Allow only URLs with https protocol during campaign creation #607

Open
thypon opened this issue Apr 25, 2022 · 3 comments
@thypon
Member

thypon commented Apr 25, 2022

Description

When creating a new campaign, an attacker may use arbitrary protocols to inject JavaScript or OS command link vectors.

Reproduction Steps

[Screenshot: screenshot_2022-04-25_at_16 56 58]

Proposed fix

Disallow any URL not employing the https scheme.

Cc @tackley

@tackley tackley self-assigned this Apr 25, 2022
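
One way to implement the proposed fix, as an added example that is not part of the original issue or the project's code. `validateCampaignUrl`, `checkSamples` and the sample inputs are hypothetical and constructed here; the code assumes a runtime with the WHATWG `URL` class (Node.js or a browser).

```javascript
// Added example: https-only allow-list for a campaign target URL.
// Function names and sample inputs are hypothetical, not from the project.

function validateCampaignUrl(input) {
  if (typeof input !== "string") {
    return { ok: false, reason: "not a string" };
  }
  // The WHATWG parser trims leading/trailing control characters and drops
  // tabs and newlines inside the scheme. Reject such input outright so the
  // check cannot disagree with a consumer that handles the raw string.
  if (/[\u0000-\u0020\u007f]/.test(input)) {
    return { ok: false, reason: "whitespace or control character" };
  }
  let url;
  try {
    // No base URL is supplied, so relative and scheme-relative input throws.
    url = new URL(input);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Allow-list, not deny-list: `protocol` is already lower-cased by the parser.
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // Return the parsed, normalised form so the stored value is the one
  // that was actually validated.
  return { ok: true, href: url.href };
}

// Constructed sample inputs covering the cases the issue describes.
const SAMPLES = [
  "https://example.com/landing?x=1",
  "HTTPS://Example.com",
  "http://example.com/",
  "javascript:void(0)",
  "java\tscript:void(0)",
  "customapp://open",
  "//example.com/path",
];

function checkSamples() {
  return SAMPLES.map((s) => ({ input: s, ...validateCampaignUrl(s) }));
}

for (const r of checkSamples()) {
  console.log(JSON.stringify(r));
}
```

The same check belongs on the server side of campaign creation; a client-side check alone can be bypassed by submitting the request directly.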
@diracdeltas
Member

@tackley this seems like an important security feature, could you take a look?

This issue is stale because it has been open for over a year with no activity. Remove stale label or add a comment to avoid this being closed in a week's time.

@github-actions github-actions bot added the stale pending closure due to inactivity label Nov 25, 2023

github-actions bot commented Dec 3, 2023

This issue was closed because it has been inactive for a week since being marked as stale.

@github-actions github-actions bot closed this as not planned Dec 3, 2023
@thypon thypon reopened this Dec 3, 2023
@github-actions github-actions bot removed the stale pending closure due to inactivity label Dec 4, 2023