You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 5, 2018. It is now read-only.
In https://github.com/dscape/nano/blob/master/lib/nano.js#L64, (.*)@ is being used instead of the non-greedy (.*?)@ or ([^@]*)@ – this matches up until the last occurrence of @, rather than the first. If the URL's path component contains a bare @, the entire hostname and a portion of the path could be stripped. For example, scrub('https://foo:bar@host/foo/bar/@quux') will yield "https://XXXXXX:XXXXXX@quux" instead of "https://XXXXXX:XXXXXX@host/foo/bar/@quux".
I can't see any way to exploit this beyond potentially hiding URL contents in logs, but admittedly haven't investigated closely.
The text was updated successfully, but these errors were encountered:
In https://github.com/dscape/nano/blob/master/lib/nano.js#L64,
(.*)@
is being used instead of the non-greedy(.*?)@
or([^@]*)@
– this matches up until the last occurrence of@
, rather than the first. If the URL's path component contains a bare@
, the entire hostname and a portion of the path could be stripped. For example,scrub('https://foo:bar@host/foo/bar/@quux')
will yield"https://XXXXXX:XXXXXX@quux"
instead of"https://XXXXXX:XXXXXX@host/foo/bar/@quux"
.I can't see any way to exploit this beyond potentially hiding URL contents in logs, but admittedly haven't investigated closely.
The text was updated successfully, but these errors were encountered: