Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possibly invalid checks for WHATWG URL in https.request #26198

Closed
JonathanWilbur opened this issue Feb 19, 2019 · 3 comments
Closed

Possibly invalid checks for WHATWG URL in https.request #26198

JonathanWilbur opened this issue Feb 19, 2019 · 3 comments
Labels
http Issues or PRs related to the http subsystem. whatwg-url Issues and PRs related to the WHATWG URL implementation.

Comments

@JonathanWilbur
Copy link

  • Version: v8.10.0 (The AWS runtime used in local Serverless Framework invocations.)
  • Platform: Windows Professional, 64-Bit
  • Subsystem: lib/internal/url.js

First off, I find it questionable that this is a bug at all; I am not partial to this getting resolved. I just wanted developers to take a second look at this to ensure that it is proper.

I ran into an unusual situation where a third-party library would attempt to clone a WHATWG URL object with Object.assign(), and since the properties like hostname or path are getters, they are not copied. (Actually, the MDN documentation says this is supposed to happen, but that is obviously what is happening.) The resulting clone, therefore, has no properties except the enumerable symbols of the URL class: URLContext and URLSearchParams. This makes it pass these checks in https.js to determine if the argument is of type URL:

  } else if (args[0] && args[0][searchParamsSymbol] &&
             args[0][searchParamsSymbol][searchParamsSymbol]) {
    // url.URL instance
    options = urlToOptions(args.shift());
  }

Then, when urlToOptions() is called with this deceptive object, a TypeError is thrown: TypeError: Cannot read property 'startsWith' of undefined. See urlToOptions() below:

function urlToOptions(url) {
  var options = {
    protocol: url.protocol,
    hostname: url.hostname.startsWith('[') ?
      url.hostname.slice(1, -1) :
      url.hostname,
    hash: url.hash,
    search: url.search,
    pathname: url.pathname,
    path: `${url.pathname}${url.search}`,
    href: url.href
  };
  if (url.port !== '') {
    options.port = Number(url.port);
  }
  if (url.username || url.password) {
    options.auth = `${url.username}:${url.password}`;
  }
  return options;
}

My question, then, is: is it proper for a function in the standard library to throw a TypeError as seen above? Should there be checks to ensure that all of the necessary properties are present in url before continuing to use them?
@JonathanWilbur
Copy link
Author

If you have further questions for me, it may be instructive to see the bug I wrote up for the particular third-party library: TooTallNate/node-agent-base#26.

This was referenced Feb 19, 2019
Closed
Open
@lpinca lpinca added whatwg-url Issues and PRs related to the WHATWG URL implementation. http Issues or PRs related to the http subsystem. labels Feb 20, 2019
@lpinca
Copy link
Member

lpinca commented Feb 20, 2019

I think we should have better validation to make sure that a proper URL instance is passed to it.

@cjihrig cjihrig mentioned this issue Feb 21, 2019
Merged
2 tasks
cjihrig added a commit to cjihrig/node that referenced this issue Feb 26, 2019
@cjihrig
url: handle quasi-WHATWG URLs in urlToOptions()
4900863 
PR-URL: nodejs#26226
Refs: nodejs#26198
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
addaleax pushed a commit that referenced this issue Mar 1, 2019
@cjihrig @addaleax
url: handle quasi-WHATWG URLs in urlToOptions()
0017855 
PR-URL: #26226
Refs: #26198
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
@lpinca
Copy link
Member

lpinca commented Mar 3, 2019

Fixed by #26226.

@lpinca lpinca closed this as completed Mar 3, 2019
@jacobjenks jacobjenks mentioned this issue Dec 18, 2019
Closed
2 tasks
@tetchel tetchel mentioned this issue Jul 28, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
http Issues or PRs related to the http subsystem. whatwg-url Issues and PRs related to the WHATWG URL implementation.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lpinca @JonathanWilbur