Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

url: fix url.parse() for @hostname #42136

Merged
merged 1 commit into from
Mar 2, 2022
Merged

url: fix url.parse() for @hostname #42136

merged 1 commit into from
Mar 2, 2022

Conversation

Trott
Copy link
Member

@Trott Trott commented Feb 26, 2022

Make url.parse() behave more like browsers and WHATWHG URL when dealing
with URLs that have the format http:@example.com. This is the same as
http://example.com.

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. url Issues and PRs related to the legacy built-in url module. labels Feb 26, 2022
@Trott Trott added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 26, 2022
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 26, 2022
@nodejs-github-bot
Copy link
Collaborator

@RaisinTen
Copy link
Contributor

RaisinTen commented Feb 26, 2022

Instead of fixing the legacy api, shouldn't we help users migrate to the WHATWG url api which we recommend in the docs?

@lpinca
Copy link
Member

lpinca commented Feb 26, 2022

No objections but I think special casing @ does not make much sense. It should do the same for http:example.com, http:/example.com, http:\example.com, http://////////example.com, etc.

It should ignore all forward and backward slashes for special protocols.

@Trott
Copy link
Member Author

Trott commented Feb 26, 2022

Instead of fixing the legacy api, shouldn't we help users migrate to the WHATWG url api which we recommend in the docs?

I think we should do both if:

  • The bug in the legacy API could plausibly have security implications.
  • The bug in the legacy API can be fixed in an otherwise backward-compatible way.
  • There is someone willing to do the fix.

@Trott
Copy link
Member Author

Trott commented Feb 26, 2022

No objections but I think special casing @ does not make much sense. It should do the same for http:example.com, http:/example.com, http:\example.com, http://////////example.com, etc.

Oh, yes, very much so. Let me throw this into draft mode and see if I can address all those other kinds of edge cases without breaking existing tests/usage.

@Trott Trott marked this pull request as draft February 26, 2022 14:37
@RaisinTen
Copy link
Contributor

Instead of fixing the legacy api, shouldn't we help users migrate to the WHATWG url api which we recommend in the docs?

I think we should do both if:

  • The bug in the legacy API could plausibly have security implications.
  • The bug in the legacy API can be fixed in an otherwise backward-compatible way.
  • There is someone willing to do the fix.

According to

node/doc/api/url.md

Lines 1562 to 1565 in aa97c9d

use the WHATWG `URL` API. Because the `url.parse()` method uses a
lenient, non-standard algorithm for parsing URL strings, security
issues can be introduced. Specifically, issues with [host name spoofing][] and
incorrect handling of usernames and passwords have been identified.

it is a known source of bugs and fixing those would motivate users to keep using them and that defeats the purpose of labelling it as a legacy API, right? Why would people move to the WHATWG URL API if we accept fixes for the legacy API?

@Trott
Copy link
Member Author

Trott commented Feb 26, 2022

it is a known source of bugs and fixing those would motivate users to keep using them and that defeats the purpose of labelling it as a legacy API, right? Why would people move to the WHATWG URL API if we accept fixes for the legacy API?

A lot of people are using url.parse() through dependencies and aren't even aware they're using it.

We should not refuse fixes for an insecure API as a way of making users move to a newer API. (I'm not saying we have to do the fixes ourselves. But refusing to land a provided fix seems hostile.)

If we want to provide stronger encouragement for people to move off of url.parse() and to stop using libraries that use url.parse(), then we need to introduce a runtime deprecation or some other mechanism. Telling people that they should have read the documentation warning (which likely didn't exist when they wrote their code in the first place) is not how I want to see Node.js managed.

@Trott
Copy link
Member Author

Trott commented Feb 26, 2022

Oh, yes, very much so. Let me throw this into draft mode and see if I can address all those other kinds of edge cases without breaking existing tests/usage.

That will be a breaking change, so I'm going to open that as a follow-on PR and leave this one as-is.

@Trott Trott marked this pull request as ready for review February 26, 2022 23:49
@Trott
Copy link
Member Author

Trott commented Feb 26, 2022

Follow on PR with breaking changes: #42140

@RaisinTen
Copy link
Contributor

RaisinTen commented Feb 27, 2022

We should not refuse fixes for an insecure API as a way of making users move to a newer API. (I'm not saying we have to do the fixes ourselves. But refusing to land a provided fix seems hostile.)

Does that mean that url.parse() is supposed to be treated the same way as any non-legacy stable API until it gets runtime-deprecated?

@RaisinTen
Copy link
Contributor

That will be a breaking change, so I'm going to open that as a follow-on PR and leave this one as-is.

According to #42136 (comment), one of the scenarios when we should go ahead with the fix is when:

The bug in the legacy API can be fixed in an otherwise backward-compatible way.

but that fix is a breaking change. Isn't that contradictory?

