Security report: links redirection parsing error by cryptohazard

utopian-io · @cryptohazard · Mar 10 '18 (edited)

$12.23

Security report: links redirection parsing error

This issue follows the issue: https://github.com/busyorg/busy/issues/1492

#### Expected behavior
All external links are open in a new tab so users notice their are changing website. 
busy.org/@cryptohazard should open in the same tab while steemit.com/@cryptohazard opens in a new tab.

#### Actual behavior
There is an error in the way you parse the link. I can bypass your security by putting ```busy.org``` in the beginning of the url and it will open in the same tab.

#### How to reproduce
I made a post on busy.org  to test the issue:
https://busy.org/@cryptohazard/security-tests


<br /><hr/><em>Posted on <a href="https://utopian.io/utopian-io/@cryptohazard/security-report-links-redirection-parsing-error">Utopian.io -  Rewarding Open Source Contributors</a></em><hr/>

👍 utopian-io, yuxid, cifer, lablockchain, leir, itharagaian, wargof, loshcat, mys, soushi888, fanbasefr, leguidecrypto, orlandumike, polbot, greenorange, juanjo0968, arslanmustafa, fabinhocrypto, subornalata, kelos, galam, zonguin, baloox, hellofuture, fikarvox, mayrie28, lebastion, cryptotradingfr, worldiz, marie2018, muhammadibra, russellferris, thesport, dreamdev, abudabor, tyjulie, irminsoul82, mukta9988, studio666, yann85, steemnova, iptrucs, florenceboens, gwys, happydaddyfr, duke77, alucare, swisschain, didizion, estoy, jane83, atelierminceur, imcore, slashformotion, forexflo, gribouille, toxibuzz

properties (23)

post_id

37,627,645

author

cryptohazard

permlink

security-report-links-redirection-parsing-error

category

utopian-io

json_metadata

"{"repository": {"owner": {"login": "busyorg"}, "id": 64382195, "full_name": "busyorg/busy", "fork": false, "name": "busy", "html_url": "https://github.com/busyorg/busy"}, "moderator": {"flagged": false, "account": "espoem", "reviewed": true, "pending": false, "time": "2018-03-10T20:32:18.309Z"}, "format": "markdown", "issue": {"id": 304102388, "number": 1629, "title": "Security report: links redirection parsing error", "url": "https://github.com/busyorg/busy/issues/1629"}, "platform": "github", "tags": ["utopian-io", "busy", "security", "bug", "report"], "questions": [{"selected": 1, "question": "Is the language / grammar correct?", "answers": [{"value": "Yes", "score": 20, "selected": false}, {"value": "A few mistakes", "score": 10, "selected": true}, {"value": "It's pretty bad", "score": 0, "selected": false}]}, {"selected": 0, "question": "Was the template followed?", "answers": [{"value": "Yes", "score": 10, "selected": true}, {"value": "Partially", "score": 5, "selected": false}, {"value": "No", "score": 0, "selected": false}]}, {"selected": 0, "question": "Is the bug report formal / informal?", "answers": [{"value": "Yes straight to the point", "score": 50, "selected": true}, {"value": "No steps to reproduce", "score": 25, "selected": false}, {"value": "Not informal and not formal", "score": 0, "selected": false}]}, {"selected": 1, "question": "Is the bug report formal / professional?", "answers": [{"value": "Yes, straight to the point ", "score": 10, "selected": false}, {"value": "Almost, contains minor informal parts", "score": 5, "selected": true}]}, {"selected": 2, "question": "How severe is the bug?", "answers": [{"value": "Critical/Security/Crash, affects very critical functions or sensitive data", "score": 20, "selected": false}, {"value": "Major, functionality is affected, no workaround", "score": 15, "selected": false}, {"value": "Minor, functionality is affected, has easy and obvious workaround", "score": 10, "selected": true}, {"value": "Cosmetic, functionality is not affected", "score": 5, "selected": false}]}, {"selected": 0, "question": "Is there any unrelated content in the bug report?", "answers": [{"value": "No, post solely discusses only talk about the bug report", "score": 10, "selected": true}, {"value": "Yes, personal intro or other unrelated content ", "score": 0, "selected": false}]}], "community": "utopian", "type": "bug-hunting", "pullRequests": [], "app": "utopian/1.0.0", "users": ["cryptohazard"], "score": 25}"

created

2018-03-09 10:33:48

last_update

2018-03-10 20:32:18

depth

children

net_rshares

4,004,380,277,508

last_payout

2018-03-16 10:33:48

cashout_time

1969-12-31 23:59:59

total_payout_value

8.552 SBD

curator_payout_value

3.679 SBD

pending_payout_value

0.000 SBD

promoted

0.000 SBD

body_length

779

author_reputation

17,113,283,041,617

root_title

"Security report: links redirection parsing error"

beneficiaries

0.

