# Refactor security against dangerous URL #202
Timeline:

- Mar 13, 2024: blackfalcon added the labels `Type: Feature` (New Feature), `auro-hyperlink`, and `not-reviewed` (Issue has not been reviewed by Auro team members).
- Mar 13, 2024: blackfalcon added a commit that referenced this issue:
  > This function was updated post security review in training with @jmanico. The goal of this refactor is to be exclusionary by default as well as tighten up the code ergonomics. Changes to be committed: modified: src/component-base.mjs
- Mar 14, 2024: blackfalcon added a commit that referenced this issue.
- Mar 14, 2024: blackfalcon added a commit that referenced this issue:
  > This function was updated post security review in training with @jmanico. The goal of this refactor is to be exclusionary by default as well as tighten up the code ergonomics. Additional updates include refactoring JSDoc annotations. Changes to be committed: modified: src/component-base.mjs
- Mar 15, 2024: Patrick-Daly-AA removed the `not-reviewed` label.
- Apr 19, 2024: blackfalcon added a commit that referenced this issue (same commit message as the Mar 14 commit above).
- Apr 25, 2024: blackfalcon added a commit that referenced this issue (same commit message as the Mar 14 commit above).
- Apr 29, 2024: blackfalcon added a commit that referenced this issue (same commit message as the Mar 14 commit above).
- Apr 29, 2024: blackfalcon pushed a commit that referenced this issue:
  > ## [3.5.11](v3.5.10...v3.5.11) (2024-04-29)
  > ### Performance Improvements
  > * update function [#202](#202) ([b082269](b082269))
### General Support Request

Refactor the code to be more robust from a security standpoint.

Referenced code: auro-hyperlink/src/component-base.mjs, lines 90 to 123 in dff0c54.

### Possible Solution

Remove unwanted references and be specific about the types that are secure and supported. The updated code should still disallow any HREF that uses the JavaScript protocol, and should also ignore `data:` URLs and anything else that is not explicitly supported.

### Additional context

The code was reviewed in a security training session, where it was pointed out that there were subtle flaws in recognizing JavaScript as a type and then having to return an empty string for it. The suggestion was not to list the options that are disallowed at all, but to allow only the options that are considered safe.

It was also pointed out that we were not accounting for the `data:` type in `href`.

### Exit criteria

This issue can be closed once the updates improve on the previous security model, maintain the exclusion of the JavaScript protocol, and also account for the long list of other protocols that are unsupported.
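As an added illustration of the allow-list approach the possible solution describes, the following JavaScript is not auro-hyperlink's own code and does not reproduce the function in `src/component-base.mjs` (which is not shown on this page). The function name `safeHref`, the set of permitted schemes, the resolution base and the sample inputs are all assumptions made for this example.

```javascript
// Added example, not auro-hyperlink's code. Allow-list href validation:
// any href whose scheme is not explicitly permitted is replaced by '', so
// javascript:, data:, vbscript: and every other unlisted scheme are excluded
// without having to be named individually. `safeHref`, the scheme list and
// the samples below are assumptions for this illustration.

// Schemes this example treats as safe to render into an <a href>.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:', 'sms:']);

// Base used only to resolve relative inputs ("/path", "#id", "?q=1") so they
// can be classified; it never appears in the returned value.
const RESOLUTION_BASE = 'https://example.invalid/';

/**
 * Return the trimmed href if its scheme is on the allow-list, otherwise ''.
 * The WHATWG URL parser makes the decision, so case differences (JAVASCRIPT:),
 * embedded tabs/newlines and surrounding whitespace are normalised the same
 * way a browser normalises them before navigating.
 */
function safeHref(value) {
  if (typeof value !== 'string') {
    return '';
  }
  const trimmed = value.trim();
  if (trimmed === '') {
    return '';
  }

  let parsed;
  try {
    parsed = new URL(trimmed, RESOLUTION_BASE);
  } catch {
    // Unparseable input is not a URL we want to emit.
    return '';
  }

  // Exclusionary by default: only listed schemes pass, everything else is ''.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? trimmed : '';
}

// Constructed sample inputs paired with the value each one should produce.
const SAMPLES = [
  ['https://example.com/flights', 'https://example.com/flights'],
  ['/relative/path?x=1', '/relative/path?x=1'],
  ['#section', '#section'],
  ['mailto:help@example.com', 'mailto:help@example.com'],
  ['javascript:void(0)', ''],
  ['JaVaScRiPt:void(0)', ''],
  ['java\tscript:void(0)', ''],
  ['data:text/plain,hello', ''],
  ['vbscript:nothing', ''],
  ['ftp://example.com/file', ''],
];

// Runs every sample through safeHref and reports whether all of them matched.
function checkSamples() {
  return SAMPLES.every(([input, expected]) => safeHref(input) === expected);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [input, expected] of SAMPLES) {
    const got = safeHref(input);
    console.log(JSON.stringify(input), '->', JSON.stringify(got), got === expected ? 'ok' : 'MISMATCH');
  }
}
```

Two points worth noting about this shape. Because the decision is made on the parsed `protocol`, obfuscations such as mixed case or a tab inside `javascript:` are handled by the parser rather than by a growing list of string patterns. The scheme check does not constrain hosts, however: a protocol-relative value such as `//other.example/` resolves to the base's `https:` scheme and passes, so a component that must stay on known domains needs a separate host allow-list on top of this.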