When constructing a URL, 256 is sometimes accepted as part of an IPv4 address.

[danfuzz]

Version

v21.4.0

Platform

Darwin chug.lan 22.6.0 Darwin Kernel Version 22.6.0: Tue Nov 7 21:42:27 PST 2023; root:xnu-8796.141.3.702.9~2/RELEASE_ARM64_T8103 arm64

Subsystem

url

What steps will reproduce the bug?

echo 'console.log(new URL("http://1.1.1.256"))' | node -

How often does it reproduce? Is there a required condition?

Always reproducible.

What is the expected behavior? Why is that the expected behavior?

Expected to throw an error, e.g., if the 256 isn't the final component, it throws like this:

$ echo 'console.log(new URL("http://1.1.256.1"))' | node -
node:internal/url:787
    this.#updateContext(bindingUrl.parse(input, base));
                                   ^

TypeError: Invalid URL
    at new URL (node:internal/url:787:36)
    [...]
    at Socket.emit (node:events:531:35) {
  code: 'ERR_INVALID_URL',
  input: 'http://1.1.256.1'
}

What do you see instead?

$ echo 'console.log(new URL("http://1.1.1.256"))' | node -
URL {
  href: 'http://1.1.1.256/',
  origin: 'http://1.1.1.256',
  protocol: 'http:',
  username: '',
  password: '',
  host: '1.1.1.256',
  hostname: '1.1.1.256',
  port: '',
  pathname: '/',
  search: '',
  searchParams: URLSearchParams {},
  hash: ''
}

Additional information

Pretty sure this is considered a syntax error by RFC3986, which defines IPv4 address components like this:

IPv4address   = dec-octet "." dec-octet "." dec-octet "." dec-octet

dec-octet     = DIGIT                 ; 0-9
              / %x31-39 DIGIT         ; 10-99
              / "1" 2DIGIT            ; 100-199
              / "2" %x30-34 DIGIT     ; 200-249
              / "25" %x30-35          ; 250-255

[aduh95]

@nodejs/url

[ChenKS12138]

It seems to be a bug of ada-url/ada that not doing well with boundary case.

see ada-url/ada#581.

[marco-ippolito]

Fixed on main by #51542, should be included in the next release and backported