Merge commit from fork

* fix: reject malformed authority and port normalization

* test: add regression tests for encoded authority delimiters in host

Covers %40, %3A, %2F, %23, %3F in host across normalize, parse,
equal, resolve, and serialize. Includes cross-scheme and layered
encoding vectors.

* fix: re-escape gen-delims in host after unescape to prevent authority change

unescape() decodes all percent-encoded characters including reserved
authority delimiters (%40->@, %3A->:, %2F->/, %3F->?, %23->#).
Per RFC 3986 these must stay encoded in the host component.

Adds reescapeHostDelimiters() and applies it at the three call sites
where unescape() is used on the host: parse(), normalizeComponentEncoding(),
and recomposeAuthority().

* refactor: track malformed authority status during parse

* refactor: centralize malformed input handling

---------

Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>

Author: mcollina

README.md

@@ -12,6 +12,8 @@ Dependency-free RFC 3986 URI toolbox.
 
 All of the above functions can accept an additional options argument that is an object that can contain one or more of the following properties:
 
+Malformed authorities and out-of-range ports are reported through the parsed component's `error` field. `normalize()` leaves malformed string inputs unchanged, and `equal()` returns `false` when either string input is malformed.
+
 *	`scheme` (string)
 	Indicates the scheme that the URI should be treated as, overriding the URI's normal scheme parsing behavior.
 

index.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizePercentEncoding, normalizePathEncoding, escapePreservingEscapes, isIPv4, nonSimpleDomain } = require('./lib/utils')
+const { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizePercentEncoding, normalizePathEncoding, escapePreservingEscapes, reescapeHostDelimiters, isIPv4, nonSimpleDomain } = require('./lib/utils')
 const { SCHEMES, getSchemeHandler } = require('./lib/schemes')
 
 /**
@@ -11,7 +11,7 @@ const { SCHEMES, getSchemeHandler } = require('./lib/schemes')
  */
 function normalize (uri, options) {
   if (typeof uri === 'string') {
-    uri = /** @type {T} */ (serialize(parse(uri, options), options))
+    uri = /** @type {T} */ (normalizeString(uri, options))
   } else if (typeof uri === 'object') {
     uri = /** @type {T} */ (parse(serialize(uri, options), options))
   }
@@ -106,19 +106,10 @@ function resolveComponent (base, relative, options, skipNormalization) {
  * @returns {boolean}
  */
 function equal (uriA, uriB, options) {
-  if (typeof uriA === 'string') {
-    uriA = serialize(parse(uriA, options), options)
-  } else if (typeof uriA === 'object') {
-    uriA = serialize(uriA, options)
-  }
-
-  if (typeof uriB === 'string') {
-    uriB = serialize(parse(uriB, options), options)
-  } else if (typeof uriB === 'object') {
-    uriB = serialize(uriB, options)
-  }
+  const normalizedA = normalizeComparableURI(uriA, options)
+  const normalizedB = normalizeComparableURI(uriB, options)
 
-  return uriA.toLowerCase() === uriB.toLowerCase()
+  return normalizedA !== undefined && normalizedB !== undefined && normalizedA.toLowerCase() === normalizedB.toLowerCase()
 }
 
 /**
@@ -211,12 +202,29 @@ function serialize (cmpts, opts) {
 
 const URI_PARSE = /^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u
 
+/**
+ * @param {import('./types/index').URIComponent} parsed
+ * @param {RegExpMatchArray} matches
+ * @returns {string|undefined}
+ */
+function getParseError (parsed, matches) {
+  if (matches[2] !== undefined && parsed.path && parsed.path[0] !== '/') {
+    return 'URI path must start with "/" when authority is present.'
+  }
+
+  if (typeof parsed.port === 'number' && (parsed.port < 0 || parsed.port > 65535)) {
+    return 'URI port is malformed.'
+  }
+
+  return undefined
+}
+
 /**
  * @param {string} uri
  * @param {import('./types/index').Options} [opts]
- * @returns
+ * @returns {{ parsed: import('./types/index').URIComponent, malformedAuthorityOrPort: boolean }}
  */
-function parse (uri, opts) {
+function parseWithStatus (uri, opts) {
   const options = Object.assign({}, opts)
   /** @type {import('./types/index').URIComponent} */
   const parsed = {
@@ -229,6 +237,8 @@ function parse (uri, opts) {
     fragment: undefined
   }
 
