fix(auth): sanitize authorization URL #687
Conversation
There was a problem hiding this comment.
Hi @superboy-zjc , thanks for the PR. Do we need to use this exact library for this, or is there an alternative that is maintained by more than 1 person?
Or perhaps the sanitize functionality can just be inlined to eliminate dependency altogether. |
Yeah I think we can inline the protocol check here to only allow http and https protocol and don't have to handle url encoding things. |
Thanks @superboy-zjc If you can make that change, I'll approve and merge it and it will go into a new release shortly. |
I will do it shortly👍 |
|
Hi there @cliffhall @olaservo I updated a clean patch for this. |
|
Mind requesting a CVE for this?😊 @cliffhall |
Head branch was pushed to by a user without write access
|
I fixed the style error and make sure it passes all the ci workflow |
|
Hi @cliffhall @olaservo May I ask for the help for the CVE ID assignment on this report? I am a security researcher and need a CVE ID to get credit from the report. I've submitted the report to HackerOne before help patching this but no one triaged it. Could anyone guide me proceeding with this or help ping the security team? Thanks |
We're in progress on that. @jenn-newton at Anthropic is working on a PR because she wants a reusable address validator. She will be handling getting the CVE. Don't worry, it is being handled, but I think has just gone on Jenn is on holiday though, so it might be a week or so. She has your document outlining the problem that was fixed. |
I appreciate your help! |
fix the critical RCE issue. See report