`account`	utopian.pay
`weight`	2,500

max_accepted_payout

1,000,000.000 SBD

percent_steem_dollars

10,000

author_curate_reward

vote details (57)

voter	rshares	pct
soushi888	1,257,636,076	10%
mys	1,670,139,315	2%
wargof	2,055,753,021	50%
zonguin	488,416,292	5%
cifer	8,452,292,879	65%
leir	2,672,866,445	97%
yuxid	14,946,205,281	20%
lablockchain	4,014,362,116	17%
estoy	61,339,120	10%
loshcat	1,709,757,513	100%
baloox	455,676,250	10%
cryptotradingfr	307,344,620	1%
utopian-io	3,950,655,284,540	2.48%
greenorange	613,506,280	100%
dreamdev	215,564,674	5%
iptrucs	110,283,823	10%
fabinhocrypto	574,698,530	10%
mayrie28	341,026,062	10%
subornalata	554,457,559	100%
duke77	79,740,598	7%
irminsoul82	147,770,558	25%
happydaddyfr	86,193,257	1%
slashformotion	53,661,093	5%
atelierminceur	58,427,223	10%
alucare	79,274,506	10%
gwys	90,164,978	5%
marie2018	266,714,427	100%
gribouille	51,618,783	10%
itharagaian	2,063,064,795	20%
leguidecrypto	1,144,408,411	10%
orlandumike	1,125,330,247	8%
kelos	545,637,463	50%
galam	504,634,432	10%
worldiz	272,679,271	10%
florenceboens	93,310,878	10%
forexflo	51,928,954	10%
lebastion	319,326,384	20%
polbot	1,093,639,917	50%
hellofuture	408,841,888	10%
steemnova	113,592,385	2%
mukta9988	134,785,937	50%
swisschain	61,565,350	10%
fikarvox	401,358,905	100%
toxibuzz	51,359,441	10%
thesport	217,905,770	50%
didizion	61,373,261	10%
imcore	58,277,458	10%
yann85	117,151,921	10%
arslanmustafa	596,666,855	100%
jane83	61,289,755	10%
abudabor	187,721,457	100%
tyjulie	177,365,128	15%
fanbasefr	1,229,339,029	10%
studio666	117,535,823	10%
russellferris	223,679,944	100%
muhammadibra	263,514,657	100%
juanjo0968	612,815,973	100%

@muhammadibra · Mar 9 '18

Very good post

👍 muhammadibra

`post_id`	37,631,624
`author`	muhammadibra
`permlink`	re-cryptohazard-security-report-links-redirection-parsing-error-20180309t110508673z
`category`	utopian-io
`json_metadata`	"{"app": "steemit/0.1", "tags": ["utopian-io"]}"
`created`	2018-03-09 11:05:18
`last_update`	2018-03-09 11:05:18
`depth`	1
`children`	0
`net_rshares`	257,386,409
`last_payout`	2018-03-16 11:05:18
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	14
`author_reputation`	357,547,160,450
`root_title`	"Security report: links redirection parsing error"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
muhammadibra	0 B		257,386,409	100%

@tobias-g · Mar 10 '18

Your contribution cannot be approved because it does not follow the [Utopian Rules](https://utopian.io/rules).

Firstly you mention that that:

"This issue follows the issue: https://github.com/busyorg/busy/issues/1492"

From reading the issue it looks like you have already reported this issue to the busy team, please be aware that this breaks the following utopian.io rule:

If you or someone else submitted the issue on GitHub first, the Bug Report will not be accepted. Approved Bug Reports will automatically be published on GitHub.

Within bug-hunting contributions on utopian.io, you must provide all information to replicate the bug, stating "I made a post on busy.org to test the issue:" is not enough. Please be aware that this breaks the following from the [Utopian Rules](https://utopian.io/rules):

You must provide sufficiant detail to reproduce the bug.

You also haven't provided any information surrounding your environment which is against the [Utopian Rules](https://utopian.io/rules):

Include information about your technical environment such as Device, Operating System, Browser and Application versions.

You should also add screenshots, video recordings or animated GIFs, if they can help to understand the bug. This is a soft rule which means:

All the rules marked as [SOFT] may lead to rejection if you have been notified about the same mistake multiple times. In any other case the Moderator will ask for a change but accept your contribution anyways.

You can contact us on [Discord](https://discord.gg/uTyJkNm).
**[[utopian-moderator]](https://utopian.io/moderators)**

properties (22)

`post_id`	37,856,897
`author`	tobias-g
`permlink`	re-cryptohazard-security-report-links-redirection-parsing-error-20180310t181445787z
`category`	utopian-io
`json_metadata`	"{"app": "utopian/1.0.0", "community": "utopian", "tags": ["utopian-io"]}"
`created`	2018-03-10 18:14:51
`last_update`	2018-03-10 18:14:51
`depth`	1
`children`	2
`net_rshares`	0
`last_payout`	2018-03-17 18:14:51
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	1,599
`author_reputation`	78,222,795,638,600
`root_title`	"Security report: links redirection parsing error"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000

@fabien · Mar 10 '18

#1492 is a different issue, you can keep this one.

properties (22)

