react-native-url-polyfill
Security: Doesn't encode urls with punycode
Malicious actors could trick victims into clicking phishing links, because they look exactly like the valid original domain. E.g. the original apple.com URL could be converted using the Cyrillic alphabet to аррlе.com, which looks identical to the original URL. That's why the browser encodes URLs with special characters using punycode, to xn--l-7sbq6ba.com. You can check it if you enter this in the browser console:
new URL("https://аррlе.com").href
this should result in
'https://xn--l-7sbq6ba.com/'
However, this react-native-url-polyfill library doesn't encode URLs using punycode, which results in a huge security risk for the end user.
Thanks for bringing up this concern.
I think this is still better than React Native's implementation, but still not perfect.
What would you suggest in order to address this issue while remaining lightweight? Should we try to encode them with a lightweight library? Should we throw on URLs with special characters?
I'm not sure, but it looks like you are using whatwg-url-without-unicode and I don't know if it can encode those urls.
Maybe the package whatwg-url does support it.
Yes. I'm the author of whatwg-url-without-unicode and it doesn't support unicode so we can use URL and URLSearchParams with a smaller footprint (372 KB to 40.9 KB).
Wow, that's a lot. I appreciate the effort; maybe there is a lightweight punycode lib to handle this issue.