CVE-2023-2307: fix: relative protocol urls · BuilderIO/qwik@09190b7
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
@@ -0,0 +1,37 @@
import { test } from 'uvu’;
import { equal } from 'uvu/assert’;
import { normalizeUrl } from './http’;
[
{
url: '/’,
base: 'https://qwik.dev’,
expect: 'https://qwik.dev/’,
},
{
url: '/attacker.com’,
base: 'https://qwik.dev’,
expect: 'https://qwik.dev/attacker.com’,
},
{
url: '//attacker.com’,
base: 'https://qwik.dev’,
expect: 'https://qwik.dev/attacker.com’,
},
{
url: '\\\\attacker.com’,
base: 'https://qwik.dev’,
expect: 'https://qwik.dev/attacker.com’,
},
{
url: '/some-path//attacker.com’,
base: 'https://qwik.dev’,
expect: 'https://qwik.dev/some-path/attacker.com’,
},
].forEach((t) => {
test(`normalizeUrl(${t.url}, ${t.base})`, () => {
equal(normalizeUrl(t.url, t.base).href, t.expect);
});
});
test.run();
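Review bot: The table pins the `//` and `\\` prefixes and a mid-path `//`, but has no row for mixed-separator forms such as `/\attacker.com` or `\/attacker.com`, nor for `///attacker.com`; against an http(s) base the WHATWG URL parser treats a backslash like a slash in these positions, so those inputs resolve to a different host as readily as the `//` case, and a normalizeUrl that only collapses runs of the same character would still pass this suite. Adding those rows with the same `https://qwik.dev/attacker.com` expectation the existing `//` row uses makes the regression test cover the shapes the fix is meant to neutralise. The expected values assume normalizeUrl is intended to collapse them exactly as it does `//`; the implementation in `./http` is outside this hunk, so confirm there before merging the rows. The curly closing quotes in the string literals look like a page-rendering artefact rather than the committed source, but are worth a glance.
```javascript
// … unchanged: existing table rows …
  {
    url: '/\\attacker.com',
    base: 'https://qwik.dev',
    expect: 'https://qwik.dev/attacker.com',
  },
  {
    url: '\\/attacker.com',
    base: 'https://qwik.dev',
    expect: 'https://qwik.dev/attacker.com',
  },
  {
    url: '///attacker.com',
    base: 'https://qwik.dev',
    expect: 'https://qwik.dev/attacker.com',
  },
// … unchanged: forEach / test.run() …
```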