Incomplete URL scheme check¶
ID: go/incomplete-url-scheme-check
Kind: problem
Security severity: 7.8
Severity: warning
Precision: high
Tags:
- security
- correctness
- external/cwe/cwe-020
Query suites:
- go-code-scanning.qls
- go-security-extended.qls
- go-security-and-quality.qls
Click to see the query in the CodeQL repository
URLs with the special scheme javascript can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the javascript scheme.
However, the data and vbscript schemes can be used to represent executable code in a very similar way, so any validation logic that checks against javascript, but not against data and vbscript, is likely to be insufficient.
Recommendation¶
Add checks covering both data: and vbscript:.
Example¶
The following function validates a (presumably untrusted) URL urlstr. If its scheme is javascript, the harmless placeholder URL about:blank is returned to prevent code injection; otherwise urlstr itself is returned.
package main
import "net/url"
func sanitizeUrl(urlstr string) string {
u, err := url.Parse(urlstr)
if err != nil || u.Scheme == "javascript" {
return "about:blank"
}
return urlstr
}
While this check provides partial projection, it should be extended to cover data and vbscript as well:
package main
import "net/url"
func sanitizeUrlGod(urlstr string) string {
u, err := url.Parse(urlstr)
if err != nil || u.Scheme == "javascript" || u.Scheme == "data" || u.Scheme == "vbscript" {
return "about:blank"
}
return urlstr
}
References¶
WHATWG: URL schemes.
Common Weakness Enumeration: CWE-20.