Incorrect conversion of the @ character in the protocol part of the href leads to improper validation of the hostname.
url-parse is not able to recognise the broken protocol, which allows the hostname validation to be bypassed.
const parse = require('url-parse');
console.log(parse('http:@/127.0.0.1'));
Now imagine there is a blacklist check for the domain 127.0.0.1. The parse result of the URL above is:
{
slashes: true,
protocol: 'http:',
hash: '',
query: '',
pathname: '/127.0.0.1',
auth: '',
host: '',
port: '',
hostname: '',
password: '',
username: '',
origin: 'null',
href: 'http:///127.0.0.1'
}
Here the parsed hostname is empty (the input is interpreted as a relative path rather than as a URL with a host), so a blacklist check on the hostname will clearly not match 127.0.0.1. If the resulting href (http:///127.0.0.1) is then used to fetch the URL, the request goes to 127.0.0.1.
Impact: bypass of the hostname check. This leads to an authorization bypass, as in the similar report at https://www.huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b/.
Correct the href attribute.