search

jonluca / Anubis-DB

Database to store previously found subdomains
56 stars 11 forks source link

fix(deps): update dependency url-parse to v1.5.9 [security] #60

Open renovate[bot] opened 2 years ago

renovate[bot] commented 2 years ago

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
url-parse 1.5.3 -> 1.5.9 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-0512

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

CVE-2022-0639

A specially crafted URL with an '@​' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular,

parse(\"http://@​/127.0.0.1\")

Will return:

{
 slashes: true,
 protocol: 'http:',
 hash: '',
 query: '',
 pathname: '/127.0.0.1',
 auth: '',
 host: '',
 port: '',
 hostname: '',
 password: '',
 username: '',
 origin: 'null',
 href: 'http:///127.0.0.1'
 }

If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.

CVE-2022-0686

url-parse prior to version 1.5.8 is vulnerable to Authorization Bypass Through User-Controlled Key.

CVE-2022-0691

Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL.

If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.

This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example:

const parse = require('url-parse')
const express = require('express')
const app = express()
const port = 3000

url = parse(\"\\bjavascript:alert(1)\")

console.log(url)

app.get('/', (req, res) => {
 if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")}
 })

app.listen(port, () => {
 console.log(`Example app listening on port ${port}`)
 })

Release Notes

unshiftio/url-parse ### [`v1.5.9`](https://togithub.com/unshiftio/url-parse/compare/1.5.8...1.5.9) [Compare Source](https://togithub.com/unshiftio/url-parse/compare/1.5.8...1.5.9) ### [`v1.5.8`](https://togithub.com/unshiftio/url-parse/compare/1.5.7...1.5.8) [Compare Source](https://togithub.com/unshiftio/url-parse/compare/1.5.7...1.5.8) ### [`v1.5.7`](https://togithub.com/unshiftio/url-parse/compare/1.5.6...1.5.7) [Compare Source](https://togithub.com/unshiftio/url-parse/compare/1.5.6...1.5.7) ### [`v1.5.6`](https://togithub.com/unshiftio/url-parse/compare/1.5.5...1.5.6) [Compare Source](https://togithub.com/unshiftio/url-parse/compare/1.5.5...1.5.6) ### [`v1.5.5`](https://togithub.com/unshiftio/url-parse/compare/1.5.4...1.5.5) [Compare Source](https://togithub.com/unshiftio/url-parse/compare/1.5.4...1.5.5) ### [`v1.5.4`](https://togithub.com/unshiftio/url-parse/compare/1.5.3...1.5.4) [Compare Source](https://togithub.com/unshiftio/url-parse/compare/1.5.3...1.5.4)

Configuration

πŸ“… Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by WhiteSource Renovate. View repository job log here.