NotificationsYou must be signed in to change notification settings
Fork9.2k
Star65.8k

Commitc510070

authored

fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris

1 parent4b0501c commitc510070Copy full SHA for c510070

File tree

5 files changed

+46

-3

lines changed

.changeset
- green-turtles-change.md
lib/schemes
- HttpUriPlugin.js
test/configCases/asset-modules/http-url

5 files changed

+46

-3

lines changed

`‎.changeset/green-turtles-change.md‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+---`
	`2`	`+"webpack":patch`
	`3`	`+---`
	`4`	`+`
	`5`	`+Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.`

`‎lib/schemes/HttpUriPlugin.js‎`

Lines changed: 19 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -953,12 +953,28 @@ class HttpUriPlugin {`
`953`	`953`	`*@returns {boolean} true when allowed, otherwise false`
`954`	`954`	`*/`
`955`	`955`	`constisAllowed=(uri)=>{`
	`956`	`+letparsedUri;`
	`957`	`+try{`
	`958`	`+// Parse the URI to prevent userinfo bypass attacks`
	`959`	`+// (e.g., http://allowed@malicious/path where @malicious is the actual host)`
	`960`	`+parsedUri=newURL(uri);`
	`961`	`+}catch(_err){`
	`962`	`+returnfalse;`
	`963`	`+}`
`956`	`964`	`for(constallowedofallowedUris){`
`957`	`965`	`if(typeofallowed==="string"){`
`958`		`-if(uri.startsWith(allowed))returntrue;`
	`966`	`+letparsedAllowed;`
	`967`	`+try{`
	`968`	`+parsedAllowed=newURL(allowed);`
	`969`	`+}catch(_err){`
	`970`	`+continue;`
	`971`	`+}`
	`972`	`+if(parsedUri.href.startsWith(parsedAllowed.href)){`
	`973`	`+returntrue;`
	`974`	`+}`
`959`	`975`	`}elseif(typeofallowed==="function"){`
`960`		`-if(allowed(uri))returntrue;`
`961`		`-}elseif(allowed.test(uri)){`
	`976`	`+if(allowed(parsedUri.href))returntrue;`
	`977`	`+}elseif(allowed.test(parsedUri.href)){`
`962`	`978`	`returntrue;`
`963`	`979`	`}`
`964`	`980`	`}`

`‎test/configCases/asset-modules/http-url/errors.js‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,5 +16,8 @@ module.exports = [`
`16`	`16`	`],`
`17`	`17`	`[`
`18`	`18`	`/http:\/\/localhost:9990\/redirecthasanoutdatedlockfileentry,butlockfileisfrozen/`
	`19`	`+],`
	`20`	`+[`
	`21`	`+/Modulenotfound:Error:http:\/\/localhost:9990@127\.0\.0\.1:9100\/secret\.jsdoesn'tmatchtheallowedUrispolicy/`
`19`	`22`	`]`
`20`	`23`	`];`

`‎test/configCases/asset-modules/http-url/index.security.js‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,6 @@`
	`1`	`+"use strict";`
	`2`	`+`
	`3`	`+it("should reject URLs with userinfo that bypass allowedUris",()=>{`
	`4`	`+expect(()=>require("http://localhost:9990@127.0.0.1:9100/secret.js")).toThrow();`
	`5`	`+});`
	`6`	`+`

`‎test/configCases/asset-modules/http-url/webpack.config.js‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -102,5 +102,18 @@ module.exports = [`
`102`	`102`	`frozen:true`
`103`	`103`	`})`
`104`	`104`	`]`
	`105`	`+},`
	`106`	`+{`
	`107`	`+name:"security-userinfo-bypass",`
	`108`	`+...base,`
	`109`	`+entry:"./index.security.js",`
	`110`	`+plugins:[`
	`111`	`+serverPlugin,`
	`112`	`+newHttpUriPlugin({`
	`113`	`+allowedUris,`
	`114`	`+upgrade:false,`
	`115`	`+frozen:false`
	`116`	`+})`
	`117`	`+]`
`105`	`118`	`}`
`106`	`119`	`];`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitc510070

File tree

5 files changed

5 files changed

`‎.changeset/green-turtles-change.md‎`

`‎lib/schemes/HttpUriPlugin.js‎`

`‎test/configCases/asset-modules/http-url/errors.js‎`

`‎test/configCases/asset-modules/http-url/index.security.js‎`

`‎test/configCases/asset-modules/http-url/webpack.config.js‎`

0 commit comments