From 30b5b9af08bd9c78cdb19f393d18c31b348846d4 Mon Sep 17 00:00:00 2001
From: Yagiz Nizipli
Date: Fri, 29 Apr 2022 12:54:38 -0400
Subject: [PATCH] url: should validate ipv4 part length
---
 src/node_url.cc | 1 +
 test/parallel/test-whatwg-url-constructor.js | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/src/node_url.cc b/src/node_url.cc
index b13c94f030fa59..af5c7c5d12fbc2 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -430,6 +430,7 @@ void URLHost::ParseIPv4Host(const char* input, size_t length, bool* is_ipv4) {
 pointer++;
 }
 CHECK_GT(parts, 0);
+ CHECK_LE(parts, 3);
 *is_ipv4 = true;
 // If any but the last item in numbers is greater than 255, return failure.
diff --git a/test/parallel/test-whatwg-url-constructor.js b/test/parallel/test-whatwg-url-constructor.js
index 3dc1c5986027e7..3105a9ec9b2ec1 100644
--- a/test/parallel/test-whatwg-url-constructor.js
+++ b/test/parallel/test-whatwg-url-constructor.js
@@ -142,3 +142,11 @@ function runURLSearchParamTests() {
 runURLSearchParamTests()
 runURLConstructorTests()
 /* eslint-enable */
+
+const message = {
+ code: 'ERR_INVALID_URL',
+ name: 'TypeError',
+ message: 'Invalid URL',
+};
+
+assert_throws(() => new URL('https://256.256.256.256.256'), message);
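Review bot: The added `CHECK_LE(parts, 3);` after `CHECK_GT(parts, 0);` is an assertion rather than input validation: Node's `CHECK_*` macros abort the process when they fail, so a hostname from untrusted input that reaches this line with too many parts would take the process down instead of producing the `ERR_INVALID_URL` TypeError the new test expects. The bound also looks off by one if `parts` counts the dot-separated numbers (its computation is outside the hunk), since an ordinary four-part address would then have `parts == 4`. I would reject the input on the parser's failure path instead, for example `if (parts > 4) return;`, placed so that it reports failure the same way as the range check described in the comment below, and keep `CHECK`s for invariants that input cannot violate. `ParseIPv4Host` begins and ends outside the hunk, so the failure convention needs confirming against the full function.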
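Review bot: The single case `https://256.256.256.256.256` does not isolate the part-count check, because every part is also above 255 and the range check mentioned in the node_url.cc comment could reject it on its own. Adding a five-part host with in-range values, e.g. `assert_throws(() => new URL('https://1.2.3.4.5'), message);`, would exercise the length validation by itself, and a positive assertion that a four-part host such as `new URL('https://1.2.3.4')` still parses would pin the other side of the bound. `assert_throws` is not defined in the visible lines, so confirm it is in scope at this point in the file, after `runURLConstructorTests()` and the `/* eslint-enable */` marker.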