Update dependency urijs to 1.19.11 [SECURITY] - abandoned

[renovate]

This PR contains the following updates:

Package	Change
urijs	1.19.7 -> 1.19.11

GitHub Vulnerability Alerts

CVE-2022-0613

Attacker can use case-insensitive protocol schemes like HTTP, htTP, HTtp etc. in order to bypass the patch for CVE-2021-3647.

CVE-2022-24723

Impact

Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail.

Patches

Patched in 1.19.9

Workarounds

Remove leading whitespace from values before passing them to URI.parse (e.g. via .href(value) or new URI(value)), e.g. by using

function remove_whitespace(url){
     const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
     url = url.replace(whitespace, '')
     return url
}

References

• https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/

For more information

If you have any questions or comments about this advisory:

• Open an issue in medialize/URI.js

CVE-2022-0868

urijs prior to version 1.19.10 is vulnerable to open redirect. This is the result of a bypass for the fix to CVE-2022-0613.

CVE-2022-1233

Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as http://www.example.com instead. For example, the following will cause a redirect to http://www.example.com: A fix was released in version 1.19.11.

CVE-2022-1243

\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.

This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):

const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000

input = "ja\r\nvascript:alert(1)"
url = parse(input)

console.log(url)

app.get('/', (req, res) => {
 if (url.protocol !== "javascript:") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")}
})

app.listen(port, () => {
 console.log(`Example app listening on port ${port}`)
})

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

Visit the preview URL for this PR (updated for commit 6a62b1c):

https://whack-a-mole-motion--pr13-renovate-npm-urijs-v-e7yq1fte.web.app

_{(expires Wed, 18 May 2022 12:41:46 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.