Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent URL pollution #1243

Merged
merged 10 commits into from
May 10, 2020
Merged

Prevent URL pollution #1243

merged 10 commits into from
May 10, 2020

Conversation

Giotino
Copy link
Collaborator

@Giotino Giotino commented May 10, 2020

Checklist

  • I have read the documentation.
  • I have included a pull request description of my changes.
  • I have included some tests.

Keeping in mind that

Properties from options will override properties in the parsed url.

URL's username ans password are overwritten only if they're not empty (or null) in options.

I'm going to add some tests.

Fixes #1235

Fixed username and password not copied to options if only in URL
@Giotino
Copy link
Collaborator Author

Giotino commented May 10, 2020

Added some tests

@Giotino
Copy link
Collaborator Author

Giotino commented May 10, 2020

There's no documentation about if username and password should be replaced (or merged) together or separately.

There's a test response contains got options which fails when the username and password are not replaced together.
The problem is that the URL (only if an object, not a string) from the given ExtendedGot is modified by each call and, as it's an object (reference), it's the same object for each call.

Is this an expected behavior? If not the URL should be deep-copied on each call to prevent pollution.

https://github.com/sindresorhus/got/blob/master/source/core/index.ts#L583

Is only a 1 level deep copy, url is copied as a reference that is not enough.

My suggestion is to add something like

if (is.urlInstance(options.url)) {
  options.url = new URL(options.url.toString());
}

after line 587

@szmarczak
Copy link
Collaborator

There's no documentation about if username and password should be replaced (or merged) together or separately.

Seperately. E.g. a user can have an empty password.

@szmarczak
Copy link
Collaborator

If not the URL should be deep-copied on each call to prevent pollution.

Not exactly object copy, but new URL(url).

@szmarczak
Copy link
Collaborator

This also needs a separate test.

@Giotino
Copy link
Collaborator Author

Giotino commented May 10, 2020

If not the URL should be deep-copied on each call to prevent pollution.

Not exactly object copy, but new URL(url).

Yes, I'm doing it

@Giotino
Copy link
Collaborator Author

Giotino commented May 10, 2020

Check this last commit

@szmarczak
Copy link
Collaborator

Hint: git pull origin master --rebase. So you don't need to commit the Merge branch 'master' into ....

@szmarczak
Copy link
Collaborator

This just needs a separate test to check against the pollution and we're good to go! :)

@Giotino
Copy link
Collaborator Author

Giotino commented May 10, 2020

Hint: git pull origin master --rebase. So you don't need to commit the Merge branch 'master' into ....

Let's say I need to get used to git... :)

BTW, I added a test, it's like the one which was failing, but simpler

@szmarczak
Copy link
Collaborator

Let's say I need to get used to git... :)

I've been there too ;)

BTW, I added a test, it's like the one which was failing, but simpler

Let me see it.

@Giotino Giotino changed the title Do not assign username and password to URL if empty Prevent URL pollution on extended got May 10, 2020
@szmarczak szmarczak changed the title Prevent URL pollution on extended got Prevent URL pollution May 10, 2020
@szmarczak szmarczak merged commit 7dbb9ee into sindresorhus:master May 10, 2020
@szmarczak
Copy link
Collaborator

Good job! Thanks 🙌

@Giotino Giotino deleted the issue-1235 branch May 10, 2020 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

got 11.x strips username and password from WHATWG URLs
2 participants