Nice finding Antony,
For your information, the latest commit was still exploitable :) here is the PoC to bypass the regex:
gist.github.com/n1nj4sec/9fc83e8bc... /../9fc83e8bc780e5c10739933ec3347460/raw/b46eef9822a00473f720680ed664873c3e20af9f/test.js (the trick is to use /../)
and the fix implemented:
github.com/thepracticaldev/dev.to/...
Nice one!
This patch was also vulnerable ;)
As the regex ended with $, we could bypass it with a newline, then /../../.. + raw gist github.com/thepracticaldev/dev.to/...
This was fixed by using \A and \Z instead of ^ and $!
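The two bypasses discussed in this thread (the /../ path segment and the newline past a $ anchor), as an added Ruby example that is not dev.to's own validator; the gist URL shape, the constants and the function names are assumptions for illustration:

```ruby
require "uri"

# Added example, not the project's code. The path shape is an assumption.
GIST_PATH = %r{https://gist\.github\.com/[\w-]+/[0-9a-f]+/raw/[0-9a-f]+/[\w.-]+}

# Weak #1: only the prefix is checked, so "/../" after the gist id walks
# to a different gist while still "starting with" the expected path.
PREFIX_ONLY     = %r{\Ahttps://gist\.github\.com/[\w-]+/[0-9a-f]+/}

# Weak #2: in Ruby, ^ and $ are LINE anchors. A valid first line followed
# by "\n" and attacker-chosen text still satisfies this pattern.
LINE_ANCHORED   = /^#{GIST_PATH}$/

# Hardened: \A and \z bind the whole string. (\Z, used in the actual fix,
# still tolerates one trailing "\n"; \z does not.)
STRING_ANCHORED = /\A#{GIST_PATH}\z/

def prefix_only_ok?(url)
  PREFIX_ONLY.match?(url)
end

def line_anchored_ok?(url)
  LINE_ANCHORED.match?(url)
end

def string_anchored_ok?(url)
  STRING_ANCHORED.match?(url)
end

# Defence in depth for the "/../" trick: even if a looser pattern were
# reintroduced, refuse any "." or ".." path segment after parsing the URL.
def safe_gist_url?(url)
  return false unless string_anchored_ok?(url)
  path = URI.parse(url).path
  path.split("/").none? { |seg| seg == "." || seg == ".." }
rescue URI::InvalidURIError
  false
end

# Constructed sample inputs; the gist id and sha are placeholders.
GOOD           = "https://gist.github.com/someuser/0123abcd/raw/89abcdef/test.js"
NEWLINE_BYPASS = GOOD + "\n/../../../other/raw/0000/evil.js"
DOT_SEGMENT    = "https://gist.github.com/someuser/0123abcd/../ffff/raw/89abcdef/x.js"
```

Running the three inputs through the three checks shows PREFIX_ONLY accepting DOT_SEGMENT and LINE_ANCHORED accepting NEWLINE_BYPASS, while safe_gist_url? accepts only GOOD.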