fix(isURL): improve protocol detection. Resolves CVE-2025-56200 #2608
Conversation
|
Thanks for working on this! I was also looking into this, and I came up with this set of invalid URLs that we probably should test for with the default settings. (Disclaimer; these were partially generated by AI.) Could you add these (or a variation of these) to this PR? |
|
@WikiRik from what I can see the following are marked as valid: I do not know if it's correct or not |
|
Thanks for checking that! Why is To get your CI passing; you can remove Node 6 from the versions we test on, as I did in #2609 |
|
The flow of the current for
Not sure what is the best way to fix this. |
|
Let's skip that one as well for now. Running the original CVE in a browser console gives me the alert and this one doesn't. We don't do XSS sanitization in this library, so that shouldn't be a big issue |
theofidry
force-pushed
the
hotfix/cve-isurl
branch
from
7606bdf to
3706996
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2608 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 114 114
Lines 2536 2562 +26
Branches 642 649 +7
=========================================
+ Hits 2536 2562 +26 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
@WikiRik updated. Also worth mentioning it is only a risk when the protocol is not required, as if it is then it is checked against the allowed protocols. So may be worth adding a strong recommendation in the docs or making the protocol required the default |
|
Yes, we will make the protocol required by default but that will be a breaking change so we do that in the next major release. A strong recommendation might be good. Is that something you can add to the README? |
|
Hey @theofidry @WikiRik , any ETA on when its going to be merged & released? |
|
@theofidry codecov is complaining about some missing and partially covered lines. Can you check if those branches should be touched, and do one of the following;
I hope to be able to review this PR properly this weekend, suggestions from the community are appreciated on this |
scottgigante-hubflow
left a comment
scottgigante-hubflow
left a comment
There was a problem hiding this comment.
Some suggested test cases that might help with coverage
|
I can't check it out locally atm, but if you do a PR against my changes I can merge it |
|
any ETA on when its going to be merged & released? |
|
What else is this PR missing? |
|
Does this PR need a bit more test coverage to pass? |
|
There is still 1 line partially covered, and I haven't had the time to properly review the proposed changes |
|
@theofidry Here's a PR to handle the partially covered line |
|
Thank you everyone for your work on getting this ready, I have been following the progress here since the vulnerability was found. Do we know how long this will now take to be released as this transient dependency is blocking a number of work items on our (admittedly rigid) pipeline. |
WikiRik
left a comment
WikiRik
left a comment
There was a problem hiding this comment.
Two suggestions, apart from that I think this is fine to merge. After release we can look into incorporating the native URL interface, but that's more work than needs to be done to fix this CVE
WikiRik
changed the title
|
I'll prepare a release later today that includes this fix |
|
@WikiRik any update on this? I see it was merged into the release branch but not yet approved by @profnandaa. |
Sorry, this is implicitly approved, since we were on some email discussions about it. |
|
@WikiRik @profnandaa Is there an ETA for distribution of this security fix? |
|
Hi all i sent the PR to mark the 13.15.20 as patched: github/advisory-database#6355 to update the GH advisory database |
|
Hi, could this security fix backport to v13.12.x? |
Any reasons you have locked on v13.12.x, where there any breaking changes after? /cc. @WikiRik |
|
#2421 This is the breaking change. @profnandaa I know I could use loose mode to handle it but class-validator has not exposed the option yet. |
|
@typenoob I still need to reply in depth to the issue that was created, but in short; it was not the best idea to publish that change in 13.x.x. I didn't know that you weren't able to use the loose mode in class-validator. I'll see if we want to make the loose mode the default setting so that people can update. Security wise; if you require protocols and make them mandatory (possibly with preprocessing to add "https://" in the application if the user did not provide it), you are safe from this vulnerability. |
1 similar comment
|
@typenoob I still need to reply in depth to the issue that was created, but in short; it was not the best idea to publish that change in 13.x.x. I didn't know that you weren't able to use the loose mode in class-validator. I'll see if we want to make the loose mode the default setting so that people can update. Security wise; if you require protocols and make them mandatory (possibly with preprocessing to add "https://" in the application if the user did not provide it), you are safe from this vulnerability. |
17 participants
This PR is a fix for GHSA-9965-vmph-33xx.
Cherry-picked the change from #2603 but a test first to capture the vulnerability was created first. It also modifies the original patch as it was making any URL with authentication information no longer valid.
Closes #2603 and #2600.