The login-sdk-demo from moonpay

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

github-actions

.github/workflows/close-stale-prs.yml

.github/workflows/codeql-analysis.yml

npm

package.json

nvm

.nvmrc

Check this box to trigger a request for Renovate to run again on this repository

CORS policy

Title: Problem with CORS policy when accessing the resource https://eth-goerli.g.alchemy.com/v2/W3NxyYz0u5ls5vnFu-nH8Td2lIE5_JCU from the source https://web3.moonpay.com
Description:
When trying to access the resource https://eth-goerli.g.alchemy.com/v2/W3NxyYz0u5ls5vnFu-nH8Td2lIE5_JCU from the source https://web3.moonpay.com, a CORS policy error occurs. The error message indicates that the Access-Control-Allow-Origin header is missing, causing the request to be blocked.
Steps to reproduce:

const sdk = new MoonpayWalletSDK({
  loginDomain: "https://buy-sandbox.moonpay.com",
  secureWalletDomain: "https://web3.moonpay.com",
  apiKey: process.env.NEXT_PUBLIC_MOONPAY_API_KEY,
});

  useEffect(() => {
    sdk.init().then(() => {
      setProvider(sdk.provider!);
    });
  }, [])

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>moonpay/ghsec//config/shared/renovate/default)

Follow Redirects improperly handles URLs in the url.parse() function

Description Overview

Affected of this project Horizon-Protocol/Horizon-Smart-Contract are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

PoC: #29

# Case 1 : Bypassing localhost restriction
let url = 'https://buy-sandbox.moonpay.com/admin';
try{
    new URL(url); // ERROR : Invalid URL
}catch{
    url.parse(url); // -> https://buy-sandbox.moonpay.com/admin
}

# Case 2 : Bypassing domain restriction
let url = 'http://attacker.domain*.allowed.domain:a';
try{
    new URL(url); // ERROR : Invalid URL
}catch{
    url.parse(url); // -> http://attacker.domain/*.allowed.domain:a
}

Below is part of follow-redirects's .js code.

function urlToOptions(urlObject) {
  var options = {
    protocol: urlObject.protocol,
    hostname: urlObject.hostname.startsWith("[") ?
      /* istanbul ignore next */
      urlObject.hostname.slice(1, -1) :
      urlObject.hostname,
    hash: urlObject.hash,
    search: urlObject.search,
    pathname: urlObject.pathname,
    path: urlObject.pathname + urlObject.search,
    href: urlObject.href,
  };
  if (urlObject.port !== "") {
    options.port = Number(urlObject.port);
  }
  return options;
}

It checks URL hostname which is startswith [ character. Which means if the urlObject is http://[localhost]/, then it converts to http://localhost/.

The problem comes from below code.

    function request(input, options, callback) {
      // Parse parameters
      if (isString(input)) {
        var parsed;
        try {
          parsed = urlToOptions(new URL(input));
        }
        catch (err) {
          /* istanbul ignore next */
          parsed = url.parse(input);
        }
    /* below code skipped */

urlToOptions() function is called after new URL().

When new URL('https://buy-sandbox.moonpay.com') it throws an error which is Invalid URL. Then it goes catch{ } phrase.

At the catch{ } phrase, there is vulnerable function which is url.parse().

url.parse('https://buy-sandbox.moonpay.com') sees URL to https://buy-sandbox.moonpay.com.

Proof of Concept

// PoC.js
const express = require("express");
const http = require('follow-redirects').http;
const app  = express();
const port = 80;

const isLocalhost = function (url) {
    try{
        u = new URL(url);
        if(u.hostname.includes('localhost')
        || u.hostname.includes('127.0.0.1')
        ){
            return true;
        }
    }catch{}
    return false;
}
app.use(express.json())

app.get("/", (req, res) => {
    res.send("Hello World");
})

app.post("/request", (req, res) => {
    let url = req.body.url;
    let options = {
        'followRedirects':false
    }
    if(req.body?.url){
        if(isLocalhost(req.body.url)){
            res.send('Localhost is restricted.');
            return;
        };
        http.get(url, options, (response) => {
            let data = '';
            response.on('data', chunk => {
                data += chunk.toString();
            });
            response.on('end', () => {
                res.send(data);
            })
        }).on('error', (e) => {
            console.log(e);
            res.status(500).send('Server Error');
        })
    }else{
        res.send('URL is required.');
    }
})

app.get("/admin", (req, res) => {
    if(req.socket.remoteAddress.includes('127.0.0.1')){
        res.send('Admin Page');
    }else{
        res.status(404).send('Not Found');
    }
})

app.listen(port, () => {
    console.log(`App listening on port ${port}`)
})

CWE-20
CWE-601
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

moonpay / login-sdk-demo Goto Github PK

login-sdk-demo's People

Contributors

Stargazers

Watchers

Forkers

login-sdk-demo's Issues

Dependency Dashboard

Detected dependencies

CORS policy

Action Required: Fix Renovate Configuration

Follow Redirects improperly handles URLs in the url.parse() function

Description Overview

Proof of Concept

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent