All url-parse versions

[email protected] rejected Risk: 70 MIT

url-parse @1.5.3

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Homepage Tarball
70
Risk Score
MIT
License
No
Install Scripts
2
Dependencies
8
Dev Dependencies
15.7 KB
Package Size
Published

Small footprint URL parser that works seamlessly across Node.js and browser environments

Maintainers

unshiftioswaagiev13rdeden

Keywords

URLparseruriurlparsequerystringquerystringstringify

Dependencies (2)

PackageConstraintRegistry Status
requires-port ^1.0.0 auto_approved
querystringify ^2.1.1 auto_approved

Dev Dependencies (8)

PackageConstraintRegistry Status
c8 ^7.3.1 auto_approved
mocha ^8.0.1 auto_approved
assume ^2.2.0 Not imported
uglify-js ^3.5.7 auto_approved
browserify ^17.0.0 auto_approved
pre-commit ^1.2.2 auto_approved
sauce-test ^1.3.3 Not imported
sauce-browsers ^2.0.0 Not imported

Transitive Dependency Tree

2 transitive deps max depth 1
  ├─ querystringify ^2.1.1 → 2.2.0
  ├─ requires-port ^1.0.0 → 1.0.0

SAST Findings (5)

CRITICAL GHSA-hgjh-723h-mx2j: Authorization Bypass Through User-Controlled Key in url-parse osv

CVSS 9.1 (CRITICAL) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N url-parse prior to version 1.5.8 is vulnerable to Authorization Bypass Through User-Controlled Key.

MEDIUM GHSA-8v38-pw62-9cw2: url-parse Incorrectly parses URLs that include an '@' osv

CVSS 6.5 (MEDIUM) — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular, ```js parse(\"http://@/127.0.0.1\") ``` Will return: ```yaml { slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth: '', host: '', port: '', hostname: '', password: '', username: '', origin: 'null', href: 'http:///127.0.0.1' } ``` If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.

MEDIUM GHSA-jf5r-8hm2-f872: url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. osv

CVSS 6.5 (MEDIUM) — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect. This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000 url = parse(\"\\bjavascript:alert(1)\") console.log(url) app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"<a href=\\'\" + url.href + \"\\'>CLICK ME!</a>\")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) }) ```

MEDIUM GHSA-rqff-837h-mm52: Authorization bypass in url-parse osv

CVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 70. Findings: 1 critical (+40), 3 medium (+30), 1 info (+0).

Commit: ad444931666a Browse source

Published to npm: