Further restrict when full url gets added as route param

AikidoSec · Nov 6, 2024 · 55f413f · 55f413f
1 parent 88b8211
commit 55f413f
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 21 deletions.
diff --git a/aikido_zen/context/extract_route_params.py b/aikido_zen/context/extract_route_params.py
@@ -21,8 +21,11 @@ def extract_route_params(url):
             elif replace_url_segment_with_param(segment) is not segment:
                 results.append(segment)  # Might be a secret, a hash, ...
 
-        if len(path) > 1:
+        if len(results) > 0 or "." in unquote(path):
+            # There are already phishy parts of the url OR
+            # urldecoded path contains dots, which is uncommon and could point to path traversal.
             results.append(path[1:])  # Add path after slash as user input
+
     except Exception:
         pass
     return results
diff --git a/aikido_zen/context/extract_route_params_test.py b/aikido_zen/context/extract_route_params_test.py
@@ -20,9 +20,7 @@ def test_uses_keys():
 
 
 def test_normal_urls():
-    assert extract_route_params("http://localhost:8080/a/b/abc2393027def/def") == [
-        "a/b/abc2393027def/def"
-    ]
+    assert extract_route_params("http://localhost:8080/a/b/abc2393027def/def") == []
 
 
 def test_with_empty_route():
@@ -47,10 +45,10 @@ def test_special_characters():
 def test_numeric_segments():
     # Alphanum is ignored:
     url1 = "http://localhost:8080/app/shell/12345"
-    assert extract_route_params(url1) == ["app/shell/12345"]
+    assert extract_route_params(url1) == []
 
     url2 = "http://localhost:8080/app/shell/67890/abc"
-    assert extract_route_params(url2) == ["app/shell/67890/abc"]
+    assert extract_route_params(url2) == []
 
 
 def test_mixed_segments():
@@ -71,10 +69,10 @@ def test_encoded_and_unencoded():
 
 def test_no_params():
     url1 = "http://localhost:8080/app/shell/"
-    assert extract_route_params(url1) == ["app/shell/"]
+    assert extract_route_params(url1) == []
 
     url2 = "http://localhost:8080/app/"
-    assert extract_route_params(url2) == ["app/"]
+    assert extract_route_params(url2) == []
 
 
 def test_edge_cases():
@@ -86,28 +84,29 @@ def test_edge_cases():
 
 
 def test_long_urls():
-    url1 = "http://localhost:8080/app/shell/" + "a" * 1000
-    assert extract_route_params(url1) == ["app/shell/" + "a" * 1000]
+    url1 = "http://localhost:8080/app./shell/" + "a" * 1000
+    assert extract_route_params(url1) == ["app.", "app./shell/" + "a" * 1000]
 
-    url2 = "http://localhost:8080/app/shell/" + "b" * 1000 + "/c" * 1000
-    assert extract_route_params(url2) == ["app/shell/" + "b" * 1000 + "/c" * 1000]
+    url2 = "http://localhost:8080/app./shell/" + "b" * 1000 + "/c" * 1000
+    assert extract_route_params(url2) == [
+        "app.",
+        "app./shell/" + "b" * 1000 + "/c" * 1000,
+    ]
 
 
 def test_query_parameters():
     # Test query parameters are ignored:
-    url1 = "http://localhost:8080/app/shell/?param=value"
-    assert extract_route_params(url1) == ["app/shell/"]
+    url1 = "http://localhost:8080/app/./shell/?param=value"
+    assert extract_route_params(url1) == ["app/./shell/"]
 
-    url2 = "http://localhost:8080/app/shell/?key1=value1&key2=value2"
-    assert extract_route_params(url2) == ["app/shell/"]
+    url2 = "http://localhost:8080/app/./shell/?key1=value1&key2=value2"
+    assert extract_route_params(url2) == ["app/./shell/"]
 
 
 def test_fragment_identifiers():
     # Fragments should be ignored:
-    url1 = "http://localhost:8080/app/shell/#section1"
-    assert extract_route_params(url1) == ["app/shell/"]
+    url1 = "http://localhost:8080/app/./shell/#section1"
+    assert extract_route_params(url1) == ["app/./shell/"]
 
     url2 = "http://localhost:8080/app/shell/#/path/to/resource"
-    assert extract_route_params(url2) == [
-        "app/shell/",
-    ]
+    assert extract_route_params(url2) == []