url: avoid hostname spoofing w/ javascript protocol
CVE-2018-12123

Fixes: nodejs-private/security#205
PR-URL: nodejs-private/node-private#145
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
mcollina authored and rvagg committed Nov 27, 2018
1 parent 618eebd commit 9c268d0
Showing 2 changed files with 35 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/url.js
@@ -202,13 +202,13 @@ Url.prototype.parse = function(url, parseQueryString, slashesDenoteHost) {
if (slashesDenoteHost || proto || hostPattern.test(rest)) {
var slashes = rest.charCodeAt(0) === 47/*/*/ &&
rest.charCodeAt(1) === 47/*/*/;
if (slashes && !(proto && hostlessProtocol[proto])) {
if (slashes && !(proto && hostlessProtocol[lowerProto])) {
rest = rest.slice(2);
this.slashes = true;
}
}

if (!hostlessProtocol[proto] &&
if (!hostlessProtocol[lowerProto] &&
(slashes || (proto && !slashedProtocol[proto]))) {

// there's a hostname.
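Review bot: The `slashedProtocol[proto]` lookup on the line after the changed `hostlessProtocol[lowerProto]` check still uses the protocol exactly as typed, so this condition is only half case-insensitive. If `slashedProtocol` is keyed by lower-case names, as `hostlessProtocol` appears to be (both tables are defined outside this hunk), a mixed-case slashed scheme written without `//` would take the "there's a hostname" branch while its lower-case spelling would not. Consider `(slashes || (proto && !slashedProtocol[lowerProto]))) {` together with a parse test for that case, or add a comment saying why the raw `proto` is intended there. `Url.prototype.parse` starts and ends outside the hunk, and so does the assignment of `lowerProto`.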
33 changes: 33 additions & 0 deletions test/parallel/test-url.js
@@ -903,6 +903,39 @@ const parseTests = {
hostname: 'www.example.com',
pathname: '/',
path: '/'
},

// The following two URLs are the same, but they differ for
// a capital A: it is important that we verify that the protocol
// is checked in a case-insensitive manner.
'javascript:alert(1);a=\x27@white-listed.com\x27': {
protocol: 'javascript:',
slashes: null,
auth: null,
host: null,
port: null,
hostname: null,
hash: null,
search: null,
query: null,
pathname: "alert(1);a='@white-listed.com'",
path: "alert(1);a='@white-listed.com'",
href: "javascript:alert(1);a='@white-listed.com'"
},

'javAscript:alert(1);a=\x27@white-listed.com\x27': {
protocol: 'javascript:',
slashes: null,
auth: null,
host: null,
port: null,
hostname: null,
hash: null,
search: null,
query: null,
pathname: "alert(1);a='@white-listed.com'",
path: "alert(1);a='@white-listed.com'",
href: "javascript:alert(1);a='@white-listed.com'"
}
};
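Review bot: Both added cases omit `//` after the scheme, so they exercise only the second changed condition in lib/url.js (`!hostlessProtocol[lowerProto] && ...`). The first changed condition (`slashes && !(proto && hostlessProtocol[lowerProto])`) gets no mixed-case regression test in this hunk. A third entry keyed by a mixed-case `javAscript://…` URL, expecting `host: null` and `hostname: null`, would pin that path, unless an entry elsewhere in `parseTests` (which extends outside the hunk) already covers it. The comment above the cases could also name the property being checked, e.g. `// hostname must stay null: the text after '@' is script, not a host (CVE-2018-12123)`.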

