Revert "url: improve port validation"

This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: nodejs#45514 Refs: nodejs#45012 PR-URL: nodejs#45517 Fixes: nodejs#45514 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
marco-ippolito · Nov 23, 2022 · bd960bf · bd960bf
1 parent 9ae2a5f
commit bd960bf
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 18 deletions.
diff --git a/lib/url.js b/lib/url.js
@@ -387,7 +387,7 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
 
     // validate a little.
     if (!ipv6Hostname) {
-      rest = getHostname(this, rest, hostname, url);
+      rest = getHostname(this, rest, hostname);
     }
 
     if (this.hostname.length > hostnameMaxLen) {
@@ -506,7 +506,7 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
   return this;
 };
 
-function getHostname(self, rest, hostname, url) {
+function getHostname(self, rest, hostname) {
   for (let i = 0; i < hostname.length; ++i) {
     const code = hostname.charCodeAt(i);
     const isValid = (code !== CHAR_FORWARD_SLASH &&
@@ -516,10 +516,6 @@ function getHostname(self, rest, hostname, url) {
                      code !== CHAR_COLON);
 
     if (!isValid) {
-      // If leftover starts with :, then it represents an invalid port.
-      if (hostname.charCodeAt(i) === 58) {
-        throw new ERR_INVALID_URL(url);
-      }
       self.hostname = hostname.slice(0, i);
       return `/${hostname.slice(i)}${rest}`;
     }

diff --git a/test/parallel/test-url-parse-format.js b/test/parallel/test-url-parse-format.js
@@ -865,6 +865,22 @@ const parseTests = {
     href: 'http://a%22%20%3C\'b:b@cd/e?f'
   },
 
+  // Git urls used by npm
+  'git+ssh://[email protected]:npm/npm': {
+    protocol: 'git+ssh:',
+    slashes: true,
+    auth: 'git',
+    host: 'github.com',
+    port: null,
+    hostname: 'github.com',
+    hash: null,
+    search: null,
+    query: null,
+    pathname: '/:npm/npm',
+    path: '/:npm/npm',
+    href: 'git+ssh://[email protected]/:npm/npm'
+  },
+
   'https://*': {
     protocol: 'https:',
     slashes: true,

diff --git a/test/parallel/test-url-parse-invalid-input.js b/test/parallel/test-url-parse-invalid-input.js
@@ -74,15 +74,3 @@ if (common.hasIntl) {
                 (e) => e.code === 'ERR_INVALID_URL',
                 'parsing http://\u00AD/bad.com/');
 }
-
-{
-  const badURLs = [
-    'https://evil.com:.example.com',
-    'git+ssh://[email protected]:npm/npm',
-  ];
-  badURLs.forEach((badURL) => {
-    assert.throws(() => { url.parse(badURL); },
-                  (e) => e.code === 'ERR_INVALID_URL',
-                  `parsing ${badURL}`);
-  });
-}