url: improve url.parse() compliance with WHATWG URL #45011
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Make the url.parse() hostname parsing closer to that of WHATWG URL parsing. This mitigates for cases where hostname spoofing becomes possible if your code checks the hostname using one API but the library you use to send the request uses the other API. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss).
nodejs-github-bot
added
needs-ci
github-actions
bot
removed
the
request-ci
|
Although this could be considered a semver-major breaking change, I'd argue this is a bugfix as the changed behavior would be very much for edge cases only and the current behavior seems not-intuitive and wrong. It is difficult to imagine a legitimate use case that would depend on it. Out of caution, though, we should run CITGM. |
RafaelGSS
approved these changes
Oct 15, 2022
|
@nodejs/url |
Trott
added
author ready
lpinca
reviewed
Oct 15, 2022
| code > 127; | ||
|
|
||
| // Invalid host character | ||
| const isValid = (code !== CHAR_FORWARD_SLASH && |
There was a problem hiding this comment.
I think this is now too lax. It allows code points like U+005E (^), or U+007C (|) forbidden by the URL Standard.
There was a problem hiding this comment.
Before and after this change url.parse() returns the same result for foo.com^bar.com and foo.com|bar.com. (I agree, though, that it would be better if it threw errors in those cases like it does for WHATWG URL, but that's probably a subsequent change. Small changes to url.parse() will make it easier to back out if we mess up and break something in the ecosystem.)
|
CITGM results look good to me |
Trott
added
author ready
nodejs-github-bot
removed
the
commit-queue
|
Landed in a8225dd |
RafaelGSS
pushed a commit
that referenced
this pull request
Nov 1, 2022
Make the url.parse() hostname parsing closer to that of WHATWG URL parsing. This mitigates for cases where hostname spoofing becomes possible if your code checks the hostname using one API but the library you use to send the request uses the other API. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss). PR-URL: #45011 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Merged
RafaelGSS
pushed a commit
that referenced
this pull request
Nov 10, 2022
Make the url.parse() hostname parsing closer to that of WHATWG URL parsing. This mitigates for cases where hostname spoofing becomes possible if your code checks the hostname using one API but the library you use to send the request uses the other API. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss). PR-URL: #45011 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
|
Could this be the cause of #45514? |
This comment was marked as spam.
This comment was marked as spam.
danielleadams
pushed a commit
that referenced
this pull request
Dec 30, 2022
Make the url.parse() hostname parsing closer to that of WHATWG URL parsing. This mitigates for cases where hostname spoofing becomes possible if your code checks the hostname using one API but the library you use to send the request uses the other API. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss). PR-URL: #45011 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
danielleadams
pushed a commit
that referenced
this pull request
Dec 30, 2022
Make the url.parse() hostname parsing closer to that of WHATWG URL parsing. This mitigates for cases where hostname spoofing becomes possible if your code checks the hostname using one API but the library you use to send the request uses the other API. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss). PR-URL: #45011 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
danielleadams
pushed a commit
that referenced
this pull request
Jan 3, 2023
Make the url.parse() hostname parsing closer to that of WHATWG URL parsing. This mitigates for cases where hostname spoofing becomes possible if your code checks the hostname using one API but the library you use to send the request uses the other API. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss). PR-URL: #45011 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Make the url.parse() hostname parsing closer to that of WHATWG URL parsing. This mitigates for cases where hostname spoofing becomes possible if your code checks the hostname using one API but the library you use to send the request uses the other API.
Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss).