mirrors/axios
2
0
Fork 0
mirror of https://github.com/tenrok/axios.git synced 2026-06-20 20:00:40 +03:00
Code Activity

Fix to prevent XSS, throw an error when the URL contains a JS script (#2464)

Browse Source 
* Fixes issue where XSS scripts attacks were possible via the URL

* Fix error

* Move throwing error up

* Add specs and make regex cover more xss cases
This commit is contained in:
Yasu Flores
2019-10-16 03:53:10 -07:00
committed by Felipe Martins
parent ee60ee368e
commit 29da6b24db
4 changed files with 33 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/helpers/isURLSameOrigin.js
+4 -2
View File
@@ -22,14 +22,16 @@ module.exports = (
function resolveURL(url) { function resolveURL(url) {
var href = url; var href = url;
if (isValidXss(url)) {
throw new Error('URL contains XSS injection attempt');
}
if (msie) { if (msie) {
// IE needs attribute set twice to normalize properties // IE needs attribute set twice to normalize properties
urlParsingNode.setAttribute('href', href); urlParsingNode.setAttribute('href', href);
href = urlParsingNode.href; href = urlParsingNode.href;
} }
isValidXss(url);
urlParsingNode.setAttribute('href', href); urlParsingNode.setAttribute('href', href);
// urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
lib/helpers/isValidXss.js
+2 -2
View File
@@ -1,6 +1,6 @@
'use strict'; 'use strict';
module.exports = function isValidXss(requestURL) { module.exports = function isValidXss(requestURL) {
var regex = RegExp('<script+.*>+.*<\/script>'); var xssRegex = /(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script/gi;
return regex.test(requestURL); return xssRegex.test(requestURL);
}; };
test/specs/helpers/isURLSameOrigin.spec.js
+3 -2
View File
@@ -9,7 +9,8 @@ describe('helpers::isURLSameOrigin', function () {
expect(isURLSameOrigin('https://github.com/axios/axios')).toEqual(false); expect(isURLSameOrigin('https://github.com/axios/axios')).toEqual(false);
}); });
it('should detect xss', function () { it('should detect XSS scripts on a same origin request', function () {
expect(isURLSameOrigin('https://github.com/axios/axios?<script>alert("hello")</script>')).toEqual(false) expect(() => { isURLSameOrigin('https://github.com/axios/axios?<script>alert("hello")</script>'); })
.toThrowError(Error, 'URL contains XSS injection attempt')
}) })
}); });
test/specs/helpers/isValidXss.spec.js
+24
View File
@@ -0,0 +1,24 @@
var isValidXss = require('../../../lib/helpers/isValidXss');
describe('helpers::isValidXss', function () {
it('should detect script tags', function () {
expect(isValidXss("<script/xss>alert('blah')</script/xss>")).toBe(true);
expect(isValidXss("<SCRIPT>alert('getting your password')</SCRIPT>")).toBe(true);
expect(isValidXss("<script src='http://xssinjections.com/inject.js'>xss</script>")).toBe(true);
expect(isValidXss("<img src='/' onerror='javascript:alert('xss')'>xss</script>")).toBe(true);
expect(isValidXss("<script>console.log('XSS')</script>")).toBe(true);
expect(isValidXss("onerror=alert('XSS')")).toBe(true);
expect(isValidXss("<a onclick='alert('XSS')'>Click Me</a>")).toBe(true);
});
it('should not detect non script tags', function() {
expect(isValidXss("<safe> tags")).toBe(false);
expect(isValidXss("<safetag>")).toBe(false);
expect(isValidXss(">>> safe <<<")).toBe(false);
expect(isValidXss("<<< safe >>>")).toBe(false);
expect(isValidXss("my script rules")).toBe(false);
expect(isValidXss("<a notonlistener='nomatch'>")).toBe(false);
expect(isValidXss("<h2>MyTitle</h2>")).toBe(false);
expect(isValidXss("<img src='#'/>")).toBe(false);
})
});