rspec/rules/S6105/common/pitfalls/starts-with.adoc
Egon Okerman 1f4aed2865 Modify S6105: Move to progressive education format (APPSEC-422) (#1519)
* Move metadata to root

* Define S6105 for JS/TS

* Move message.adoc

* Fix incorrect autolink

* Fix standards header

* Add "noncompliant" to code sample

* Change header styling

* Apply suggestions from code review

Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>

* Update rules/S6105/common/fix/how-does-this-work.adoc

Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>

* Update rules/S6105/common/pitfalls/starts-with.adoc

Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>

* Remove reference to javascript pseudo-protocol

* Update rules/S6105/common/fix/how-does-this-work.adoc

Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>

* Rewrite startsWith text

* Change framework name

Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>
2023-03-02 19:03:03 +01:00


==== The trap of ``String.startsWith`` and equivalents
When validating untrusted URLs by checking if they start with a trusted scheme and authority pair `scheme://authority`, **ensure that the validation string contains a path separator character (i.e., a `/`) as the last character**.
When this character is not present, attackers may be able to register a specific domain name that both passes validation and is controlled by them.
For example, suppose the validation is meant to accept only URLs under `\https://example.com`, and an attacker owns the `\https://example.evil` domain. If the prefix check is missing the trailing `/`, they can create the `\https://example.com.example.evil` subdomain, which passes the check while being entirely under their control.
The practice of taking over domains that maliciously look like existing domains is widespread and is called https://en.wikipedia.org/wiki/Cybersquatting[cybersquatting].
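The following is an added example, not part of the S6105 rule text or the rspec project, showing how the prefix check above behaves with and without the trailing path separator. All host names are constructed for illustration; the origin-based variant at the end goes beyond the rule text and assumes a WHATWG-compliant `URL` parser (available in browsers and Node.js).

```javascript
// Added example (not from the S6105 rule text). Host names are constructed.
const TRUSTED = "https://example.com";

// Noncompliant: no trailing "/" after the authority, so any host that merely
// begins with "example.com" (e.g. "example.com.example.evil") is accepted.
function isTrustedNaive(url) {
  return url.startsWith(TRUSTED);
}

// Compliant: the trailing "/" terminates the authority, so the host must be
// exactly "example.com". The bare origin without a path is accepted explicitly,
// because "https://example.com" does not start with "https://example.com/".
function isTrustedPrefix(url) {
  return url === TRUSTED || url.startsWith(TRUSTED + "/");
}

// Alternative (assumption: WHATWG URL parser available): parse the URL and
// compare its normalised origin. This also handles upper-case scheme/host
// spellings that a byte-wise prefix check would reject.
function isTrustedOrigin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not an absolute URL, so it cannot match the trusted origin
  }
  return parsed.origin === TRUSTED;
}

// Constructed sample inputs covering the cases a validator should handle.
const SAMPLES = [
  "https://example.com",                // trusted origin, no path
  "https://example.com/login",          // trusted origin, with path
  "https://example.com.example.evil/x", // subdomain of an attacker-owned domain
  "https://example.community/",         // different registrable domain, same prefix
  "HTTPS://EXAMPLE.COM/",               // trusted origin, non-canonical case
  "not a url",                          // unparsable input
];

// URLs the naive check accepts but the corrected prefix check rejects:
// these are exactly the bypasses the trailing "/" is meant to close.
function naiveOnlyAccepts(urls) {
  return urls.filter((u) => isTrustedNaive(u) && !isTrustedPrefix(u));
}

for (const u of SAMPLES) {
  console.log(
    `${u.padEnd(36)} naive=${isTrustedNaive(u)} prefix=${isTrustedPrefix(u)} origin=${isTrustedOrigin(u)}`
  );
}
```

Both compliant variants reject the `example.com.example.evil` case; the difference between them is canonicalisation, so when inputs may arrive with mixed-case schemes or hosts, comparing the parsed origin is the more robust choice.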