-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
url: fix url.parse() for @hostname #42136
Conversation
Instead of fixing the legacy api, shouldn't we help users migrate to the WHATWG url api which we recommend in the docs? |
No objections but I think special casing It should ignore all forward and backward slashes for special protocols. |
I think we should do both if:
|
Oh, yes, very much so. Let me throw this into draft mode and see if I can address all those other kinds of edge cases without breaking existing tests/usage. |
According to Lines 1562 to 1565 in aa97c9d
it is a known source of bugs and fixing those would motivate users to keep using them and that defeats the purpose of labelling it as a legacy API, right? Why would people move to the WHATWG URL API if we accept fixes for the legacy API? |
A lot of people are using We should not refuse fixes for an insecure API as a way of making users move to a newer API. (I'm not saying we have to do the fixes ourselves. But refusing to land a provided fix seems hostile.) If we want to provide stronger encouragement for people to move off of |
That will be a breaking change, so I'm going to open that as a follow-on PR and leave this one as-is. |
Follow on PR with breaking changes: #42140 |
Does that mean that |
According to #42136 (comment), one of the scenarios when we should go ahead with the fix is when:
but that fix is a breaking change. Isn't that contradictory? |
Potential security problems in |
To be clear for anyone following along, we're talking about a different PR at this point. This question is about #42140. That PR is a breaking change, but this one is not. That set of conditions was a sufficient set of conditions, not a necessary set of conditions. In other words, we can choose to break legacy APIs in major releases. There is a lot to weigh there: Disruption to users and the ecosystem vs. moving |
cc @nodejs/url |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems reasonable to me, approving!
@nodejs/url Anyone want to be the second approval for this? |
Please don't add the |
Make url.parse() behave more like browsers and WHATWHG URL when dealing with URLs that of the format `http:@example.com`. This is the same as `http://example.com`. This issue was reported by P0cas. https://github.com/P0cas PR-URL: nodejs#42136 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
Landed in 010cb71 |
Make url.parse() behave more like browsers and WHATWHG URL when dealing with URLs that of the format `http:@example.com`. This is the same as `http://example.com`. This issue was reported by P0cas. https://github.com/P0cas PR-URL: nodejs#42136 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This diff seems to break Yarn classic which does Node 17.6: |
Should we revert? |
I've landed a fix in Yarn ( |
PR to revert: #42280 @arcanis FYI adding Yarn (both classic and Berry) to https://github.com/nodejs/citgm could help catch this kind of regressions before we release new versions of Node.js, I think it's worth considering. (and if Yarn is already on the CITGM list, we'd need to investigate why the failure wasn't caught up on the release run https://ci.nodejs.org/job/citgm-smoker/2869/) |
Hi, and the preference in my org is to use LTS versions. |
There’s no intention of backporting this to LTS releases, it’s a breaking change that has been reverted, and that we are not interested in landing anymore. Snyk report is wrong when it says Node.js 17.7.1 is not affected (it is, we have reverted the fix on that version), and is wrong when it calls it a vulnerability. FYI that Snyk report is only about the legacy URL parser, if you are using the WHATWG one, you can safely ignore that quirk. |
I would also note that this is not a vulnerability. We have analyzed this in great detail and it's not a problem. |
Make url.parse() behave more like browsers and WHATWHG URL when dealing with URLs that of the format `http:@example.com`. This is the same as `http://example.com`. This issue was reported by P0cas. https://github.com/P0cas PR-URL: nodejs#42136 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
Make url.parse() behave more like browsers and WHATWHG URL when dealing
with URLs that have the format
http:@example.com
. This is the same ashttp://example.com
.