-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
url: forbid certain confusable changes from being introduced by toASCII #38631
Conversation
// spoofing. Rather than moving the non-host part to the pathname as | ||
// we've done in getHostname, throw an exception to convey its | ||
// severity. | ||
throw new ERR_INVALID_URL(url); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The error code is up for debate here. url.parse itself previously never threw any exception, so there's no precedent. ERR_INVALID_URL is what's used in the WHATWG URL API, but is confusingly extended from TypeError. Another option ERR_INVALID_URI is extended from URIError, but doesn't have the nice err.input
property that ERR_INVALID_URL has.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fwiw, the TypeError
bit for WHATWG URL is actually required by the spec ... see https://url.spec.whatwg.org/#url-class
I'm fine with using ERR_INVALID_URL
here and adding the error.
This comment has been minimized.
This comment has been minimized.
Hello @nodejs/tsc, this is technically a breaking change so your reviews would be appreciated. A description and rationale for this change can be found in the PR description: #38631 (comment). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with or without comment clarification
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
The legacy url.parse() function attempts to convert Unicode domains (IDNs) into their ASCII/Punycode form through the use of the toASCII function. However, toASCII can introduce or remove various characters that at best invalidate the parsed URL, and at worst cause hostname spoofing: url.parse('http://bad.c℀.good.com/').href === 'http://bad.ca/c.good.com/' (from [1]) url.parse('http://\u00AD/bad.com').href === 'http:///bad.com/' While changes to the legacy URL parser are discouraged in general, the security implications here outweigh the desire for strict compatibility. This is since this commit only changes behavior when non-ASCII characters appear in the hostname, an unusual situation for most use cases. Additionally, despite the availability of the WHATWG URL API, url.parse remain widely deployed in the Node.js ecosystem, as exemplified by the recent un-deprecation of the legacy API. This change is similar in spirit to CPython 3.8's change [2] fixing bpo-36216 [3] aka CVE-2019-9636, which also occurred despite potential compatibility concerns. [1]: https://hackerone.com/reports/678487 [2]: python/cpython@16e6f7d [3]: https://bugs.python.org/issue36216
Landed in 70157b9 |
The legacy url.parse() function attempts to convert Unicode domains (IDNs) into their ASCII/Punycode form through the use of the toASCII function. However, toASCII can introduce or remove various characters that at best invalidate the parsed URL, and at worst cause hostname spoofing: url.parse('http://bad.c℀.good.com/').href === 'http://bad.ca/c.good.com/' (from [1]) url.parse('http://\u00AD/bad.com').href === 'http:///bad.com/' While changes to the legacy URL parser are discouraged in general, the security implications here outweigh the desire for strict compatibility. This is since this commit only changes behavior when non-ASCII characters appear in the hostname, an unusual situation for most use cases. Additionally, despite the availability of the WHATWG URL API, url.parse remain widely deployed in the Node.js ecosystem, as exemplified by the recent un-deprecation of the legacy API. This change is similar in spirit to CPython 3.8's change [2] fixing bpo-36216 [3] aka CVE-2019-9636, which also occurred despite potential compatibility concerns. [1]: https://hackerone.com/reports/678487 [2]: python/cpython@16e6f7d [3]: https://bugs.python.org/issue36216 PR-URL: #38631 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Joyee Cheung <[email protected]>
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - v8: remove --harmony-top-level-await (Geoffrey Booth) [#40226] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for th `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - v8: remove --harmony-top-level-await (Geoffrey Booth) [#40226] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. While OpenSSL 3.0 APIs should be mostly compatible with those provided by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to tightened restrictions on the allowed algorithms and key sizes. If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, `--openssl-legacy-provider`, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] Contributed in #38512, #40478 V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - deps: upgrade npm to 8.1.0 (npm team) [#40463] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. While OpenSSL 3.0 APIs should be mostly compatible with those provided by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to tightened restrictions on the allowed algorithms and key sizes. If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, `--openssl-legacy-provider`, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] Contributed in #38512, #40478 V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - deps: upgrade npm to 8.1.0 (npm team) [#40463] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. While OpenSSL 3.0 APIs should be mostly compatible with those provided by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to tightened restrictions on the allowed algorithms and key sizes. If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, `--openssl-legacy-provider`, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] Contributed in #38512, #40478 V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - deps: upgrade npm to 8.1.0 (npm team) [#40463] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
The legacy url.parse() function attempts to convert Unicode domains (IDNs) into their ASCII/Punycode form through the use of the toASCII function. However, toASCII can introduce or remove various characters that at best invalidate the parsed URL, and at worst cause hostname spoofing:
While changes to the legacy URL parser are discouraged in general, the security implications here outweigh the desire for strict compatibility. This is since this commit only changes behavior when non-ASCII characters appear in the hostname, an unusual situation for most use cases. Additionally, despite the availability of the WHATWG URL API, url.parse remain widely deployed in the Node.js ecosystem, as exemplified by the recent un-deprecation of the legacy API.
This change is similar in spirit to CPython 3.8's change (python/cpython@16e6f7d) fixing bpo-36216 aka CVE-2019-9636, which also occurred despite potential compatibility concerns.
See also: #23694, #31279, https://hackerone.com/reports/678487, and https://hackerone.com/reports/738333
cc @nodejs/url