-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possibly invalid checks for WHATWG URL in https.request #26198
Labels
http
Issues or PRs related to the http subsystem.
whatwg-url
Issues and PRs related to the WHATWG URL implementation.
Comments
If you have further questions for me, it may be instructive to see the bug I wrote up for the particular third-party library: TooTallNate/node-agent-base#26. |
This was referenced Feb 19, 2019
lpinca
added
whatwg-url
Issues and PRs related to the WHATWG URL implementation.
http
Issues or PRs related to the http subsystem.
labels
Feb 20, 2019
I think we should have better validation to make sure that a proper |
2 tasks
cjihrig
added a commit
to cjihrig/node
that referenced
this issue
Feb 26, 2019
PR-URL: nodejs#26226 Refs: nodejs#26198 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Gus Caplan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]>
addaleax
pushed a commit
that referenced
this issue
Mar 1, 2019
PR-URL: #26226 Refs: #26198 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Gus Caplan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]>
Fixed by #26226. |
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
http
Issues or PRs related to the http subsystem.
whatwg-url
Issues and PRs related to the WHATWG URL implementation.
lib/internal/url.js
First off, I find it questionable that this is a bug at all; I am not partial to this getting resolved. I just wanted developers to take a second look at this to ensure that it is proper.
I ran into an unusual situation where a third-party library would attempt to clone a WHATWG
URL
object withObject.assign()
, and since the properties likehostname
orpath
are getters, they are not copied. (Actually, the MDN documentation says this is supposed to happen, but that is obviously what is happening.) The resulting clone, therefore, has no properties except the enumerable symbols of theURL
class:URLContext
andURLSearchParams
. This makes it pass these checks inhttps.js
to determine if the argument is of typeURL
:Then, when
urlToOptions()
is called with this deceptive object, aTypeError
is thrown:TypeError: Cannot read property 'startsWith' of undefined
. SeeurlToOptions()
below:My question, then, is: is it proper for a function in the standard library to throw a TypeError as seen above? Should there be checks to ensure that all of the necessary properties are present in
url
before continuing to use them?The text was updated successfully, but these errors were encountered: