1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revert "url: improve port validation"

Browse Source 
This reverts commit 5f7730e2f2689a6af0530d7de16370f9fcce1227.

This change broke too many edge cases in the ecosystem. Reverting it
re-introduces some host-spoofing possibilities, so we won't want to
revert forever, but the issue is long-lived enough and not sufficiently
critical that we can't wait for a major release to introduce it as a
breaking change. After this lands, I plan to re-introduce this as a
change that throws a warning rather than an error, after which we can
land a semver-major that re-introduces the error and try to get the word
out to maintainers of likely-affected packages.

Closes: https://github.com/nodejs/node/issues/45514
Refs: https://github.com/nodejs/node/pull/45012
PR-URL: https://github.com/nodejs/node/pull/45517
Fixes: https://github.com/nodejs/node/issues/45514
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This commit is contained in:
Rich Trott 2022-11-19 10:34:59 -08:00 committed by GitHub
parent 0220aeb855
commit bd965aaf36
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/url.js
View File

@ -387,7 +387,7 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
// validate a little. // validate a little.
if (!ipv6Hostname) { if (!ipv6Hostname) {
rest = getHostname(this, rest, hostname, url); rest = getHostname(this, rest, hostname);
} }
if (this.hostname.length > hostnameMaxLen) { if (this.hostname.length > hostnameMaxLen) {
@ -506,7 +506,7 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
return this; return this;
}; };
function getHostname(self, rest, hostname, url) { function getHostname(self, rest, hostname) {
for (let i = 0; i < hostname.length; ++i) { for (let i = 0; i < hostname.length; ++i) {
const code = hostname.charCodeAt(i); const code = hostname.charCodeAt(i);
const isValid = (code !== CHAR_FORWARD_SLASH && const isValid = (code !== CHAR_FORWARD_SLASH &&
@ -516,10 +516,6 @@ function getHostname(self, rest, hostname, url) {
code !== CHAR_COLON); code !== CHAR_COLON);
if (!isValid) { if (!isValid) {
// If leftover starts with :, then it represents an invalid port.
if (hostname.charCodeAt(i) === 58) {
throw new ERR_INVALID_URL(url);
}
self.hostname = hostname.slice(0, i); self.hostname = hostname.slice(0, i);
return `/${hostname.slice(i)}${rest}`; return `/${hostname.slice(i)}${rest}`;
} }

16
test/parallel/test-url-parse-format.js
View File

@ -865,6 +865,22 @@ const parseTests = {
href: 'http://a%22%20%3C\'b:b@cd/e?f' href: 'http://a%22%20%3C\'b:b@cd/e?f'
}, },
// Git urls used by npm
'git+ssh://git@github.com:npm/npm': {
protocol: 'git+ssh:',
slashes: true,
auth: 'git',
host: 'github.com',
port: null,
hostname: 'github.com',
hash: null,
search: null,
query: null,
pathname: '/:npm/npm',
path: '/:npm/npm',
href: 'git+ssh://git@github.com/:npm/npm'
},
'https://*': { 'https://*': {
protocol: 'https:', protocol: 'https:',
slashes: true, slashes: true,

12
test/parallel/test-url-parse-invalid-input.js
View File

@ -74,15 +74,3 @@ if (common.hasIntl) {
(e) => e.code === 'ERR_INVALID_URL', (e) => e.code === 'ERR_INVALID_URL',
'parsing http://\u00AD/bad.com/'); 'parsing http://\u00AD/bad.com/');
} }
{
const badURLs = [
'https://evil.com:.example.com',
'git+ssh://git@github.com:npm/npm',
];
badURLs.forEach((badURL) => {
assert.throws(() => { url.parse(badURL); },
(e) => e.code === 'ERR_INVALID_URL',
`parsing ${badURL}`);
});
}