From b555ee1730ee0e54af66974970e502a2dd7d6ceb Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Fri, 7 Oct 2022 20:58:04 -0700 Subject: [PATCH 1/8] doc: deprecate url.parse() This is a documentation-deprecation only and it is possible that it will not proceed to a runtime-deprecation any time in the foreseeable future. But url.parse() is not standardized and prone to errors that have security implications. Refs: https://github.com/nodejs/node/issues/44911#issuecomment-1271631345 --- doc/api/deprecations.md | 17 ++++++++++++++++- doc/api/url.md | 21 ++++++++------------- 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index 2a26f80c2ee9ce..6d54cabeeeabd9 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3258,7 +3258,7 @@ changes: description: Runtime deprecation. --> -Type: Runtime. +Type: Runtime The implicit suppression of uncaught exceptions in Node-API callbacks is now deprecated. @@ -3267,6 +3267,21 @@ Set the flag [`--force-node-api-uncaught-exceptions-policy`][] to force Node.js to emit an [`'uncaughtException'`][] event if the exception is not handled in Node-API callbacks. +### DEP0169: Insecure url.parse() + + + +Type: Documentation-only + +[`url.parse()`][] behavior is not standardized and prone to errors that +have security implications. Use the [WHATWG URL API][] instead. + [Legacy URL API]: url.md#legacy-url-api [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3 diff --git a/doc/api/url.md b/doc/api/url.md index 1ba0ca9ddf3d32..f5d4fe24b98bec 100644 --- a/doc/api/url.md +++ b/doc/api/url.md 
@@ -27,7 +27,7 @@ The `node:url` module provides two APIs for working with URLs: a legacy API that is Node.js specific, and a newer API that implements the same [WHATWG URL Standard][] used by web browsers. -A comparison between the WHATWG and Legacy APIs is provided below. Above the URL +A comparison between the WHATWG and legacy APIs is provided below. Above the URL `'https://user:pass@sub.example.com:8080/p/a/t/h?query=string#hash'`, properties of an object returned by the legacy `url.parse()` are shown. Below it are properties of a WHATWG `URL` object. @@ -63,7 +63,7 @@ const myURL = new URL('https://user:pass@sub.example.com:8080/p/a/t/h?query=string#hash'); ``` -Parsing the URL string using the Legacy API: +Parsing the URL string using the legacy API: ```mjs import url from 'node:url'; @@ -1521,6 +1521,9 @@ The formatting process operates as follows: -> Stability: 3 - Legacy: Use the WHATWG URL API instead. +> Stability: 0 - Deprecated: Use the WHATWG URL API instead. * `urlString` {string} The URL string to parse. * `parseQueryString` {boolean} If `true`, the `query` property will always @@ -1562,16 +1565,8 @@ A `URIError` is thrown if the `auth` property is present but cannot be decoded. `url.parse()` uses a lenient, non-standard algorithm for parsing URL strings. It is prone to security issues such as [host name spoofing][] -and incorrect handling of usernames and passwords. - -`url.parse()` is an exception to most of the legacy APIs. Despite its security -concerns, it is legacy and not deprecated because it is: - -* Faster than the alternative WHATWG `URL` parser. -* Easier to use with regards to relative URLs than the alternative WHATWG `URL` API. -* Widely relied upon within the npm ecosystem. - -Use with caution. +and incorrect handling of usernames and passwords. Use the [WHATWG URL][] API +instead. ### `url.resolve(from, to)` From 8c3fd95e476b9f35fd6233085b6c17334114b22c Mon Sep 17 00:00:00 2001 
From: Rich Trott Date: Tue, 11 Oct 2022 11:20:46 -0700 Subject: [PATCH 2/8] fixup! doc: deprecate url.parse() --- doc/api/url.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/api/url.md b/doc/api/url.md index f5d4fe24b98bec..bfb0dcb3c3fbe0 100644 --- a/doc/api/url.md +++ b/doc/api/url.md @@ -1565,8 +1565,9 @@ A `URIError` is thrown if the `auth` property is present but cannot be decoded. `url.parse()` uses a lenient, non-standard algorithm for parsing URL strings. It is prone to security issues such as [host name spoofing][] -and incorrect handling of usernames and passwords. Use the [WHATWG URL][] API -instead. +and incorrect handling of usernames and passwords. Do not use with untrusted +input. CVEs are not issued for `url.parse()` vulnerabilities. Use the +[WHATWG URL][] API instead. ### `url.resolve(from, to)` From 8975b0036246c7a0f511091048232150cf8ce9b4 Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Tue, 11 Oct 2022 11:23:11 -0700 Subject: [PATCH 3/8] fixup! fixup! doc: deprecate url.parse() --- doc/api/deprecations.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index 6d54cabeeeabd9..4073c9a57521a1 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3280,7 +3280,8 @@ changes: Type: Documentation-only [`url.parse()`][] behavior is not standardized and prone to errors that -have security implications. Use the [WHATWG URL API][] instead. +have security implications. Use the [WHATWG URL API][] instead. CVEs are not +issued for `url.parse()` vulnerabilities. [Legacy URL API]: url.md#legacy-url-api [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf From 8829ec5df578f2da49cd857968beb53370e20ee5 Mon Sep 17 00:00:00 2001 
From: Rich Trott Date: Tue, 11 Oct 2022 11:24:54 -0700 Subject: [PATCH 4/8] fixup! fixup! fixup! doc: deprecate url.parse() --- doc/api/deprecations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index 4073c9a57521a1..160b532b2d57bb 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -2300,7 +2300,7 @@ changes: Type: Deprecation revoked -The [Legacy URL API][] is deprecated. This includes [`url.format()`][], +The [legacy URL API][] is deprecated. This includes [`url.format()`][], [`url.parse()`][], [`url.resolve()`][], and the [legacy `urlObject`][]. Please use the [WHATWG URL API][] instead. @@ -3283,7 +3283,6 @@ Type: Documentation-only have security implications. Use the [WHATWG URL API][] instead. CVEs are not issued for `url.parse()` vulnerabilities. -[Legacy URL API]: url.md#legacy-url-api [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3 [RFC 8247 Section 2.4]: https://www.rfc-editor.org/rfc/rfc8247#section-2.4 @@ -3430,6 +3429,7 @@ issued for `url.parse()` vulnerabilities. [from_arraybuffer]: buffer.md#static-method-bufferfromarraybuffer-byteoffset-length [from_string_encoding]: buffer.md#static-method-bufferfromstring-encoding [legacy `urlObject`]: url.md#legacy-urlobject +[legacy URL API]: url.md#legacy-url-api [static methods of `crypto.Certificate()`]: crypto.md#class-certificate [subpath exports]: packages.md#subpath-exports [subpath imports]: packages.md#subpath-imports From 500596623289c05caea600bcd8fb7de6b26fef67 Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Tue, 11 Oct 2022 11:25:53 -0700 Subject: [PATCH 5/8] fixup! fixup! fixup! fixup! doc: deprecate url.parse() --- doc/api/deprecations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index 160b532b2d57bb..1f9b0ebaa67d83 100644 
--- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3428,8 +3428,8 @@ issued for `url.parse()` vulnerabilities. [alloc_unsafe_size]: buffer.md#static-method-bufferallocunsafesize [from_arraybuffer]: buffer.md#static-method-bufferfromarraybuffer-byteoffset-length [from_string_encoding]: buffer.md#static-method-bufferfromstring-encoding -[legacy `urlObject`]: url.md#legacy-urlobject [legacy URL API]: url.md#legacy-url-api +[legacy `urlObject`]: url.md#legacy-urlobject [static methods of `crypto.Certificate()`]: crypto.md#class-certificate [subpath exports]: packages.md#subpath-exports [subpath imports]: packages.md#subpath-imports From e14b5a550de2ba34b3ee17d8f9b33dd2eb67271c Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Tue, 11 Oct 2022 11:29:57 -0700 Subject: [PATCH 6/8] fixup! fixup! fixup! fixup! fixup! doc: deprecate url.parse() --- doc/api/deprecations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index 1f9b0ebaa67d83..3f7c40f8f78c93 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -2288,6 +2288,9 @@ future release. From 620a31daa23d283f24c035982e972aaa8409ee68 Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Tue, 11 Oct 2022 13:39:57 -0700 Subject: [PATCH 8/8] Update doc/api/url.md --- doc/api/url.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/url.md b/doc/api/url.md index bfb0dcb3c3fbe0..5745f82d1fe395 100644 --- a/doc/api/url.md +++ b/doc/api/url.md @@ -1522,7 +1522,7 @@ The formatting process operates as follows: added: v0.1.25 changes: - version: REPLACEME - pr-url: https://github.com/nodejs/node/pull/44918 + pr-url: https://github.com/nodejs/node/pull/44919 description: Documentation-only deprecation. - version: - v15.13.0
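Review bot: In the PATCH 1/8 hunk that adds the DEP0169 entry to deprecations.md, "prone to errors that have security implications" names no concrete hazard, while the url.md hunk in the same patch spells out "host name spoofing" and "incorrect handling of usernames and passwords". Readers of the deprecation list will not see url.md, so either repeat those two hazards here or link the `[host name spoofing][]` reference, and state that the risk applies when `url.parse()` is given untrusted input, since that is the condition that makes the lenient, non-standard parsing exploitable.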
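Review bot: The last url.md hunk of PATCH 1/8 deletes the three-item rationale ("Faster ...", "Easier to use with regards to relative URLs ...", "Widely relied upon ...") and replaces it with "Use the [WHATWG URL][] API instead" without giving a migration path for the relative-URL case the deleted text acknowledged. Suggest adding one sentence that relative references are resolved with the two-argument constructor, `new URL(input, base)`, so the deprecation does not push people toward hand-rolled concatenation. Also confirm that `[WHATWG URL]` is a defined reference label in url.md; the deprecations.md hunk uses `[WHATWG URL API]`, and an undefined label renders as literal bracketed text.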
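Review bot: PATCH 2/8 adds "Do not use with untrusted input." to url.md, but the matching PATCH 3/8 change to deprecations.md adds only "CVEs are not issued for `url.parse()` vulnerabilities." and omits the untrusted-input warning, so the two descriptions of DEP0169 disagree on the one operational rule that matters. Mirror the sentence in the deprecations.md entry. For the CVE statement, consider pointing at the issue comment already cited in the PATCH 1/8 commit message (the Refs: link) or the project's security policy, so the claim is verifiable rather than bare.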
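Review bot: In the PATCH 3/8 hunk, placing "CVEs are not issued for `url.parse()` vulnerabilities." after "Use the [WHATWG URL API][] instead." makes the policy read as an afterthought to the recommendation. url.md (after PATCH 2/8) orders it risk, then no-CVE policy, then recommendation; use the same order here so that a reader who stops at the recommendation has already seen that reported bugs will not get a CVE.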
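Review bot: The first hunk of PATCH 4/8 leaves DEP0116 reading "The [legacy URL API][] is deprecated." directly under "Type: Deprecation revoked", and with DEP0169 now deprecating `url.parse()` alone, the two entries contradict each other: one says the whole legacy API is deprecated but revoked, the other deprecates one function of it. Reword DEP0116 to past tense ("was deprecated ... the deprecation was later revoked") and add a cross-reference to DEP0169 for `url.parse()`. Separately, the relocated `[legacy URL API]` definition in the second hunk lands after `[legacy `urlObject`]`, out of the lexical order the reference list follows (a space sorts before a backtick, so `[legacy URL API]` belongs first); PATCH 5/8 swaps them back, so squash the two fixups before landing.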
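Review bot: PATCH 8/8 corrects the `pr-url` in url.md from `.../pull/44918` to `.../pull/44919` but touches only url.md. The PATCH 3/8 context shows a `changes:` block on the DEP0169 entry in deprecations.md too; if that block carries a `pr-url` copied from the same source, it needs the same correction, otherwise the two entries for one deprecation will point at different pull requests.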