@Trott
Copy link
Member Author

Trott commented Feb 27, 2022

Does that mean that url.parse() is supposed to be treated the same way as any non-legacy stable API until it gets runtime-deprecated?

Potential security problems in url.parse() tend to be answered with "don't use url.parse()" rather than "we need to do a security release and issue a CVE". So that's one difference in the way they are treated.

@Trott
Copy link
Member Author

Trott commented Feb 27, 2022

but that fix is a breaking change. Isn't that contradictory?

To be clear for anyone following along, we're talking about a different PR at this point. This question is about #42140. That PR is a breaking change, but this one is not.

That set of conditions was a sufficient set of conditions, not a necessary set of conditions. In other words, we can choose to break legacy APIs in major releases. There is a lot to weigh there: Disruption to users and the ecosystem vs. moving url.parse() to a more standardized (and arguably less bug-prone) state. I won't be surprised if we choose not to do it.

@RaisinTen
Copy link
Contributor

cc @nodejs/url

Copy link
Contributor

@RaisinTen RaisinTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable to me, approving!

@Trott
Copy link
Member Author

Trott commented Mar 2, 2022

@nodejs/url Anyone want to be the second approval for this?

@Trott
Copy link
Member Author

Trott commented Mar 2, 2022

Please don't add the commit-queue label to this one. I'll need to edit the commit message before landing to add some information. Thanks!

Make url.parse() behave more like browsers and WHATWHG URL when dealing
with URLs that of the format `http:@example.com`. This is the same as
`http://example.com`.

This issue was reported by P0cas. https://github.com/P0cas

PR-URL: nodejs#42136
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
@Trott Trott merged commit 010cb71 into nodejs:master Mar 2, 2022
@Trott
Copy link
Member Author

Trott commented Mar 2, 2022

Landed in 010cb71

@Trott Trott deleted the url-parse-at branch March 2, 2022 22:36
sxa pushed a commit to sxa/node that referenced this pull request Mar 7, 2022
Make url.parse() behave more like browsers and WHATWHG URL when dealing
with URLs that of the format `http:@example.com`. This is the same as
`http://example.com`.

This issue was reported by P0cas. https://github.com/P0cas

PR-URL: nodejs#42136
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
@sxa sxa mentioned this pull request Mar 8, 2022
@arcanis
Copy link
Contributor

arcanis commented Mar 10, 2022

This diff seems to break Yarn classic which does url.resolve('https://registry.npmjs.org', '@foo/bar').

Node 17.6: https://registry.npmjs.org/@foo/bar
Node 17.7: https://foo/bar

@aduh95
Copy link
Contributor

aduh95 commented Mar 10, 2022

Should we revert?

@arcanis
Copy link
Contributor

arcanis commented Mar 10, 2022

I've landed a fix in Yarn (url.resolve(..., './@foo/bar')), but it'll take time until people upgrade, and the error message will be very confusing in the meantime. I'd personally suggest to either revert or special-case this pattern (resolve called with @ as leading character in the subpath components), if possible 😕

@aduh95
Copy link
Contributor

aduh95 commented Mar 10, 2022

PR to revert: #42280

@arcanis FYI adding Yarn (both classic and Berry) to https://github.com/nodejs/citgm could help catch this kind of regressions before we release new versions of Node.js, I think it's worth considering. (and if Yarn is already on the CITGM list, we'd need to investigate why the failure wasn't caught up on the release run https://ci.nodejs.org/job/citgm-smoker/2869/)

@unerh
Copy link

unerh commented Apr 6, 2022

Hi,
Are there any intentions in pushing this to v14 and v16, as Snyk scan reports a vulnerability on this:
https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-2440551

and the preference in my org is to use LTS versions.
Thanks

@aduh95
Copy link
Contributor

aduh95 commented Apr 6, 2022

There’s no intention of backporting this to LTS releases, it’s a breaking change that has been reverted, and that we are not interested in landing anymore. Snyk report is wrong when it says Node.js 17.7.1 is not affected (it is, we have reverted the fix on that version), and is wrong when it calls it a vulnerability.

FYI that Snyk report is only about the legacy URL parser, if you are using the WHATWG one, you can safely ignore that quirk.

@mcollina
Copy link
Member

mcollina commented Apr 6, 2022

I would also note that this is not a vulnerability. We have analyzed this in great detail and it's not a problem.

xtx1130 pushed a commit to xtx1130/node that referenced this pull request Apr 25, 2022
Make url.parse() behave more like browsers and WHATWHG URL when dealing
with URLs that of the format `http:@example.com`. This is the same as
`http://example.com`.

This issue was reported by P0cas. https://github.com/P0cas

PR-URL: nodejs#42136
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-ci PRs that need a full CI run. url Issues and PRs related to the legacy built-in url module.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants