From 76eeac3afb082b2282329964b7001858d3bf0c40 Mon Sep 17 00:00:00 2001
From: Yagiz Nizipli <yagiz@nizipli.com>
Date: Fri, 29 Apr 2022 12:54:38 -0400
Subject: [PATCH] url: should validate ipv4 part length

---
 src/node_url.cc                              | 1 +
 test/parallel/test-whatwg-url-constructor.js | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/src/node_url.cc b/src/node_url.cc
index b13c94f030fa59..af5c7c5d12fbc2 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -430,6 +430,7 @@ void URLHost::ParseIPv4Host(const char* input, size_t length, bool* is_ipv4) {
     pointer++;
   }
   CHECK_GT(parts, 0);
+  CHECK_LE(parts, 3);
   *is_ipv4 = true;
 
   // If any but the last item in numbers is greater than 255, return failure.
diff --git a/test/parallel/test-whatwg-url-constructor.js b/test/parallel/test-whatwg-url-constructor.js
index 3dc1c5986027e7..82972eddb5f8da 100644
--- a/test/parallel/test-whatwg-url-constructor.js
+++ b/test/parallel/test-whatwg-url-constructor.js
@@ -5,6 +5,7 @@ if (!common.hasIntl) {
   common.skip('missing Intl');
 }
 
+const assert = require('assert');
 const fixtures = require('../common/fixtures');
 const { test, assert_equals, assert_true, assert_throws } =
   require('../common/wpt').harness;
@@ -142,3 +143,5 @@ function runURLSearchParamTests() {
 runURLSearchParamTests()
 runURLConstructorTests()
 /* eslint-enable */
+
+assert.throws(() => new URL('https://256.256.256.256.256'), { code: 'ERR_INVALID_URL' });