Skip to content

fix(isURL): fix CVE-2025-56200 #2610

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 10 commits into from
Closed

fix(isURL): fix CVE-2025-56200 #2610

wants to merge 10 commits into from
+744 −551

Conversation

@WikiRik
Copy link
Member

@WikiRik WikiRik commented Oct 15, 2025
edited
Loading

This is a fix for CVE-2025-56200. Additional test cases are partially generated by generative AI.

The rewrite was done by a different generative AI process, and needs to be properly reviewed before this PR is ready

Checklist

  • PR contains only changes related; no stray files, etc.
  • README updated (where applicable)
  • Tests written (where applicable)
  • References provided in PR (where applicable)

@WikiRik WikiRik closed this Oct 15, 2025
@WikiRik WikiRik reopened this Oct 15, 2025
@codecov
Copy link

codecov bot commented Oct 15, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 79.61165% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 99.14%. Comparing base (6f436be) to head (6e92526).

Files with missing lines Patch % Lines
src/lib/isURL.js 79.61% 12 Missing and 9 partials ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##            master    #2610      +/-   ##
===========================================
- Coverage   100.00%   99.14%   -0.86%     
===========================================
  Files          114      114              
  Lines         2536     2583      +47     
  Branches       642      657      +15     
===========================================
+ Hits          2536     2561      +25     
- Misses           0       13      +13     
- Partials         0        9       +9

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 15, 2025
View reviewed changes
src/lib/isURL.js
if (
!parsedUrl.hostname &&
hasProtocol &&
originalUrl.indexOf('://') === originalUrl.length - 3 &&

Check failure

Code scanning / CodeQL

Incorrect suffix check High

This suffix check is missing a length comparison to correctly handle indexOf returning -1.

Copilot Autofix

AI 16 days ago

To fix the problem in line 222, ensure that the result of indexOf('://') is not -1 before making a position comparison. The best practice would be:

  • Store originalUrl.indexOf('://') in a variable (e.g., protoIdx).
  • Check that protoIdx !== -1 && protoIdx === originalUrl.length - 3

This avoids the case where both sides are -1 due to missing substring, and thus avoids a false positive. Restrict the change to just the affected region around line 222.

No new methods or complex imports are needed—just a minor code change to add the variable and condition.

Suggested changeset 1
src/lib/isURL.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/lib/isURL.js b/src/lib/isURL.js
--- a/src/lib/isURL.js
+++ b/src/lib/isURL.js
@@ -216,10 +216,12 @@
 
   // Handle special case for URLs ending with just protocol:// (should always fail)
   // But allow URLs like file:/// that have paths
+  const protoIdx = originalUrl.indexOf('://');
   if (
     !parsedUrl.hostname &&
     hasProtocol &&
-    originalUrl.indexOf('://') === originalUrl.length - 3 &&
+    protoIdx !== -1 &&
+    protoIdx === originalUrl.length - 3 &&
     (!parsedUrl.pathname || parsedUrl.pathname === '/')
   ) {
     return false;
EOF
@@ -216,10 +216,12 @@

// Handle special case for URLs ending with just protocol:// (should always fail)
// But allow URLs like file:/// that have paths
const protoIdx = originalUrl.indexOf('://');
if (
!parsedUrl.hostname &&
hasProtocol &&
originalUrl.indexOf('://') === originalUrl.length - 3 &&
protoIdx !== -1 &&
protoIdx === originalUrl.length - 3 &&
(!parsedUrl.pathname || parsedUrl.pathname === '/')
) {
return false;
Copilot is powered by AI and may make mistakes. Always verify output.
@WikiRik WikiRik closed this Oct 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@WikiRik