fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris

xiaoxiaojx · web-flow · commit c5100702335a · 2025-12-18T15:16:15.000+03:00
diff --git a/.changeset/green-turtles-change.md b/.changeset/green-turtles-change.md
@@ -0,0 +1,5 @@
+---
+"webpack": patch
+---
+
+Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.
diff --git a/lib/schemes/HttpUriPlugin.js b/lib/schemes/HttpUriPlugin.js
@@ -953,12 +953,28 @@ class HttpUriPlugin {
 					 * @returns {boolean} true when allowed, otherwise false
 					 */
 					const isAllowed = (uri) => {
+						let parsedUri;
+						try {
+							// Parse the URI to prevent userinfo bypass attacks
+							// (e.g., http://allowed@malicious/path where @malicious is the actual host)
+							parsedUri = new URL(uri);
+						} catch (_err) {
+							return false;
+						}
 						for (const allowed of allowedUris) {
 							if (typeof allowed === "string") {
-								if (uri.startsWith(allowed)) return true;
+								let parsedAllowed;
+								try {
+									parsedAllowed = new URL(allowed);
+								} catch (_err) {
+									continue;
+								}
+								if (parsedUri.href.startsWith(parsedAllowed.href)) {
+									return true;
+								}
 							} else if (typeof allowed === "function") {
-								if (allowed(uri)) return true;
-							} else if (allowed.test(uri)) {
+								if (allowed(parsedUri.href)) return true;
+							} else if (allowed.test(parsedUri.href)) {
 								return true;
 							}
 						}
diff --git a/test/configCases/asset-modules/http-url/errors.js b/test/configCases/asset-modules/http-url/errors.js
@@ -16,5 +16,8 @@ module.exports = [
 	],
 	[
 		/http:\/\/localhost:9990\/redirect has an outdated lockfile entry, but lockfile is frozen/
+	],
+	[
+		/Module not found: Error: http:\/\/localhost:9990@127\.0\.0\.1:9100\/secret\.js doesn't match the allowedUris policy/
 	]
 ];
diff --git a/test/configCases/asset-modules/http-url/index.security.js b/test/configCases/asset-modules/http-url/index.security.js
@@ -0,0 +1,6 @@
+"use strict";
+
+it("should reject URLs with userinfo that bypass allowedUris", () => {
+	expect(() => require("http://localhost:9990@127.0.0.1:9100/secret.js")).toThrow();
+});
+
diff --git a/test/configCases/asset-modules/http-url/webpack.config.js b/test/configCases/asset-modules/http-url/webpack.config.js
@@ -102,5 +102,18 @@ module.exports = [
 				frozen: true
 			})
 		]
+	},
+	{
+		name: "security-userinfo-bypass",
+		...base,
+		entry: "./index.security.js",
+		plugins: [
+			serverPlugin,
+			new HttpUriPlugin({
+				allowedUris,
+				upgrade: false,
+				frozen: false
+			})
+		]
 	}
 ];

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"webpack": patch
 +---
++
 +Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.
Original file line number	Diff line number	Diff line change
`@@ -16,5 +16,8 @@ module.exports = [`
`16`	`16`	`],`
`17`	`17`	`[`
`18`	`18`	`/http:\/\/localhost:9990\/redirect has an outdated lockfile entry, but lockfile is frozen/`
	`19`	`+ ],`
	`20`	`+ [`
	`21`	`+ /Module not found: Error: http:\/\/localhost:9990@127\.0\.0\.1:9100\/secret\.js doesn't match the allowedUris policy/`
`19`	`22`	`]`
`20`	`23`	`];`