Skip to content

Commit

Permalink
doc: document security issues with url.parse()
Browse files Browse the repository at this point in the history
Fixes: #31279

PR-URL: #34226
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
  • Loading branch information
jasnell authored and MylesBorins committed Jul 16, 2020
1 parent 96ebd5f commit a6a656a
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions doc/api/url.md
Original file line number Diff line number Diff line change
Expand Up @@ -1244,6 +1244,12 @@ A `TypeError` is thrown if `urlString` is not a string.

A `URIError` is thrown if the `auth` property is present but cannot be decoded.

Use of the legacy `url.parse()` method is discouraged. Users should
use the WHATWG `URL` API. Because the `url.parse()` method uses a
lenient, non-standard algorithm for parsing URL strings, security
issues can be introduced. Specifically, issues with [host name spoofing][] and
incorrect handling of usernames and passwords have been identified.

### `url.resolve(from, to)`
<!-- YAML
added: v0.1.25
Expand Down Expand Up @@ -1361,6 +1367,7 @@ console.log(myURL.origin);
[WHATWG URL Standard]: https://url.spec.whatwg.org/
[WHATWG URL]: #url_the_whatwg_url_api
[examples of parsed URLs]: https://url.spec.whatwg.org/#example-url-parsing
[host name spoofing]: https://hackerone.com/reports/678487
[legacy `urlObject`]: #url_legacy_urlobject
[percent-encoded]: #whatwg-percent-encoding
[stable sorting algorithm]: https://en.wikipedia.org/wiki/Sorting_algorithm#Stability

0 comments on commit a6a656a

Please sign in to comment.