doc: correct unsafe URL example in http docs #52536
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -488,7 +488,7 @@ const proxy = createServer((req, res) => { | |
| }); | ||
| proxy.on('connect', (req, clientSocket, head) => { | ||
| // Connect to an origin server | ||
| const { port, hostname } = new URL(`http://${req.headers.host}${req.url}`); | ||
| const serverSocket = connect(port || 80, hostname, () => { | ||
| clientSocket.write('HTTP/1.1 200 Connection Established\r\n' + | ||
| 'Proxy-agent: Node.js-Proxy\r\n' + | ||
|
|
@@ -543,7 +543,7 @@ const proxy = http.createServer((req, res) => { | |
| }); | ||
| proxy.on('connect', (req, clientSocket, head) => { | ||
| // Connect to an origin server | ||
| const { port, hostname } = new URL(`http://${req.headers.host}${req.url}`); | ||
|
thisalihassan marked this conversation as resolved.
Outdated
|
||
| const serverSocket = net.connect(port || 80, hostname, () => { | ||
| clientSocket.write('HTTP/1.1 200 Connection Established\r\n' + | ||
| 'Proxy-agent: Node.js-Proxy\r\n' + | ||
|
|
@@ -2886,15 +2886,15 @@ Accept: text/plain | |
| To parse the URL into its parts: | ||
|
|
||
| ```js | ||
| new URL(`http://${req.headers.host}${req.url}`); | ||
|
Member
There was a problem hiding this comment. This is not safer than the original, see #52494 (comment)
Member
There was a problem hiding this comment. @lpinca is correct. Relying on user headers for any part of the url parsing can lead to the malicious injection of a URL. I believe the smartest idea would be to just include a note in the documentation that this setup is only an example and shouldn't be used in production for security reasons
Contributor
There was a problem hiding this comment. Sorry, I reviewed without thoroughly analysis. I second @redyetidev idea.
Contributor
There was a problem hiding this comment. Nice to see a PR improving the docs. Maybe the best idea to fix the problem with the new URL(`http://localhost${request.url}`)
new URL(`http://${process.env.HOST ?? 'localhost'}${request.url}`)
I actually read the nodeJS docs as a best practice 🙈 If it is not documented here who should come up with the best possible approach?
Member
There was a problem hiding this comment. If we were to go with your approach, we wouldn't need a note because it wouldn't present a security issue anymore :-). If the team agrees with your suggestion, you should open a PR for it. With all the work you put into finding and fixing this issue, you should be the one to request it! WDYT @lpinca and @ShogunPanda?
Contributor
There was a problem hiding this comment.
Sure can do. Waiting for an agree- or disagreement 🙈
Team afford. Kudos to @astlouisf and @samhh There was a problem hiding this comment. @redyetidev I agree, I can close this one and @mlegenhausen can open a seperate PR to fix this issue |
||
| ``` | ||
|
|
||
| When `request.url` is `'/status?name=ryan'` and `request.headers.host` is | ||
| `'localhost:3000'`: | ||
|
|
||
| ```console | ||
| $ node | ||
| > new URL(`http://${req.headers.host}${req.url}`) | ||
| URL { | ||
| href: 'http://localhost:3000/status?name=ryan', | ||
| origin: 'http://localhost:3000', | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.