esm: improve validation of resolved URLs #41446

Merged

JakobJingleheimer
Member

Some ESM internals use type coercion on URL instances to get the href of the URL (e.g. `${url}`). This can result in 'undefined', which bypasses the current simple "is a string" validation. When that is bypassed, the resulting thrown error is a red herring, pointing to completely unrelated code.

Rather than merely switching those internals to use less errant alternatives, I think it's better to improve validation.

cc @nodejs/loaders @nodejs/modules

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/modules

@nodejs-github-bot nodejs-github-bot added esm Issues and PRs related to the ECMAScript Modules implementation. needs-ci PRs that need a full CI run. labels Jan 8, 2022
@JakobJingleheimer
Member Author

JakobJingleheimer commented Jan 8, 2022

Windows test failures are due to a failed dependency install (unrelated to the change in this PR):

Error retrieving packages from source 'https://community.chocolatey.org/api/v2/':
 Could not connect to the feed specified at 'https://community.chocolatey.org/api/v2/'. Please verify that the package source (located in the Package Manager Settings) is valid and ensure your network connectivity.
nasm not installed. The package was not found with the source(s) listed.
 Source(s): 'https://community.chocolatey.org/api/v2/'
 NOTE: When you specify explicit sources, it overrides default sources.
If the package version is a prerelease and you didn't specify `--pre`,
 the package may not be found.
Please see https://docs.chocolatey.org/en-us/troubleshooting for more
 assistance.

Chocolatey installed 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Failures
 - nasm - nasm not installed. The package was not found with the source(s)

@JakobJingleheimer JakobJingleheimer force-pushed the fix/esm-undefined-url-bypass branch from 44fcfd3 to ed970eb Compare January 8, 2022 20:24
@bmeck
Member

bmeck commented Jan 10, 2022

So this has an effect of allowing sending any kind of object that can coerce to a string as the return value. I would prefer we didn't do this since it would make future changes to the API hard since virtually everything converts to a string.

@JakobJingleheimer
Member Author

How would adding `new URL(url)` allow returning any object? It will explode for anything that is not a URL string or stringifiable to a URL string. We might need to worry about something like an anchor element, in which case I could check both `typeof url !== 'string'` and `new URL(url)`.

@bmeck
Member

bmeck commented Jan 10, 2022

@JakobJingleheimer I'd agree it must turn into a URL compatible string, but anything could be that. For example a Buffer can do that. And I don't want a Buffer/SharedArrayBuffer to be able to do that.

@JakobJingleheimer
Member Author

Would my proposal to restore the `if (typeof url === 'string')` check in addition to the new `new URL(url)` suffice?

@bmeck
Member

bmeck commented Jan 10, 2022

Sure, checking both seems fine. I'm trying to think of cases where people would even want to return a non-URL?? Can't think of any off the top of my head, so it seems fine.

@JakobJingleheimer
Member Author

They're currently required to return a url, no?

@bmeck
Member

bmeck commented Jan 10, 2022

@JakobJingleheimer yes, it currently is supposed to check for a stringified URL as a return
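
The two checks discussed in this thread, run side by side over the inputs the participants mention. This is an added example, not code from this PR or from Node.js; the function names and sample values are constructed for illustration.

```javascript
// Added illustration, not Node's internal code; all names here are hypothetical.

// The original validation: only asks "is it a string?".
function passesStringCheck(url) {
  return typeof url === 'string';
}

// `new URL()` alone: it coerces its argument to a string before parsing,
// so any object whose string form is a URL gets through.
function passesUrlParse(url) {
  try {
    new URL(url);
    return true;
  } catch {
    return false;
  }
}

// Both checks together, the combination agreed on in the thread.
function validateResolvedUrl(url) {
  if (!passesStringCheck(url)) {
    throw new TypeError(`resolved url must be a string, received ${typeof url}`);
  }
  if (!passesUrlParse(url)) {
    throw new TypeError(`resolved url is not a valid URL: '${url}'`);
  }
  return url;
}

// Constructed sample inputs.
const missing = {}; // stands in for a result that carries no url
const samples = {
  coercedUndefined: `${missing.url}`, // the string 'undefined'
  buffer: Buffer.from('file:///app/main.mjs'),
  validString: 'file:///app/main.mjs',
};

function report() {
  const out = {};
  for (const [name, value] of Object.entries(samples)) {
    let both = true;
    try { validateResolvedUrl(value); } catch { both = false; }
    out[name] = { string: passesStringCheck(value), parse: passesUrlParse(value), both };
  }
  return out;
}

console.table(report());
```

Only `validString` passes both checks: the coerced `'undefined'` passes the string check but fails parsing, and the Buffer parses but is not a string.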

@JakobJingleheimer
Member Author

@guybedford any thoughts, concerns, or objections?

Contributor

@guybedford guybedford left a comment

Seems good to me, down to performance questions.

lib/internal/modules/esm/loader.js
@GeoffreyBooth GeoffreyBooth added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. commit-queue Add this label to land a pull request using GitHub Actions. and removed needs-ci PRs that need a full CI run. labels Jan 18, 2022
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jan 19, 2022
@nodejs-github-bot nodejs-github-bot merged commit dbc6e39 into nodejs:master Jan 19, 2022
@nodejs-github-bot
Collaborator

Landed in dbc6e39

@GeoffreyBooth GeoffreyBooth removed commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. author ready PRs that have at least one approval, no pending requests for changes, and a CI started. labels Jan 19, 2022
@GeoffreyBooth GeoffreyBooth deleted the fix/esm-undefined-url-bypass branch January 19, 2022 05:47
BethGriggs pushed a commit that referenced this pull request Jan 25, 2022
PR-URL: #41446
Reviewed-By: Bradley Farias <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Guy Bedford <[email protected]>
Linkgoron pushed a commit to Linkgoron/node that referenced this pull request Jan 31, 2022
danielleadams pushed a commit that referenced this pull request Feb 26, 2022
danielleadams pushed a commit that referenced this pull request Mar 14, 2022