react-linkify
Homograph attack (Security)
Issue
This lib, and even the GitHub viewer itself, is vulnerable to a homograph attack: a seemingly innocent link such as http://ebаy.com (the "а" is Cyrillic U+0430, not the Latin letter "a") actually sends the user to http://xn--eby-7cd.com, a domain that has nothing to do with ebay.com.
Imagine a user posting a link like this in a forum and having other, unsuspecting users click on it.
Unicode form, as displayed: http://ebаy.com (hover over the link to see how the browser decodes it)
Actual equivalent IDN (punycode): http://xn--eby-7cd.com
Further reading
https://en.wikipedia.org/wiki/IDN_homograph_attack
Potential remediation
https://en.wikipedia.org/wiki/IDN_homograph_attack#Defending_against_the_attack
We can leverage punycode (https://en.wikipedia.org/wiki/Punycode) to display the ASCII (xn--) form of the host instead of its Unicode form, so that a lookalike character becomes visible as such. This could be a configurable option for the lib so the user of the lib can choose their risk profile, but I would recommend enabling the punycode display by default so the security issue described here is avoided out of the box.
https://www.npmjs.com/package/punycode is a popular lib for JS.
Originally reported by @Mik317 to our security program
Hi :),
I know some platforms don't care about this risk because they have further checks on external redirections (GitHub itself treats this issue as out of scope), like a redirection banner and similar, but this issue is mostly fixed and accepted as valid, due to the fact that it's possible to fight it via a secure implementation, and not via any browser defense.
In my bug hunter's experience, I have always gotten this type of issue fixed (other researchers too: https://hackerone.com/hacktivity?order_direction=DESC&order_field=popular&filter=type%3Apublic&querystring=homograph shows this issue mostly fixed), so I suggest you do the same, as it's bad behavior that can be avoided without lots of changes :) Let me know if you need any help with the fix retest and I'll be happy to help you :)
Best, Mik
I believe the manual workaround is
```jsx
import punycode from "punycode";
...
// Render the matched text through punycode.toASCII so a non-ASCII host label
// such as "ebаy" is shown as "xn--eby-7cd" instead of passing as Latin.
const componentDecorator = (href, text, key) => (
  <a href={href} key={key} target="_blank" rel="noopener">
    {punycode.toASCII(text)}
  </a>
);
...
<Linkify componentDecorator={componentDecorator}>
  ...
</Linkify>
```
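One caveat with the workaround above: punycode.toASCII treats its whole input as a domain name, splitting on dots and encoding every label that contains non-ASCII. When the matched text still carries its scheme ("http://ebаy.com"), the first label is "http://ebаy" and the output is not a valid host. The following is an added example, not react-linkify's own code, showing the same idea built on the WHATWG URL API instead, which is available in browsers and Node and already runs IDNA ToASCII on the host. The function names (punycodeDisplay, anchorProps, withScheme) and the choice to assume http:// for scheme-less matches are this example's own assumptions; the Cyrillic sample input is constructed.

```javascript
// Added example, not react-linkify's own code: show the punycode form of a
// matched link so a Cyrillic "а" (U+0430) in "ebаy.com" cannot pass as Latin.
// It relies only on the WHATWG URL API (browsers and Node), whose parser runs
// IDNA ToASCII on the host, so no punycode dependency is needed.

// Constructed sample inputs: Latin "ebay" and the same label with U+0430.
const LATIN_LINK = "http://ebay.com";
const HOMOGRAPH_LINK = "http://eb\u0430y.com";

// Linkify also matches scheme-less text such as "ebаy.com". This example
// assumes http:// when no scheme is present (an assumption, mirroring how an
// href for such a match is usually built).
function withScheme(text) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `http://${text}`;
}

// List the non-ASCII code points in a string as U+XXXX, for a tooltip or log line.
function nonAsciiCodePoints(s) {
  return Array.from(s)
    .filter((ch) => ch.codePointAt(0) > 0x7f)
    .map((ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Decide what the user sees for one matched link.
//   display  : text to render; unchanged for pure-ASCII hosts, otherwise the
//              serialised URL whose host is already punycode (xn--...)
//   href     : serialised URL to put in the anchor
//   flagged  : true when any host label needed punycode, i.e. the host carried
//              non-ASCII characters and deserves a visual warning
//   nonAscii : the offending code points, for the warning text
// Returns null when the URL parser rejects the text; callers should then leave
// the match as plain text rather than guess at a host.
function punycodeDisplay(text) {
  let url;
  try {
    url = new URL(withScheme(text));
  } catch (e) {
    return null;
  }
  // The parser has normalised the host: lower-case ASCII with IDNA applied.
  const flagged = url.hostname.split(".").some((label) => label.startsWith("xn--"));
  return {
    display: flagged ? url.href : text,
    href: url.href,
    flagged,
    nonAscii: nonAsciiCodePoints(text),
  };
}

// The props a componentDecorator would hand to <a>. In a React component this
// becomes <a href={p.href} target={p.target} rel={p.rel} title={p.title}>{p.children}</a>.
// A flagged host additionally gets a title so hovering explains the xn-- form.
function anchorProps(href, text, key) {
  const d = punycodeDisplay(href);
  if (d === null) {
    // Unparseable match: render the raw text but do not turn it into a link.
    return { key, children: text };
  }
  const props = {
    key,
    href: d.href,
    target: "_blank",
    rel: "noopener noreferrer",
    children: d.display,
  };
  if (d.flagged) {
    props.title = `Link host contains non-ASCII characters: ${d.nonAscii.join(", ")}`;
  }
  return props;
}

// Usage: anchorProps(HOMOGRAPH_LINK, "ebаy.com", 0).children
// renders as "http://xn--eby-7cd.com/", while anchorProps(LATIN_LINK, ...) leaves
// the text untouched.
```

The display is only rewritten when a label actually needed punycode, so ordinary ASCII links render exactly as the user typed them; the serialised form (with its trailing slash) is used for the flagged case because the parser has already normalised the host and it is the same string the browser will navigate to.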