- From: stefanbeigel <notifications@github.com>
- Date: Fri, 22 Dec 2023 06:06:07 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/810@github.com>
### What is the issue with the URL Standard? Hi, I would like to share with you a common scenario: 1. A request is recevied via NodeJs Express or Fastify server 2. Request is forwarded to another service using an http client that uses the URL class to build the target URL using the service hostname + the incoming request.pathname This scenario can lead to path traversal vulnerabilities as Express and Fastify do not evaluate `../` and `./` but the whatwg URL does. So the route checks of express / fastify match another path. This situation is not good at all, because the developer need to know about the different parsing / evaluation logic. **Example** I have prepared a sample application with fastify. https://github.com/stefanbeigel/whatwg-fastify-path-traversal/blob/main/index.mjs Call the app with curl --path-as-is localhost:3000/abc/../foobar **Possible solutions** 1. Http server libraries parses the URL with the whatwg URL standard 2. Whatwg URL drops the path shortening or gives an option to disable it As this behavior was introduced by the URL class I created this issue, even you can argue that this is a problem of fastify / express / nodejs. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/810 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/url/issues/810@github.com>
Received on Friday, 22 December 2023 14:06:13 UTC