Enhance URL parameter ferrying with robust security measures

Author: cursoragent

URL_PARAMETER_FERRYING.md

@@ -99,6 +99,15 @@ import {NavLink} from 'sentry-docs/components/navlink';
 <NavLink href="/docs/guides/">Guides</NavLink>
 ```
 
+## Security Features
+
+The implementation includes comprehensive security measures:
+- **URL Scheme Validation**: Blocks dangerous URL schemes (`javascript:`, `data:`, `vbscript:`, `file:`, `about:`)
+- **Parameter Sanitization**: Sanitizes parameter keys and values to prevent injection attacks
+- **Length Limits**: Parameter values are limited to 500 characters
+- **Control Character Filtering**: Removes control characters from parameters
+- **Multiple Validation Layers**: URLs are validated at multiple stages of processing
+
 ## Browser Compatibility
 
 The implementation uses:

src/components/paramFerry.tsx

@@ -28,16 +28,45 @@ export default function ParamFerry(): null {
           return key === pattern;
         });
 
-        if (shouldSync) {
-          params[key] = value;
+        if (shouldSync && typeof value === 'string' && typeof key === 'string') {
+          // Sanitize parameter key and value during collection
+          const sanitizedKey = key.replace(/[^\w\-._~]/g, '');
+          const sanitizedValue = value.replace(/[\r\n\t]/g, '').substring(0, 500);
+          
+          if (sanitizedKey && sanitizedValue) {
+            params[sanitizedKey] = sanitizedValue;
+          }
         }
       });
 
       return params;
     };
 
+    // Validate URL is safe to process
+    const isSafeUrl = (url: string): boolean => {
+      // Block dangerous schemes
+      const dangerousSchemes = ['javascript:', 'data:', 'vbscript:', 'file:', 'about:'];
+      const lowerUrl = url.toLowerCase().trim();
+      
+      if (dangerousSchemes.some(scheme => lowerUrl.startsWith(scheme))) {
+        return false;
+      }
+      
+      // Only allow http, https, and relative URLs
+      if (lowerUrl.startsWith('http://') || lowerUrl.startsWith('https://') || lowerUrl.startsWith('/') || !lowerUrl.includes(':')) {
+        return true;
+      }
+      
+      return false;
+    };
+
     // Ferry parameters to a URL
     const ferryParams = (targetUrl: string) => {
+      // Validate URL safety first
+      if (!isSafeUrl(targetUrl)) {
+        return targetUrl;
+      }
+
       const params = getCurrentParams();
 
       if (Object.keys(params).length === 0) {
@@ -47,14 +76,32 @@ export default function ParamFerry(): null {
       try {
         const url = new URL(targetUrl, window.location.origin);
 
-        // Add parameters to the URL
+        // Double-check the constructed URL is safe
+        if (!isSafeUrl(url.toString())) {
+          return targetUrl;
+        }
+        
+        // Add parameters to the URL with validation
         Object.entries(params).forEach(([key, value]) => {
-          if (value) {
-            url.searchParams.set(key, value);
+          if (value && typeof value === 'string') {
+            // Sanitize parameter key and value
+            const sanitizedKey = key.replace(/[^\w\-._~]/g, '');
+            const sanitizedValue = value.replace(/[\r\n\t]/g, '').substring(0, 500); // Limit length and remove control characters
+            
+            if (sanitizedKey && sanitizedValue) {
+              url.searchParams.set(sanitizedKey, sanitizedValue);
+            }
           }
         });
 
-        return url.toString();
+        const result = url.toString();
+        
+        // Final safety check
+        if (!isSafeUrl(result)) {
+          return targetUrl;
+        }
+
+        return result;
       } catch (error) {
         console.warn('Error ferrying parameters:', error);
         return targetUrl;
@@ -73,12 +120,13 @@ export default function ParamFerry(): null {
         // Skip if already processed
         if (anchor.hasAttribute('data-param-ferried')) return;
 
-        // Skip external links, anchors, mailto, and tel links
+        // Skip external links, anchors, mailto, tel links, and unsafe URLs
