rspec/rules/S6105/common/pitfalls/starts-with.adoc

==== The trap of ``String.startsWith`` and equivalents

When validating untrusted URLs by checking if they start with a trusted scheme and authority pair `scheme://authority`, **ensure that the validation string contains a path separator character (i.e., a `/`) as the last character**.

When this character is not present, attackers may be able to register a specific domain name that both passes validation and is controlled by them.

For example, when validating the `\https://example.com` domain, suppose an attacker owns the `\https://example.evil` domain. If the prefix-based validation is implemented incorrectly, they could create a `\https://example.com.example.evil` subdomain to abuse the broken validation.

The practice of taking over domains that maliciously look like existing domains is widespread and is called https://en.wikipedia.org/wiki/Cybersquatting[cybersquatting].
Modify S6105: Move to progressive education format (APPSEC-422) (#1519) * Move metadata to root * Define S6105 for JS/TS * Move message.adoc * Fix incorrect autolink * Fix standards header * Add "noncompliant" to code sample * Change header styling * Apply suggestions from code review Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com> * Update rules/S6105/common/fix/how-does-this-work.adoc Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com> * Update rules/S6105/common/pitfalls/starts-with.adoc Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com> * Remove reference to javascript pseudo-protocol * Update rules/S6105/common/fix/how-does-this-work.adoc Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com> * Rewrite startsWith text * Change framework name Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com> 2023-01-27 10:31:23 +01:00			==== The trap of ``String.startsWith`` and equivalents

			When validating untrusted URLs by checking if they start with a trusted scheme and authority pair `scheme://authority`, ensure that the validation string contains a path separator character (i.e., a `/`) as the last character.

			`When this character is not present, attackers may be able to register a specific domain name that both passes validation and is controlled by them.`

			For example, when validating the `\https://example.com` domain, suppose an attacker owns the `\https://example.evil` domain. If the prefix-based validation is implemented incorrectly, they could create a `\https://example.com.example.evil` subdomain to abuse the broken validation.

			`The practice of taking over domains that maliciously look like existing domains is widespread and is called https://en.wikipedia.org/wiki/Cybersquatting[cybersquatting].`