url: avoid hostname spoofing w/ javascript protocol

CVE-2018-12123

Fixes: nodejs-private/security#205
PR-URL: nodejs-private/node-private#145
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

lib/url.js

@@ -202,13 +202,13 @@ Url.prototype.parse = function(url, parseQueryString, slashesDenoteHost) {
   if (slashesDenoteHost || proto || hostPattern.test(rest)) {
     var slashes = rest.charCodeAt(0) === 47/*/*/ &&
                   rest.charCodeAt(1) === 47/*/*/;
-    if (slashes && !(proto && hostlessProtocol[proto])) {
+    if (slashes && !(proto && hostlessProtocol[lowerProto])) {
       rest = rest.slice(2);
       this.slashes = true;
     }
   }
 
-  if (!hostlessProtocol[proto] &&
+  if (!hostlessProtocol[lowerProto] &&
       (slashes || (proto && !slashedProtocol[proto]))) {
 
     // there's a hostname.

test/parallel/test-url.js

@@ -903,6 +903,39 @@ const parseTests = {
     hostname: 'www.example.com',
     pathname: '/',
     path: '/'
+  },
+
+  // The following two URLs are the same, but they differ for
+  // a capital A: it is important that we verify that the protocol
+  // is checked in a case-insensitive manner.
+  'javascript:alert(1);a=\x27@white-listed.com\x27': {
+    protocol: 'javascript:',
+    slashes: null,
+    auth: null,
+    host: null,
+    port: null,
+    hostname: null,
+    hash: null,
+    search: null,
+    query: null,
+    pathname: "alert(1);a='@white-listed.com'",
+    path: "alert(1);a='@white-listed.com'",
+    href: "javascript:alert(1);a='@white-listed.com'"
+  },
+
+  'javAscript:alert(1);a=\x27@white-listed.com\x27': {
+    protocol: 'javascript:',
+    slashes: null,
+    auth: null,
+    host: null,
+    port: null,
+    hostname: null,
+    hash: null,
+    search: null,
+    query: null,
+    pathname: "alert(1);a='@white-listed.com'",
+    path: "alert(1);a='@white-listed.com'",
+    href: "javascript:alert(1);a='@white-listed.com'"
   }
 };