         if (
           (href.startsWith('http') && !href.includes(window.location.hostname)) ||
           href.startsWith('#') ||
           href.startsWith('mailto:') ||
-          href.startsWith('tel:')
+          href.startsWith('tel:') ||
+          !isSafeUrl(href)
         ) {
           anchor.setAttribute('data-param-ferried', 'skip');
           return;
@@ -87,14 +135,20 @@ export default function ParamFerry(): null {
         try {
           const ferriedUrl = ferryParams(href);
 
-          if (ferriedUrl !== href) {
+          if (ferriedUrl !== href && isSafeUrl(ferriedUrl)) {
             // For relative URLs, extract just the path and search params
             if (!href.startsWith('http')) {
               const url = new URL(ferriedUrl);
               const newHref = url.pathname + url.search + url.hash;
-              anchor.setAttribute('href', newHref);
+              // Final validation before setting href
+              if (isSafeUrl(newHref)) {
+                anchor.setAttribute('href', newHref);
+              }
             } else {
-              anchor.setAttribute('href', ferriedUrl);
+              // Final validation before setting href
+              if (isSafeUrl(ferriedUrl)) {
+                anchor.setAttribute('href', ferriedUrl);
+              }
             }
           }
 

src/utils.ts

@@ -91,6 +91,28 @@ export const marketingUrlParams = (): URLQueryObject => {
   return marketingParams;
 };
 
+/**
+ * Validate URL is safe to process (blocks dangerous schemes)
+ * @param url - The URL to validate
+ * @returns true if URL is safe, false otherwise
+ */
+const isSafeUrl = (url: string): boolean => {
+  // Block dangerous schemes
+  const dangerousSchemes = ['javascript:', 'data:', 'vbscript:', 'file:', 'about:'];
+  const lowerUrl = url.toLowerCase().trim();
+  
+  if (dangerousSchemes.some(scheme => lowerUrl.startsWith(scheme))) {
+    return false;
+  }
+  
+  // Only allow http, https, and relative URLs
+  if (lowerUrl.startsWith('http://') || lowerUrl.startsWith('https://') || lowerUrl.startsWith('/') || !lowerUrl.includes(':')) {
+    return true;
+  }
+  
+  return false;
+};
+
 /**
  * Ferry URL parameters from current page to target URL
  * @param targetUrl - The URL to append parameters to
@@ -102,23 +124,51 @@ export const ferryUrlParams = (targetUrl: string, additionalParams: URLQueryObje
     return targetUrl;
   }
 
+  // Validate URL safety first
+  if (!isSafeUrl(targetUrl)) {
+    return targetUrl;
+  }
+
   const currentParams = marketingUrlParams();
   const allParams = {...currentParams, ...additionalParams};
 
   if (Object.keys(allParams).length === 0) {
     return targetUrl;
   }
 
-  const url = new URL(targetUrl, window.location.origin);
-  
-  // Add parameters to the URL
-  Object.entries(allParams).forEach(([key, value]) => {
-    if (value && typeof value === 'string') {
-      url.searchParams.set(key, value);
+  try {
+    const url = new URL(targetUrl, window.location.origin);
+    
+    // Double-check the constructed URL is safe
+    if (!isSafeUrl(url.toString())) {
+      return targetUrl;
+    }
+    
+    // Add parameters to the URL with validation
+    Object.entries(allParams).forEach(([key, value]) => {
+      if (value && typeof value === 'string') {
+        // Sanitize parameter key and value
+        const sanitizedKey = key.replace(/[^\w\-._~]/g, '');
+        const sanitizedValue = value.replace(/[\r\n\t]/g, '').substring(0, 500); // Limit length and remove control characters
+        
+        if (sanitizedKey && sanitizedValue) {
+          url.searchParams.set(sanitizedKey, sanitizedValue);
+        }
+      }
+    });
+
+    const result = url.toString();
+    
+    // Final safety check
+    if (!isSafeUrl(result)) {
+      return targetUrl;
     }
-  });
 
-  return url.toString();
+    return result;
+  } catch (error) {
+    console.warn('Error ferrying parameters:', error);
+    return targetUrl;
+  }
 };
 
 export function captureException(exception: unknown): void {