Incomplete String Escaping in URL Handling (Potential Security Vulnerability) · Issue #6565 · mermaid-js/mermaid · GitHub

Incomplete String Escaping in URL Handling (Potential Security Vulnerability) #6565

Open
arpitjain099 opened this issue May 5, 2025 · 0 comments · May be fixed by #6566
Labels
Status: Triage Needs to be verified, categorized, etc Type: Bug / Error Something isn't working or is incorrect

Comments

@arpitjain099

Description

Certain instances in the codebase use .replace() to escape special characters like ( and ) in URLs, but they fail to escape existing backslashes (\) first. This can lead to malformed escape sequences or introduce security vulnerabilities, especially in downstream parsing or rendering.

Example:

url = url.replace(/\(/g, '\\(').replace(/\)/g, '\\)');

This does not escape backslashes already present in the string. If a URL contains something like \(, the output becomes ambiguous or unsafe.

Steps to reproduce

This issue is surfaced through static analysis (e.g., CodeQL), not through typical diagram rendering. However, to conceptually reproduce:

  1. Use a diagram that includes a URL or label with a backslash and parentheses, e.g.:
     graph TD
       A[Click here] --> B((http://example.com/\(test\)))
  2. Render the diagram using the Live Editor or embedded Mermaid.
  3. Inspect the generated output or internal URL transformation logic.
  4. Note that backslashes are not properly escaped before parentheses.
  5. This results in potentially malformed output like ( instead of \(, which may affect rendering or security depending on downstream usage.

Screenshots

Not applicable, but CodeQL flags it with:
"Incomplete string escaping or encoding"

Code Sample

Problematic line:

url = url.replace(/\(/g, '\\(').replace(/\)/g, '\\)');

Recommended fix:

url = url.replace(/\\/g, '\\\\').replace(/\(/g, '\\(').replace(/\)/g, '\\)');

Setup

  • Mermaid version:
  • Browser and Version: [Chrome, Edge, Firefox]

Suggested Solutions

  • Escape backslashes first before other characters
  • Consider abstracting the escaping logic into a utility function if this pattern appears frequently.

Additional Context

No response

@arpitjain099 arpitjain099 added Status: Triage Needs to be verified, categorized, etc Type: Bug / Error Something isn't working or is incorrect labels May 5, 2025
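An added example, not Mermaid's own code, that places the flagged pattern, the recommended fix and a single-pass utility side by side and reads each result back with a small backslash-aware reader, so the effect on a downstream consumer is visible: with the incomplete version the parentheses end up unescaped. The function names, the reader and the sample URL (taken from the reproduction step) are assumptions for illustration.

```javascript
// Added example, not Mermaid's own code: compares the escaping flagged in
// the issue with the recommended fix, using a backslash-aware reader to
// show what a downstream consumer actually sees.

// Pattern flagged by CodeQL: parentheses escaped, existing backslashes kept.
function escapeParensIncomplete(url) {
  return url.replace(/\(/g, '\\(').replace(/\)/g, '\\)');
}

// Recommended fix: escape the escape character first, then the parentheses.
function escapeParensComplete(url) {
  return url.replace(/\\/g, '\\\\').replace(/\(/g, '\\(').replace(/\)/g, '\\)');
}

// Wrong order, for comparison: escaping backslashes last also doubles the
// backslashes just inserted, so the parentheses are bare again.
function escapeParensWrongOrder(url) {
  return url.replace(/\(/g, '\\(').replace(/\)/g, '\\)').replace(/\\/g, '\\\\');
}

// Utility form (hypothetical name) for the issue's suggestion to centralise
// escaping: one character class, so the ordering question disappears.
function escapeSpecial(text) {
  return text.replace(/[\\()]/g, '\\$&');
}

// Backslash-aware reader standing in for any downstream parser: a backslash
// makes the next character literal; a parenthesis not preceded by an escaping
// backslash is reported as "bare", i.e. still a delimiter to the consumer.
function readEscaped(s) {
  let literal = '';
  const bare = [];
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (ch === '\\' && i + 1 < s.length) {
      literal += s[++i];
    } else {
      if (ch === '(' || ch === ')') bare.push(i);
      literal += ch;
    }
  }
  return { literal, bare };
}

// Constructed input, taken from the issue's reproduction step.
const SAMPLE_URL = 'http://example.com/\\(test\\)';

// Number of parentheses a consumer would still treat as delimiters.
function bareParenCount(escapeFn, url = SAMPLE_URL) {
  return readEscaped(escapeFn(url)).bare.length;
}
```

For the sample URL, bareParenCount(escapeParensIncomplete) is 2 while bareParenCount(escapeParensComplete) is 0, and the complete form reads back to the original string.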