Skip to content

Commit

Permalink
[security] Added missing SECURITY.md
Browse files Browse the repository at this point in the history
  • Loading branch information
@3rd-Eden
3rd-Eden committed Jul 29, 2018
1 parent 53b1794 commit d7b582e
Showing 1 changed file with 47 additions and 0 deletions.
47 changes: 47 additions & 0 deletions SECURITY.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Security Guidelines

Please contact us directly at **[email protected]** for any bug that might
impact the security of this project. Please prefix the subject of your email
with `[security]` in lowercase and square brackets. Our email filters will
automatically prevent these messages from being moved to our spam box. All
emails that do not include security vulnerabilities will be removed and blocked
instantly.

In addition to a dedicated email address to receive security related reports,
we also have a [Hacker1 account][hacker1] that can be used be used for
communicating security related issues.

You will receive an acknowledgement of your report within **24 hours** of
notification.

## Exceptions

If you do not receive an acknowledgement within the said time frame please give
us the benefit of the doubt as it's possible that we haven't seen it yet. In
this case please send us a message **without details** using one of the
following methods:

- Give a poke on Twitter [@3rdEden](https://twitter.com/3rdEden)
- Contact the lead developers of this project on their personal e-mails. You
can find the e-mails in the git logs, for example using the following command:
`git --no-pager show -s --format='%an <%ae>' <gitsha>` where `<gitsha>` is the
SHA1 of their latest commit in the project.

Once we have acknowledged receipt of your report and confirmed the bug
ourselves we will work with you to fix the vulnerability and publicly
acknowledge your responsible disclosure, if you wish.

## History

> url-parse returns wrong hostname which leads to multiple vulnerabilities such
> as SSRF, Open Redirect, Bypass Authentication Protocol.

This comment has been minimized.

Sign in to view

Copy link
@lpinca

lpinca Jul 29, 2018

Member

The open redirect vulnerability is not fixed.

This comment has been minimized.

Sign in to view

Copy link
@3rd-Eden

3rd-Eden Jul 29, 2018

Author Member

Right, I just copy and pasted this from the reported issue. I can change it, and add a security section to the README and warn people to not bluntly accept user-input as valid URL's.

This comment has been minimized.

Sign in to view

Copy link
@lirantal

lirantal Jul 30, 2018

@3rd-Eden that's really awesome that you're adding this!
We have a template over at the security-wg repo (https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md) that I'd be happy to work with you on to improve with references to what you've also added here.

You may also add a security badge to raise awareness:
Security Responsible Disclosure

This comment has been minimized.

Sign in to view

Copy link
@SegfaultMasters

SegfaultMasters Sep 3, 2018

Though it replaced double slash, one can still perform open-redirect using encoded format "%5c%5c"
Here's the testcase

'use strict';
var URL = require('url-parse');
var url = new URL('http://google.com:80%5c%5cyahoo.com//#what\\is going on');
console.log(url.hostname);

This comment has been minimized.

Sign in to view

Copy link
@lirantal

lirantal Sep 5, 2018

@SegfaultMasters would you be able to submit a vuln repot on the HackerOne platform with the details?
- Hacker1 report: https://hackerone.com/reports/384029
- Reported by [lolwaleet](https://hackerone.com/lolwalee)
- Triaged by [Liran Tal](https://hackerone.com/lirantal)
- Fixed in: 1.4.3

---

[twitter]: https://twitter.com/3rdEden
[hacker1]: https://hackerone.com/3rdeden

0 comments on commit d7b582e

Please sign in to comment.