mccalltd / AttributeRouting

Define your routes using attributes on actions in ASP.NET MVC and Web API.
http://mccalltd.github.io/AttributeRouting/
MIT License
416 stars 89 forks source link

Security Risk: Incorrect URL Validation using Incomplete RegEx parsing/validation logic in `StringExtensions.cs` #306

Open 247arjun opened 7 months ago

247arjun commented 7 months ago

PathAndQueryRegex and invalidUrlPattern are both incompletely defined, allowing multiple bypasses that can allow malformed/malicious URL input to be parsed incorrectly. This may expose code that uses the parsed URLs to security risk.

PathAndQueryRegex

Intended Usage: This regex is designed to separate the path and query parts of a URL. Actual Usage: It matches any characters not including a question mark for the path and optionally matches a query string starting with a question mark. Issue: The regex does not rigorously validate the URL structure. It incorrectly assumes any string with or without a ? character is a valid URL. It does not handle URL-encoded query params, backslashes etc.

invalidUrlPattern

Intended Usage: This regex aims to identify potentially harmful or invalid parts of a URL. Actual Usage: It combines several patterns to match URL parts containing certain special characters, consecutive dots, ending with a dot, or leading/trailing spaces. Issue: The dynamic construction of the regex based on the 'allowTokens' parameter could lead to regex injection if the parameter is influenced by user input. Moreover, the regex checks are somewhat superficial and do not fully ensure URL safety, potentially overlooking other forms of URL manipulation or encoding attacks.

Both regex objects suffer from incomplete validation logic that could lead to significant security vulnerabilities. The recommendations provided aim to address these issues by suggesting more rigorous and complete regex patterns for URL parsing and validation.