+  let malformedAuthorityOrPort = false
+
   let isIP = false
   if (options.reference === 'suffix') {
     if (options.scheme) {
@@ -254,6 +264,13 @@ function parse (uri, opts) {
     if (isNaN(parsed.port)) {
       parsed.port = matches[5]
     }
+
+    const parseError = getParseError(parsed, matches)
+    if (parseError !== undefined) {
+      parsed.error = parsed.error || parseError
+      malformedAuthorityOrPort = true
+    }
+
     if (parsed.host) {
       const ipv4result = isIPv4(parsed.host)
       if (ipv4result === false) {
@@ -302,7 +319,7 @@ function parse (uri, opts) {
           parsed.scheme = unescape(parsed.scheme)
         }
         if (parsed.host !== undefined) {
-          parsed.host = unescape(parsed.host)
+          parsed.host = reescapeHostDelimiters(unescape(parsed.host), isIP)
         }
       }
       if (parsed.path) {
@@ -324,9 +341,57 @@ function parse (uri, opts) {
   } else {
     parsed.error = parsed.error || 'URI can not be parsed.'
   }
-  return parsed
+  return { parsed, malformedAuthorityOrPort }
+}
+
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns
+ */
+function parse (uri, opts) {
+  return parseWithStatus(uri, opts).parsed
 }
 
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {string}
+ */
+function normalizeString (uri, opts) {
+  return normalizeStringWithStatus(uri, opts).normalized
+}
+
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {{ normalized: string, malformedAuthorityOrPort: boolean }}
+ */
+function normalizeStringWithStatus (uri, opts) {
+  const { parsed, malformedAuthorityOrPort } = parseWithStatus(uri, opts)
+  return {
+    normalized: malformedAuthorityOrPort ? uri : serialize(parsed, opts),
+    malformedAuthorityOrPort
+  }
+}
+
+/**
+ * @param {import ('./types/index').URIComponent|string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {string|undefined}
+ */
+function normalizeComparableURI (uri, opts) {
+  if (typeof uri === 'string') {
+    const { normalized, malformedAuthorityOrPort } = normalizeStringWithStatus(uri, opts)
+    return malformedAuthorityOrPort ? undefined : normalized
+  }
+
+  if (typeof uri === 'object') {
+    return serialize(uri, opts)
+  }
+}
+
+
 const fastUri = {
   SCHEMES,
   normalize,

lib/utils.js

@@ -272,6 +272,26 @@ function removeDotSegments (path) {
   return output.join('')
 }
 
+/**
+ * Re-escape RFC 3986 gen-delims that must not appear literally in the host.
+ * After the URI regex parses, these characters cannot be literal in the host
+ * field, so any that appear after decoding came from percent-encoding and
+ * must be restored to prevent authority structure changes.
+ *
+ * @param {string} host
+ * @param {boolean} isIP - true for IPv4/IPv6 hosts (skip colon re-escaping)
+ * @returns {string}
+ */
+const HOST_DELIMS = { '@': '%40', '/': '%2F', '?': '%3F', '#': '%23', ':': '%3A' }
+const HOST_DELIM_RE = /[@/?#:]/g
+const HOST_DELIM_NO_COLON_RE = /[@/?#]/g
+
+function reescapeHostDelimiters (host, isIP) {
+  const re = isIP ? HOST_DELIM_NO_COLON_RE : HOST_DELIM_RE
+  re.lastIndex = 0
+  return host.replace(re, (ch) => HOST_DELIMS[ch])
+}
+
 /**
  * Normalizes percent escapes and optionally decodes only unreserved ASCII bytes.
  * Reserved delimiters such as `%2F` and `%2E` stay escaped.
@@ -394,7 +414,7 @@ function recomposeAuthority (component) {
       if (ipV6res.isIPV6 === true) {
         host = `[${ipV6res.escapedHost}]`
       } else {
-        host = component.host
+        host = reescapeHostDelimiters(host, false)
       }
     }
     uriTokens.push(host)
@@ -411,6 +431,7 @@ function recomposeAuthority (component) {
 module.exports = {
   nonSimpleDomain,
   recomposeAuthority,
+  reescapeHostDelimiters,
   normalizePercentEncoding,
   normalizePathEncoding,
   escapePreservingEscapes,

