From 4197555ca9340baa0c881626e360aecbb5473c83 Mon Sep 17 00:00:00 2001 From: Darshan Sen Date: Tue, 23 Mar 2021 22:23:11 +0530 Subject: [PATCH] url: forbid pipe in URL host Fixes: https://github.com/nodejs/node/issues/37862 PR-URL: https://github.com/nodejs/node/pull/37877 Reviewed-By: James M Snell Reviewed-By: Rich Trott --- src/node_url.cc | 2 +- test/cctest/test_url.cc | 5 ++ test/fixtures/wpt/README.md | 2 +- .../wpt/url/resources/urltestdata.json | 68 ++++++++++++++++--- test/fixtures/wpt/versions.json | 2 +- 5 files changed, 67 insertions(+), 12 deletions(-) diff --git a/src/node_url.cc b/src/node_url.cc index 399c37638ad56c..554ee855848cc7 100644 --- a/src/node_url.cc +++ b/src/node_url.cc @@ -208,7 +208,7 @@ CHAR_TEST(8, IsForbiddenHostCodePoint, ch == ' ' || ch == '#' || ch == '%' || ch == '/' || ch == ':' || ch == '?' || ch == '@' || ch == '[' || ch == '<' || ch == '>' || ch == '\\' || ch == ']' || - ch == '^') + ch == '^' || ch == '|') // https://url.spec.whatwg.org/#windows-drive-letter TWO_CHAR_STRING_TEST(8, IsWindowsDriveLetter, diff --git a/test/cctest/test_url.cc b/test/cctest/test_url.cc index aa2b380dd11eda..f2430b3d506ac1 100644 --- a/test/cctest/test_url.cc +++ b/test/cctest/test_url.cc @@ -44,6 +44,11 @@ TEST_F(URLTest, Simple2) { EXPECT_EQ(simple.fragment(), "fragment"); } +TEST_F(URLTest, ForbiddenHostCodePoint) { + URL error("https://exa|mple.org:81/a/b/c?query#fragment"); + EXPECT_TRUE(error.flags() & URL_FLAGS_FAILED); +} + TEST_F(URLTest, NoBase1) { URL error("123noscheme"); EXPECT_TRUE(error.flags() & URL_FLAGS_FAILED); diff --git a/test/fixtures/wpt/README.md b/test/fixtures/wpt/README.md index 9474d8a1963b7e..37d52a069aebc9 100644 --- a/test/fixtures/wpt/README.md +++ b/test/fixtures/wpt/README.md 
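Review bot: The forbidden-host set in IsForbiddenHostCodePoint is not listed in code-point order (`'['` precedes `'<'` and `'>'`, and the new `'|'` is simply appended after `'^'`), which makes it tedious to audit the chain against the URL Standard's forbidden host code point list. A term missing from this predicate means a delimiter-like character is accepted in a parsed host, so the list is worth keeping mechanically comparable. From `':'` onward I would write `ch == ':' || ch == '<' || ch == '>' || ch == '?' ||`, `ch == '@' || ch == '[' || ch == '\\' || ch == ']' ||`, `ch == '^' || ch == '|')`. The CHAR_TEST invocation begins above the hunk, so the leading terms are not visible here and should be checked the same way.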
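Review bot: ForbiddenHostCodePoint asserts only on a literal `|` in an `https` host, so the percent-encoded form and the non-special-scheme path are exercised only through the WPT fixture and not at the C++ layer. The fixture updated in this same commit expects `https://%43%7C/` and `asdf://%43|/` to fail while `asdf://%43%7C/` still parses with the host left encoded. Pinning the decoded case here guards against a later change that applies the check before percent-decoding, e.g. `URL encoded("https://exa%7Cmple.org/");` followed by `EXPECT_TRUE(encoded.flags() & URL_FLAGS_FAILED);`. A third case with a literal pipe in an `asdf://` host would cover the opaque-host branch in the same way.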
@@ -21,7 +21,7 @@ Last update: - html/webappapis/timers: https://github.com/web-platform-tests/wpt/tree/5873f2d8f1/html/webappapis/timers - interfaces: https://github.com/web-platform-tests/wpt/tree/79fa4cf76e/interfaces - resources: https://github.com/web-platform-tests/wpt/tree/972ca5b669/resources -- url: https://github.com/web-platform-tests/wpt/tree/33f2e3f2e7/url +- url: https://github.com/web-platform-tests/wpt/tree/5eebfdb1f6/url [Web Platform Tests]: https://github.com/web-platform-tests/wpt [`git node wpt`]: https://github.com/nodejs/node-core-utils/blob/master/docs/git-node.md#git-node-wpt diff --git a/test/fixtures/wpt/url/resources/urltestdata.json b/test/fixtures/wpt/url/resources/urltestdata.json index b136020e8ba8ea..dfb226deacde13 100644 --- a/test/fixtures/wpt/url/resources/urltestdata.json +++ b/test/fixtures/wpt/url/resources/urltestdata.json 
@@ -4682,30 +4682,30 @@
 },
 "Allowed host code points",
 {
- "input": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
+ "input": "http://\u001F!\"$&'()*+,-.;=_`{}~/",
 "base": "about:blank",
- "href": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
- "origin": "http://\u001F!\"$&'()*+,-.;=_`{|}~",
+ "href": "http://\u001F!\"$&'()*+,-.;=_`{}~/",
+ "origin": "http://\u001F!\"$&'()*+,-.;=_`{}~",
 "protocol": "http:",
 "username": "",
 "password": "",
- "host": "\u001F!\"$&'()*+,-.;=_`{|}~",
- "hostname": "\u001F!\"$&'()*+,-.;=_`{|}~",
+ "host": "\u001F!\"$&'()*+,-.;=_`{}~",
+ "hostname": "\u001F!\"$&'()*+,-.;=_`{}~",
 "port": "",
 "pathname": "/",
 "search": "",
 "hash": ""
 },
 {
- "input": "sc://\u001F!\"$&'()*+,-.;=_`{|}~/",
+ "input": "sc://\u001F!\"$&'()*+,-.;=_`{}~/",
 "base": "about:blank",
- "href": "sc://%1F!\"$&'()*+,-.;=_`{|}~/",
+ "href": "sc://%1F!\"$&'()*+,-.;=_`{}~/",
 "origin": "null",
 "protocol": "sc:",
 "username": "",
 "password": "",
- "host": "%1F!\"$&'()*+,-.;=_`{|}~",
- "hostname": "%1F!\"$&'()*+,-.;=_`{|}~",
+ "host": "%1F!\"$&'()*+,-.;=_`{}~",
+ "hostname": "%1F!\"$&'()*+,-.;=_`{}~",
 "port": "",
 "pathname": "/",
 "search": "",
@@ -5202,6 +5202,56 @@
 "search": "",
 "hash": ""
 },
+ {
+ "input": "file://%43%3A",
+ "base": "about:blank",
+ "failure": true
+ },
+ {
+ "input": "file://%43%7C",
+ "base": "about:blank",
+ "failure": true
+ },
+ {
+ "input": "file://%43|",
+ "base": "about:blank",
+ "failure": true
+ },
+ {
+ "input": "file://C%7C",
+ "base": "about:blank",
+ "failure": true
+ },
+ {
+ "input": "file://%43%7C/",
+ "base": "about:blank",
+ "failure": true
+ },
+ {
+ "input": "https://%43%7C/",
+ "base": "about:blank",
+ "failure": true
+ },
+ {
+ "input": "asdf://%43|/",
+ "base": "about:blank",
+ "failure": true
+ },
+ {
+ "input": "asdf://%43%7C/",
+ "base": "about:blank",
+ "href": "asdf://%43%7C/",
+ "origin": "null",
+ "protocol": "asdf:",
+ "username": "",
+ "password": "",
+ "host": "%43%7C",
+ "hostname": "%43%7C",
+ "port": "",
+ "pathname": "/",
+ "search": "",
+ "hash": ""
+ },
 "# file URLs relative to other file URLs (via https://github.com/jsdom/whatwg-url/pull/60)",
 {
 "input": "pix/submit.gif",
diff --git a/test/fixtures/wpt/versions.json b/test/fixtures/wpt/versions.json
index 800f07c607bf4b..b637bc8a8ab344 100644
--- a/test/fixtures/wpt/versions.json
+++ b/test/fixtures/wpt/versions.json
@@ -44,7 +44,7 @@
 "path": "resources"
 },
 "url": {
- "commit": "33f2e3f2e759bd51ebf8e4b9a01b067bc8281c5c",
+ "commit": "5eebfdb1f68059549b3efff380dd190bc6078266",
 "path": "url"
 }
 }
\ No newline at end of file