From a2e19dd04521038bb454f8a6606673252d5dafa0 Mon Sep 17 00:00:00 2001
From: Yagiz Nizipli <yagiz@nizipli.com>
Date: Fri, 29 Apr 2022 12:54:38 -0400
Subject: [PATCH] url: should validate ipv4 part length

---
 src/node_url.cc                              | 5 +++++
 test/parallel/test-whatwg-url-constructor.js | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/src/node_url.cc b/src/node_url.cc
index b13c94f030fa59..34be8e77f042ba 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -432,6 +432,11 @@ void URLHost::ParseIPv4Host(const char* input, size_t length, bool* is_ipv4) {
   CHECK_GT(parts, 0);
   *is_ipv4 = true;
 
+  // If parts’s size is greater than 4, validation error, return failure.
+  if (parts > 4) {
+    return;
+  }
+
   // If any but the last item in numbers is greater than 255, return failure.
   // If the last item in numbers is greater than or equal to
   // 256^(5 - the number of items in numbers), return failure.
diff --git a/test/parallel/test-whatwg-url-constructor.js b/test/parallel/test-whatwg-url-constructor.js
index 3dc1c5986027e7..82972eddb5f8da 100644
--- a/test/parallel/test-whatwg-url-constructor.js
+++ b/test/parallel/test-whatwg-url-constructor.js
@@ -5,6 +5,7 @@ if (!common.hasIntl) {
   common.skip('missing Intl');
 }
 
+const assert = require('assert');
 const fixtures = require('../common/fixtures');
 const { test, assert_equals, assert_true, assert_throws } =
   require('../common/wpt').harness;
@@ -142,3 +143,5 @@ function runURLSearchParamTests() {
 runURLSearchParamTests()
 runURLConstructorTests()
 /* eslint-enable */
+
+assert.throws(() => new URL('https://256.256.256.256.256'), { code: 'ERR_INVALID_URL' });