test/security.test.js

@@ -0,0 +1,133 @@
+'use strict'
+
+const test = require('tape')
+const fastURI = require('..')
+
+test('parse marks malformed authority and port inputs as errors', (t) => {
+  const malformedCases = [
+    {
+      input: 'http://[::1]foo',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://[::1]:80abc/path',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://example.com:80abc/path',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://[::1]:65536',
+      expectedError: 'URI port is malformed.'
+    }
+  ]
+
+  t.plan(malformedCases.length)
+
+  malformedCases.forEach(({ input, expectedError }) => {
+    t.equal(fastURI.parse(input).error, expectedError, input)
+  })
+})
+
+test('normalize does not canonicalize malformed URLs into different valid URLs', (t) => {
+  const malformedCases = [
+    'http://[::1]foo',
+    'http://[::1]:80abc/path',
+    'http://example.com:80abc/path',
+    'http://[::1]:65536'
+  ]
+
+  t.plan(malformedCases.length)
+
+  malformedCases.forEach((input) => {
+    t.equal(fastURI.normalize(input), input, input)
+  })
+})
+
+test('equal returns false when either side is malformed', (t) => {
+  const malformedPairs = [
+    ['http://[::1]foo', 'http://[::1]/foo'],
+    ['http://[::1]:80abc/path', 'http://[::1]/abc/path'],
+    ['http://example.com:80abc/path', 'http://example.com/abc/path'],
+    ['http://[::1]:65536', 'http://[::1]:65536/']
+  ]
+
+  t.plan(malformedPairs.length)
+
+  malformedPairs.forEach(([left, right]) => {
+    t.equal(fastURI.equal(left, right), false, `${left} != ${right}`)
+  })
+})
+
+test('normalize preserves encoded authority delimiters in host', (t) => {
+  const cases = [
+    ['http://trusted.com%40evil.com/', 'http://trusted.com%40evil.com/'],
+    ['http://example.com%3A8080/', 'http://example.com%3A8080/'],
+    ['http://example.com%2Fevil.com/path', 'http://example.com%2Fevil.com/path'],
+    ['http://example.com%23fragment/path', 'http://example.com%23fragment/path'],
+    ['http://example.com%3Fq=evil/path', 'http://example.com%3Fq=evil/path'],
+    ['http://user%3Apass%40evil.com/', 'http://user%3Apass%40evil.com/'],
+    ['http://user@trusted.com%40evil.com/', 'http://user@trusted.com%40evil.com/'],
+    ['https://trusted.com%40evil.com/', 'https://trusted.com%40evil.com/'],
+    ['ws://trusted.com%40evil.com/chat', 'ws://trusted.com%40evil.com/chat'],
+    ['wss://trusted.com%40evil.com/chat', 'wss://trusted.com%40evil.com/chat']
+  ]
+
+  t.plan(cases.length)
+
+  cases.forEach(([input, expected]) => {
+    t.equal(fastURI.normalize(input), expected, input)
+  })
+})
+
+test('parse preserves encoded authority delimiters in host', (t) => {
+  const cases = [
+    ['http://trusted.com%40evil.com/', 'trusted.com%40evil.com'],
+    ['http://example.com%3A8080/', 'example.com%3A8080'],
+    ['http://user%3Apass%40evil.com/', 'user%3Apass%40evil.com']
+  ]
+
+  t.plan(cases.length)
+
+  cases.forEach(([input, expectedHost]) => {
+    t.equal(fastURI.parse(input).host, expectedHost, input)
+  })
+})
+
+test('equal returns false when encoded delimiters differ from live delimiters', (t) => {
+  const pairs = [
+    ['http://trusted.com%40evil.com/', 'http://trusted.com@evil.com/'],
+    ['http://example.com%3A8080/', 'http://example.com:8080/']
+  ]
+
+  t.plan(pairs.length)
+
+  pairs.forEach(([left, right]) => {
+    t.equal(fastURI.equal(left, right, {}), false, `${left} != ${right}`)
+  })
+})
+
+test('resolve preserves encoded authority delimiters', (t) => {
+  const result = fastURI.resolve('http://base.com/', '//trusted.com%40evil.com/path')
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'evil.com', '//trusted.com%40evil.com/path')
+})
+
+test('serialize escapes authority delimiters in host field', (t) => {
+  const result = fastURI.serialize({ scheme: 'http', host: 'trusted.com@evil.com', path: '/' })
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'evil.com', 'host: trusted.com@evil.com')
+})
+
+test('normalize does not double-decode %2540 into a live @', (t) => {
+  const result = fastURI.normalize('http://trusted.com%2540evil.com/')
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'trusted.com@evil.com', 'http://trusted.com%2540evil.com/')
+})