urlpattern-polyfill icon indicating copy to clipboard operation
urlpattern-polyfill copied to clipboard
verified publisher icon kenchris

bug: `pathname` is jailbreakable

Open aui opened this issue 2 years ago • 1 comments

Thank you very much for this library, it makes my router program elegant!

I've discovered that URLPattern doesn't work according to web standards when the pathname contains the leading // character.

Test Cases:

var router = new URLPattern({ "hostname": "example.com", "pathname": "*" });
console.log(router.test({ "hostname": "example.com", "pathname": "//foo.com" }));

Expected:

true

Actual:

false

I guess this error is caused by the internal use of the URL API without validating the input:

const input = '//foo.com';
const baseURL = 'https://example.com';
const url = new URL(input, baseURL);
console.log(url.href);

The above result will be https://foo.com/.

aui avatar Jan 25 '24 02:01 aui

hi, maybe I didn't describe the problem clearly at first, I have edited it now.

I realized that this problem may be more serious than expected, because hackers can bypass the domain name check by constructing a pathname like https://example.com//yyy.com.

Thanks again for your work.

aui avatar Apr 26 '25 12:04 aui