Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incomplete url substring sanitization in wasm compiler #5737

Closed
vezenovm opened this issue Aug 16, 2024 · 1 comment · Fixed by #5776
Closed

Incomplete url substring sanitization in wasm compiler #5737

vezenovm opened this issue Aug 16, 2024 · 1 comment · Fixed by #5776
Assignees
@michaeljklein
Labels
bug Something isn't working security

Comments

@vezenovm
Copy link
Contributor

Aim

Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections.

https://github.com/AztecProtocol/aztec-packages/security/code-scanning/7

Expected Behavior

Only github should be an allowed host

Bug

Someone could provide a malicious URL

To Reproduce

https://github.com/AztecProtocol/aztec-packages/security/code-scanning/7

Workaround

None

Workaround Description

No response

Additional Context

No response

Project Impact

None

Blocker Context

No response

Nargo Version

No response

NoirJS Version

No response

Proving Backend Tooling & Version

No response

Would you like to submit a PR for this Issue?

None

Support Needs

No response
@vezenovm vezenovm added bug Something isn't working security labels Aug 16, 2024
@github-project-automation github-project-automation bot moved this to 📋 Backlog in Noir Aug 16, 2024
@TomAFrench
Copy link
Member

@michaeljklein can you handle this when you're back on Monday? Should be really quick.

@michaeljklein michaeljklein mentioned this issue Aug 20, 2024
Merged
5 tasks
github-merge-queue bot pushed a commit that referenced this issue Aug 21, 2024
@michaeljklein
chore: sanitize url's to only allow github (#5776)
50a6b90 
# Description

## Problem\*

Resolves #5737

## Summary\*



## Additional Context



## Documentation\*

Check one:
- [x] No documentation needed.
- [ ] Documentation included in this PR.
- [ ] **[For Experimental Features]** Documentation to be submitted in a
separate PR.

# PR Checklist\*

- [x] I have tested the changes locally.
- [x] I have formatted the changes with [Prettier](https://prettier.io/)
and/or `cargo fmt` on default settings.
@github-project-automation github-project-automation bot moved this from 📋 Backlog to ✅ Done in Noir Aug 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaeljklein michaeljklein

Labels
bug Something isn't working security
Projects
Noir
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: sanitize url's to only allow github noir-lang/noir
3 participants
@michaeljklein @TomAFrench @vezenovm