fix: Incomplete RegEx Validation of OneDrive URLs [AEM-21]
tripodsan opened this issue · 2 comments
Details:
The fstab.yaml configuration file supports three (3) resource providers: GitHub, Google Drive and Microsoft OneDrive. We noted that the validation for OneDrive relied on a regular expression that was not strict enough, which allows non-OneDrive URLs to be specified.
The following fstab.yaml configuration file will match OneDrive, despite pointing to an arbitrary domain:

```yaml
mountpoints:
  /: https://anvilsecure.com?.sharepoint.com/foobar
```
Impact Rationale:
Helix could attempt to access the mountpoint URL as a OneDrive document, while the URL actually points to an arbitrary domain. The confusion could result in unexpected errors and exceptions in the code.
Likelihood Rationale:
Exploitation of the confusion might be difficult, especially without access to the source code.
Mitigation:
The regular expression should be stricter, allowing alphanumeric and hyphen characters only.
🎉 This issue has been resolved in version @adobe/helix-shared-config-v10.1.0 🎉
The release is available on:
Your semantic-release bot 📦🚀
🎉 This issue has been resolved in version 8.0.0 🎉
The release is available on:
Your semantic-release bot 📦🚀