
URL is validated as true if contains brackets or apostrophe signs #338

Closed
mquartus opened this issue Mar 20, 2024 · 2 comments · Fixed by #339
Labels
upstream Issue: Changes expected in upstream

Comments

@mquartus

Hello,

I am not sure if this is the desired behaviour, so I just wanted to check with you. We have had an issue come up where we wanted to fix a valid cross-site scripting vulnerability in our web application code, where the following malicious code, including an apostrophe (') and a round bracket sign ( ) ), was injected:

https://example.org?q=search');alert(document.domain);

But when I tried to use the validators.url() function, it accepts the above as True:

>>> validators.url("https://example.org?q=search');alert(document.domain);")
True

Apparently this should not happen. The desired behaviour of the url() routine would be False in this case. Am I overlooking something, or is the above accepted? Let me know if I am missing something or you need further information. My version of validators is 0.23.2 on Python 3.9.6.

Thank you,
Miklos

@yozachar yozachar added the upstream Issue: Changes expected in upstream label Mar 21, 2024
@yozachar
Collaborator

yozachar commented Mar 21, 2024

Hey, thanks for bringing this up. Internally validators.url() uses Python's urllib.parse.parse_qs function. The behavior of parse_qs changed in Python 3.9.2. See for yourself:

Python 3.9.2 (default, Mar 21 2024, 06:39:21)
[GCC 13.2.1 20230801] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import parse_qs
>>> parse_qs("q=search');alert(document.domain);", strict_parsing=True)
{'q': ["search');alert(document.domain);"]}

Python 3.9.1 (default, Mar 21 2024, 06:40:47)
[GCC 13.2.1 20230801] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import parse_qs
>>> parse_qs("q=search');alert(document.domain);", strict_parsing=True)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/us-er/.local/share/mise/installs/python/3.9.1/lib/python3.9/urllib/parse.py", line 692, in parse_qs
    pairs = parse_qsl(qs, keep_blank_values, strict_parsing,
  File "/home/us-er/.local/share/mise/installs/python/3.9.1/lib/python3.9/urllib/parse.py", line 747, in parse_qsl
    raise ValueError("bad query field: %r" % (name_value,))
ValueError: bad query field: 'alert(document.domain)'

If you can tell me why, I may be able to resolve it.
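The following is an added worked example for this thread; it is not code from the validators project or from either commenter. It uses only the Python standard library, assumes Python 3.9.2 or later (the `separator` keyword of `parse_qs` is what lets it reproduce both behaviours shown above in one interpreter), and the function names, the RFC 3986 character sets and the `REPORTED_URL` sample are this example's own construction. It makes two points that the thread only implies: the apostrophe, parentheses and semicolon are legal query-string characters under RFC 3986, so a purely syntactic URL check is correct to accept them (the 3.9.1 rejection was a side effect of `;` being treated as a field separator), and the defence against the reported XSS is therefore output encoding at the point where the URL is echoed, not URL validation.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample input: the URL quoted in the issue report.
REPORTED_URL = "https://example.org?q=search');alert(document.domain);"

# RFC 3986 sections 2.2, 2.3 and 3.4: query = *( pchar / "/" / "?" ), where
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
# The sub-delims include the apostrophe, both parentheses and the semicolon.
_UNRESERVED = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~"
_SUB_DELIMS = "!$&'()*+,;="
_QUERY_LITERALS = set(_UNRESERVED + _SUB_DELIMS + ":@/?")
_HEX = set("0123456789abcdefABCDEF")


def is_rfc3986_query(query: str) -> bool:
    """True if `query` contains only characters RFC 3986 permits in a query:
    literal query characters or well-formed %XX percent-escapes."""
    i = 0
    while i < len(query):
        ch = query[i]
        if ch == "%":
            if i + 2 >= len(query) or query[i + 1] not in _HEX or query[i + 2] not in _HEX:
                return False
            i += 3
            continue
        if ch not in _QUERY_LITERALS:
            return False
        i += 1
    return True


def strict_parse_query(url: str, separator: str = "&"):
    """Run the URL's query through parse_qs(strict_parsing=True), the check the
    maintainer says validators.url() relies on.  separator="&" is the default
    since Python 3.9.2; separator=";" approximates the older behaviour in which
    ';' also split fields.  Returns (accepted, parsed dict or error message)."""
    query = urlsplit(url).query
    try:
        return True, parse_qs(query, strict_parsing=True, separator=separator)
    except ValueError as exc:
        return False, str(exc)


def percent_encode_query(url: str) -> str:
    """Rebuild the URL with every query value percent-encoded, so the
    apostrophe, parentheses and semicolon travel as %27 %28 %29 %3B and can no
    longer be mistaken for syntax by whatever consumes the URL later."""
    parts = urlsplit(url)
    fields = parse_qs(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode(fields, doseq=True)))


def html_attribute_value(url: str) -> str:
    """Escape a URL for insertion into an HTML attribute such as href="...".
    This is the mitigation for the reported XSS: it works whatever the
    validator accepted, because the quote can no longer close the attribute."""
    return html.escape(url, quote=True)


if __name__ == "__main__":
    query = urlsplit(REPORTED_URL).query
    print("RFC 3986 query?    ", is_rfc3986_query(query))
    print("parse_qs, '&' only:", strict_parse_query(REPORTED_URL))
    print("parse_qs, ';' too: ", strict_parse_query(REPORTED_URL, separator=";"))
    print("percent-encoded:   ", percent_encode_query(REPORTED_URL))
    print("HTML attribute:    ", html_attribute_value(REPORTED_URL))
```

Which of the two encoders applies depends on where the application echoes the URL: `percent_encode_query` normalises the URL itself, while `html_attribute_value` is the one that neutralises the reported payload when the URL is written into an HTML attribute. Neither depends on `validators.url()` returning False.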

@mquartus
Author

Ah, OK, thanks. Leave it to upstream then; if this gets their way, they will probably fix it.
