
Allow only URLs with `https` protocol during campaign creation

Open thypon opened this issue 3 years ago • 3 comments

Description

When creating a new campaign, an attacker may use arbitrary protocols to inject JavaScript or OS command link vectors.

Reproduction Steps

[Screenshot: screenshot_2022-04-25_at_16 56 58]

Proposed fix

Disallow any URL not employing the https scheme.

Cc @tackley

thypon avatar Apr 25 '22 15:04 thypon
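
One way to implement the proposed fix, as an added example (not code from ads-ui or the linked ads-serve pull request): parse the input with the WHATWG `URL` class and compare the normalized scheme, instead of string-matching a prefix. `validateCampaignUrl`, `rejectedSamples` and the sample inputs are constructed for illustration.

```javascript
// Added example: https-only allow-list for campaign URLs.
// validateCampaignUrl is a hypothetical helper, not a project API.
function validateCampaignUrl(input) {
  if (typeof input !== "string") {
    return { ok: false, reason: "not a string" };
  }
  let url;
  try {
    // No base argument: relative and scheme-less input fails to parse.
    url = new URL(input);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // The parser lower-cases the scheme and strips tabs, newlines and
  // surrounding whitespace, so compare its output, not the raw string.
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // Return the normalized form so the stored value is the validated one.
  return { ok: true, url: url.href };
}

// Constructed sample inputs, none taken from the issue.
const samples = [
  " HTTPS://Example.com/landing?x=1 ", // accepted, normalized
  "http://example.com/landing",        // cleartext scheme
  "JaVaScRiPt:alert(1)",               // mixed-case script scheme
  "java\tscript:alert(1)",             // tab hidden inside the scheme
  "data:text/html,hello",              // inline document
  "someapp://open",                    // placeholder OS-registered handler
  "//example.com/landing",             // protocol-relative
  "example.com/landing",               // no scheme at all
];

// Returns the samples that the check refuses, with the reason for each.
function rejectedSamples() {
  return samples
    .map((s) => ({ input: s, ...validateCampaignUrl(s) }))
    .filter((r) => !r.ok);
}

for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(validateCampaignUrl(s)));
}
```

Run the same check on the server that stores the campaign as well as in the form, since a client-side check alone can be bypassed by calling the API directly.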

@tackley this seems like an important security feature, could you take a look?

diracdeltas avatar May 17 '22 20:05 diracdeltas

This issue is stale because it has been open for over a year with no activity. Remove stale label or add a comment to avoid this being closed in a week's time.

github-actions[bot] avatar Nov 25 '23 03:11 github-actions[bot]

This issue was closed because it has been inactive for a week since being marked as stale.

github-actions[bot] avatar Dec 03 '23 03:12 github-actions[bot]

This should be fixed as of: https://github.com/brave/ads-serve/pull/2901

IanKrieger avatar Oct 11 '24 20:10 IanKrieger