How to Sanitize URL

Hello team,

I have an extension that is blocked in the review process because it gets a URL from an external source (a Windows application) and navigates to this URL.
Mozilla told us to sanitize the URL before using it and gave us this link as a guideline, although it doesn't explain how to use it for URL sanitization.

We are using, for example, this code to navigate to a new URL:
browser.tabs.update(request.tabId, {url: request.url});
where request.url is the URL that our Windows application sends to the extension.

What is the correct way to sanitize the URL in the background script of the extension?

Well, where does the URL lead to / what is the point of it?
Is it completely arbitrary?

The user is able to add a URL to our Windows app, and the app communicates via the native host with the extension to create/navigate to this URL.

The issue is that the Mozilla review team has blocked us because we use the URL from the external source without sanitizing it first. But we are not able to find out how to do it correctly.

Well, what does the user need from the URL they insert?

  • protocol
  • domain
  • path
  • parameters

Everything they don’t need, should be removed.

const url = new URL('http://example.com/some/path?hello=1&world=2');

url.search = ''; // http://example.com/some/path

url.protocol = 'https:';  // https://example.com/some/path

Something you could do, for example.

Our application is an RPA tool, and the user can do whatever he needs. We don't know each user's case or what he might need to achieve. As a result, we need to sanitize it only to comply with the Mozilla review.

The sanitization is a security measure to prevent good add-ons from becoming malicious simply by receiving "malicious" code from the remote server.

Also remote code execution is forbidden for this exact reason.

But I wonder, if you are navigating the user to a URL that he received from your server, does that count as remote code execution? :thinking:

Can the URL itself contain malicious code, the way HTML can?
Or just the resource it points to?

I would say no.

But maybe just the possibility to redirect user into any webpage is dangerous enough.

I can imagine the worst-case scenario being that an attacker who gains access to his server (or just a new owner) would buy a 0-day vulnerability for Firefox (on some black market) and then redirect all add-on users to some malicious page and BAM, viruses everywhere! The worst nightmare. :smiley:

What exactly does Mozilla want the OP to do?
I.e. how do you sanitize an arbitrary URL?

I’m not a reviewer so I can’t tell, but I’m eager to find out :slight_smile:.

Maybe @juhis could help out?

The reviewer's comment was:

  1. We noticed a security risk in your extension, when creating new tabs with urls that come from an external server. Please sanitize the urls before creating the new tab. For more information, see https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page .

I am not able to understand how to sanitize it from this page.

Me neither.
I hope @juhis can answer this million-dollar question.
The reviewer probably can’t.

I guess they mean that you should sanitize the URLs with encodeURIComponent/decodeURIComponent.

Usage:

var url = HttpUtility.UrlEncode("https://discourse.mozilla.org/t/how-to-sanitize-url/107767/11");

Above is in C# :point_up:

const arbitraryUrl = "https%3a%2f%2fdiscourse.mozilla.org%2ft%2fhow-to-sanitize-url%2f107767%2f11";

const safeUrl = decodeURIComponent(arbitraryUrl);

console.log(safeUrl);
// will print
// https://discourse.mozilla.org/t/how-to-sanitize-url/107767/11

Above is in js :point_up:

In your Windows application you can use System.Web.HttpUtility.UrlEncode.
https://dotnetfiddle.net/3QL3zU

I think you should at least do the following:

  • Escape <, >, ' and "
    < -> &lt;
    > -> &gt;
    ' -> &#39;
    " -> &quot;

    http://example.com/?<script>alert(document.domain);</script>
    http://example.com/"onmouseover="alert(1)"

  • Accept only allowed schemes
    javascript:alert('XSS')

  • Don’t accept absolute and/or relative URLs without a scheme
    ../../
    /../
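
Putting the advice in this thread together in working code, as an added example that is not part of the original posts or of the OP's extension: it validates the request.url the OP passes to browser.tabs.update, uses the URL parser the way the earlier reply does (parse, then re-serialize, which also percent-encodes <, >, " and spaces instead of HTML-escaping them), applies the scheme allow list and the "no scheme-less or relative URLs" rule from the last post, and shows that a percent-encoded URL like the one in the encodeURIComponent reply must be decoded before it can be validated. The function names sanitizeNavigationUrl and handleNativeMessage, the ALLOWED_SCHEMES list and the optional allowedHosts parameter are assumptions of this example; the { tabId, url } message shape comes from the OP.

```javascript
// Added example, not code from the original thread or from the OP's extension.
// Validates a URL received from an external source (e.g. the native messaging
// host) before it is handed to browser.tabs.update / browser.tabs.create.
// Function names (sanitizeNavigationUrl, handleNativeMessage) and the option
// names are hypothetical; the { tabId, url } message shape is from the OP.

// Only web schemes may be navigated to. javascript:, data:, file:, about:,
// blob:, moz-extension: and everything else are rejected outright.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

/**
 * Returns a normalized absolute URL string that is safe to pass to the tabs
 * API, or null if the input must be rejected.
 *
 * @param {unknown} input  value received from the external source
 * @param {object}  [opts]
 * @param {string[]} [opts.allowedHosts]  optional hostname allow list (exact
 *   match); omit it when, as in the OP's case, any host is legitimate
 */
function sanitizeNavigationUrl(input, opts = {}) {
  if (typeof input !== "string") return null;

  let parsed;
  try {
    // No base URL is supplied on purpose: relative inputs such as "../../",
    // "/../" or "example.com/path" have no scheme and make the parser throw,
    // so they can never resolve against moz-extension:// or the current page.
    parsed = new URL(input);
  } catch (e) {
    return null;
  }

  // The parser lower-cases the scheme, so "JavaScript:" is caught as well.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;

  // Refuse embedded credentials (http://user:pass@host/), a classic way to
  // make the visible part of the URL look like a different destination.
  if (parsed.username !== "" || parsed.password !== "") return null;

  // http(s) URLs always carry a host after parsing; check it against the
  // allow list when the caller can afford one.
  if (Array.isArray(opts.allowedHosts) &&
      !opts.allowedHosts.includes(parsed.hostname)) {
    return null;
  }

  // Return the re-serialized URL rather than the raw string: the serializer
  // percent-encodes characters such as <, >, " and spaces, so an input like
  // http://example.com/?<script>...</script> comes back as
  // http://example.com/?%3Cscript%3E...%3C/script%3E.
  return parsed.href;
}

/**
 * Message handler for the background script. Returns what it decided so the
 * result can be logged and tested; the tabs call runs only when the
 * WebExtension API object exists (it does not in Node).
 */
function handleNativeMessage(request) {
  const url = sanitizeNavigationUrl(request && request.url);
  if (url === null) {
    return { ok: false, reason: "rejected URL from native host" };
  }
  if (typeof browser !== "undefined" && browser.tabs) {
    browser.tabs.update(request.tabId, { url });
  }
  return { ok: true, url };
}
```

Note on the encoding suggestion above: if the Windows side sends the URL through UrlEncode, the extension has to decodeURIComponent it first and then validate the decoded value; the encoded string has no recognizable scheme and is rejected as-is, and decoding alone turns "javascript%3Aalert(1)" back into a javascript: URL, which only the scheme check stops. Encoding transports the URL; it does not decide whether navigating to it is acceptable.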