
chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed #188

Closed · wants to merge 1 commit

Conversation

renovate[bot] (Contributor) commented Mar 25, 2023

Mend Renovate

This PR contains the following updates:

Package: urijs
Change: 1.19.2 -> 1.19.11

GitHub Vulnerability Alerts

CVE-2020-26291

Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https://expected-example.com\@observed-example.com
Escaped string: https://expected-example.com\\@observed-example.com (JavaScript strings must escape backslash)

Affected versions incorrectly return observed-example.com. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Patches

Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.

References

https://github.com/medialize/URI.js/releases/tag/v1.19.4 (complete fix for this bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (partial fix for this bypass)
PR #233 (initial fix for backslash handling)

For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

Reporter credit

Alesandro Ortiz

CVE-2021-27516

Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https:/\expected-example.com/path
Escaped string: https:/\\expected-example.com/path (JavaScript strings must escape backslash)

Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Patches

Version 1.19.6 is patched against all known payload variants.

References

https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for this particular bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass)
PR #233 (initial fix for backslash handling)

For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

Reporter credit

Yaniv Nizry from the CxSCA AppSec team at Checkmarx

CVE-2021-3647

Impact

If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a combination of backslash (\) and slash (/) characters as part of the scheme delimiter, e.g. scheme:/\/\/\hostname. If the hostname is used in security decisions, the decision may be incorrect.

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: https:/\/\/\expected-example.com/path
Escaped string: https:/\\/\\/\\expected-example.com/path (JavaScript strings must escape backslash)

Affected versions incorrectly return no hostname. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Patches

Version 1.19.7 is patched against all known payload variants.

References

https://github.com/medialize/URI.js/releases/tag/v1.19.7 (fix for this particular bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for related bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass)
PR #233 (initial fix for backslash handling)

For more information

If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js

Reporter credit

ready-research via https://huntr.dev/

CVE-2022-0613

An attacker can use case-insensitive protocol schemes like HTTP, htTP, HTtp etc. in order to bypass the patch for CVE-2021-3647.

CVE-2022-24723

Impact

Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.

Patches

Patched in 1.19.9

Workarounds

Remove leading whitespace from values before passing them to URI.parse (e.g. via .href(value) or new URI(value)), e.g. by using

function remove_whitespace(url) {
    // Strip leading C0 controls, space and the Unicode whitespace characters
    // that a WHATWG parser would not strip on its own (NBSP, ideographic space, BOM, ...)
    const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
    return url.replace(whitespace, '');
}

References

For more information

If you have any questions or comments about this advisory:

CVE-2022-0868

urijs prior to version 1.19.10 is vulnerable to open redirect. This is the result of a bypass for the fix to CVE-2022-0613.

CVE-2022-1233

Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as https://www.example.com instead. For example, the following will cause a redirect to https://www.example.com:

A fix was released in version 1.19.11.

CVE-2022-1243

\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.

This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):

const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000

// Attacker-controlled value: the CR/LF inside the scheme stops urijs < 1.19.11
// from extracting "javascript" as the protocol, while browsers strip those
// characters and execute the script.
const input = "ja\r\nvascript:alert(1)"
const url = parse(input)

console.log(url)

app.get('/', (req, res) => {
  // URI.js exposes the scheme through the protocol() accessor, without a colon.
  // The comparison does not match, so the javascript: link is embedded as-is.
  if (url.protocol() !== "javascript") {
    res.send("<iframe src='" + input + "'>CLICK ME!</iframe>")
  }
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.
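As an added example that is not part of the Renovate PR body or of URI.js, the following Node.js script runs the payloads quoted in the advisories above through two hostname extractors: a naive string-based one, which is a constructed stand-in for the pre-patch behaviour the advisories describe (it is not URI.js code), and Node's built-in WHATWG URL class, which the advisories name as the reference behaviour. It then shows the allowlist check a redirect or SSRF guard should make, including the scheme check that stops the CR/LF javascript: payload from the CVE-2022-1243 example. The host names, the base URL https://app.example/ and every function name are assumptions for illustration.

```javascript
// Added example, not code from the Renovate PR or from URI.js. Runs on Node.js
// (global URL class, no third-party packages). The naive extractor is a
// constructed stand-in for the pre-patch behaviour the advisories describe.

// Leading-whitespace stripper with the same character class as the
// CVE-2022-24723 workaround above. WHATWG parsers strip only C0 controls and
// space themselves, so NBSP and friends must be removed before parsing.
const LEADING_WS =
  /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
function stripLeadingWhitespace(url) {
  return String(url).replace(LEADING_WS, '');
}

// Naive extractor: take everything between "://" and the next "/", "?" or
// "#" as the authority and treat whatever follows the last "@" as the host.
// It reproduces the wrong answers listed in the advisories: the host after
// "\@" for CVE-2020-26291, and no host at all for the "/\" scheme variants.
function naiveHostname(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  const authority = m[1];
  const at = authority.lastIndexOf('@');
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  return hostport.split(':')[0].toLowerCase() || null;
}

// WHATWG parse via Node's URL class. `base` lets scheme-relative input such
// as "///host" resolve the way a browser on that page would (CVE-2022-1233);
// without a base such input is rejected and null is returned.
function whatwgHostname(url, base) {
  try {
    return new URL(stripLeadingWhitespace(url), base).hostname || null;
  } catch (_e) {
    return null;
  }
}

// The check a redirect/SSRF guard should make: parse with WHATWG rules,
// require an http(s) scheme (this rejects "ja\r\nvascript:" once the parser
// has stripped CR/LF/TAB, CVE-2022-1243), and compare the parsed hostname,
// never the raw string, against an exact-match allowlist.
function isAllowedTarget(url, allowedHosts, base) {
  let parsed;
  try {
    parsed = new URL(stripLeadingWhitespace(url), base);
  } catch (_e) {
    return false;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return allowedHosts.includes(parsed.hostname);
}

// Payloads quoted in the advisories above (constructed inputs; "\\" is one
// backslash in the resulting string). The CVE-2022-0613 row combines the
// case variation with the CVE-2021-3647 payload, as that advisory describes.
const PAYLOADS = [
  ['CVE-2020-26291', 'https://expected-example.com\\@observed-example.com'],
  ['CVE-2021-27516', 'https:/\\expected-example.com/path'],
  ['CVE-2021-3647', 'https:/\\/\\/\\expected-example.com/path'],
  ['CVE-2022-0613', 'HTtp:/\\/\\/\\expected-example.com/path'],
  ['CVE-2022-24723', '\u00a0https://expected-example.com/path'],
  ['CVE-2022-1233', '///expected-example.com'],
  ['CVE-2022-1243', 'ja\r\nvascript:alert(1)'],
];

// Side-by-side result for every payload as seen from a page on the assumed
// base https://app.example/, with expected-example.com on the allowlist.
function compare(base = 'https://app.example/') {
  return PAYLOADS.map(([cve, input]) => ({
    cve,
    naive: naiveHostname(input),
    whatwg: whatwgHostname(input, base),
    allowed: isAllowedTarget(input, ['expected-example.com'], base),
  }));
}

console.table(compare());
```

The open-redirect case reads off the first row: if the application trusts observed-example.com, the naive extractor reports that host and lets the link through, while a browser following the same link lands on expected-example.com. The WHATWG-based isAllowedTarget makes the decision on the host the browser will actually use, so that payload is refused and only a genuine observed-example.com link passes.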

vercel bot commented Mar 25, 2023

The latest updates on your projects.

Name: gitrepos · Status: ✅ Ready · Updated: Mar 25, 2023 at 9:30AM (UTC)

@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Mar 27, 2023
@renovate renovate bot closed this Mar 27, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch March 27, 2023 19:24
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Mar 28, 2023
@renovate renovate bot reopened this Mar 28, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch March 28, 2023 01:02
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Mar 28, 2023
@renovate renovate bot closed this Mar 28, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch March 28, 2023 02:57
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Mar 28, 2023
@renovate renovate bot reopened this Mar 28, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch March 28, 2023 07:46
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Mar 28, 2023
@renovate renovate bot closed this Mar 28, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch March 28, 2023 08:42
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Mar 28, 2023
@renovate renovate bot reopened this Mar 28, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch March 28, 2023 13:50
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Mar 29, 2023
@renovate renovate bot closed this Mar 29, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch March 29, 2023 23:35
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Mar 30, 2023
@renovate renovate bot reopened this Mar 30, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch March 30, 2023 04:00
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Mar 30, 2023
@renovate renovate bot closed this Mar 30, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch March 30, 2023 05:19
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Mar 30, 2023
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Mar 31, 2023
@renovate renovate bot reopened this Mar 31, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch March 31, 2023 17:42
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Mar 31, 2023
@renovate renovate bot closed this Mar 31, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch March 31, 2023 18:23
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Mar 31, 2023
@renovate renovate bot reopened this Mar 31, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch March 31, 2023 22:23
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Apr 3, 2023
@renovate renovate bot closed this Apr 3, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch April 3, 2023 09:20
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Apr 3, 2023
@renovate renovate bot reopened this Apr 3, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch April 3, 2023 10:20
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Apr 3, 2023
@renovate renovate bot closed this Apr 3, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch April 3, 2023 11:36
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Apr 3, 2023
@renovate renovate bot reopened this Apr 3, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch April 3, 2023 22:36
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed Apr 17, 2023
@renovate renovate bot closed this Apr 17, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch April 17, 2023 09:49
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed chore(deps): update dependency urijs to 1.19.11 [security] Apr 18, 2023
@renovate renovate bot reopened this Apr 18, 2023
@renovate renovate bot restored the renovate/npm-urijs-vulnerability branch April 18, 2023 08:42
@renovate renovate bot changed the title chore(deps): update dependency urijs to 1.19.11 [security] chore(deps): update dependency urijs to 1.19.11 [security] - autoclosed May 28, 2023
@renovate renovate bot closed this May 28, 2023
@renovate renovate bot deleted the renovate/npm-urijs-vulnerability branch May 28, 2023 10:18