`post_id`	37,871,365
`author`	fabien
`permlink`	re-tobias-g-re-cryptohazard-security-report-links-redirection-parsing-error-20180310t202549117z
`category`	utopian-io
`json_metadata`	"{"app": "busy/2.4.0", "community": "busy", "tags": ["utopian-io"]}"
`created`	2018-03-10 20:26:12
`last_update`	2018-03-10 20:26:12
`depth`	2
`children`	1
`net_rshares`	0
`last_payout`	2018-03-17 20:26:12
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	50
`author_reputation`	16,638,382,769,448
`root_title`	"Security report: links redirection parsing error"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000

@cryptohazard · Mar 12 '18

Cool :-D

properties (22)

`post_id`	38,155,564
`author`	cryptohazard
`permlink`	re-fabien-re-tobias-g-re-cryptohazard-security-report-links-redirection-parsing-error-20180312t133027024z
`category`	utopian-io
`json_metadata`	"{"app": "steemit/0.1", "tags": ["utopian-io"]}"
`created`	2018-03-12 13:30:27
`last_update`	2018-03-12 13:30:27
`depth`	3
`children`	0
`net_rshares`	0
`last_payout`	2018-03-19 13:30:27
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	8
`author_reputation`	17,113,283,041,617
`root_title`	"Security report: links redirection parsing error"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000

@espoem · Mar 10 '18

I have talked to fabien and we checked that the case with putting busy.org at the beginning of the url makes it open in the same tab.

This has been approved.

You can contact us on [Discord](https://discord.gg/uTyJkNm).
**[[utopian-moderator]](https://utopian.io/moderators)**

properties (22)

`post_id`	37,872,364
`author`	espoem
`permlink`	re-cryptohazard-security-report-links-redirection-parsing-error-20180310t203609309z
`category`	utopian-io
`json_metadata`	"{"app": "utopian/1.0.0", "community": "utopian", "tags": ["utopian-io"]}"
`created`	2018-03-10 20:36:09
`last_update`	2018-03-10 20:36:09
`depth`	1
`children`	1
`net_rshares`	0
`last_payout`	2018-03-17 20:36:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	277
`author_reputation`	59,186,440,518,630
`root_title`	"Security report: links redirection parsing error"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000

@cryptohazard · Mar 12 '18

Thanks. I just need to wait then?

properties (22)

`post_id`	38,155,619
`author`	cryptohazard
`permlink`	re-espoem-re-cryptohazard-security-report-links-redirection-parsing-error-20180312t133048893z
`category`	utopian-io
`json_metadata`	"{"app": "steemit/0.1", "tags": ["utopian-io"]}"
`created`	2018-03-12 13:30:48
`last_update`	2018-03-12 13:30:48
`depth`	2
`children`	0
`net_rshares`	0
`last_payout`	2018-03-19 13:30:48
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	33
`author_reputation`	17,113,283,041,617
`root_title`	"Security report: links redirection parsing error"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000

@utopian-io · Mar 13 '18

### Hey @cryptohazard I am @utopian-io. I have just upvoted you!
#### Achievements
- This is your first accepted contribution here in Utopian. Welcome!
#### Suggestions
- Contribute more often to get higher and higher rewards. I wish to see you often!
- Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!
#### Get Noticed!
- Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!
#### Community-Driven Witness!
I am the first and only Steem Community-Driven Witness. <a href="https://discord.gg/zTrEMqB">Participate on Discord</a>. Lets GROW TOGETHER!
- <a href="https://v2.steemconnect.com/sign/account-witness-vote?witness=utopian-io&approve=1">Vote for my Witness With SteemConnect</a>
- <a href="https://v2.steemconnect.com/sign/account-witness-proxy?proxy=utopian-io&approve=1">Proxy vote to Utopian Witness with SteemConnect</a>
- Or vote/proxy on <a href="https://steemit.com/~witnesses">Steemit Witnesses</a>

[![mooncryption-utopian-witness-gif](https://steemitimages.com/DQmYPUuQRptAqNBCQRwQjKWAqWU3zJkL3RXVUtEKVury8up/mooncryption-s-utopian-io-witness-gif.gif)](https://steemit.com/~witnesses)

**Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x**

properties (22)

`post_id`	38,317,765
`author`	utopian-io
`permlink`	re-cryptohazard-security-report-links-redirection-parsing-error-20180313t083834367z
`category`	utopian-io
`json_metadata`	"{"app": "utopian/1.0.0", "community": "utopian", "tags": ["utopian-io"]}"
`created`	2018-03-13 08:38:33
`last_update`	2018-03-13 08:38:33
`depth`	1
`children`	0
`net_rshares`	0
`last_payout`	2018-03-20 08:38:33
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 SBD
`curator_payout_value`	0.000 SBD
`pending_payout_value`	0.000 SBD
`promoted`	0.000 SBD
`body_length`	1,451
`author_reputation`	152,913,012,544,965
`root_title`	"Security report: links redirection parsing error"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 SBD
`percent_steem_dollars`	10,000