url: avoid hostname spoofing w/ javascript protocol

mcollina · rvagg · commit d7504324e1df · 2018-11-27T15:30:17.000+11:00
CVE-2018-12123 Fixes: nodejs-private/security#205 PR-URL: nodejs-private/node-private#145 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
diff --git a/lib/url.js b/lib/url.js
@@ -267,13 +267,13 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
   if (slashesDenoteHost || proto || hostPattern.test(rest)) {
     var slashes = rest.charCodeAt(0) === CHAR_FORWARD_SLASH &&
                   rest.charCodeAt(1) === CHAR_FORWARD_SLASH;
-    if (slashes && !(proto && hostlessProtocol[proto])) {
+    if (slashes && !(proto && hostlessProtocol[lowerProto])) {
       rest = rest.slice(2);
       this.slashes = true;
     }
   }
 
-  if (!hostlessProtocol[proto] &&
+  if (!hostlessProtocol[lowerProto] &&
       (slashes || (proto && !slashedProtocol[proto]))) {
 
     // there's a hostname.
diff --git a/test/parallel/test-url-parse-format.js b/test/parallel/test-url-parse-format.js
@@ -890,6 +890,39 @@ const parseTests = {
     pathname: '/*',
     path: '/*',
     href: 'https:///*'
+  },
+
+  // The following two URLs are the same, but they differ for
+  // a capital A: it is important that we verify that the protocol
+  // is checked in a case-insensitive manner.
+  'javascript:alert(1);a=\x27@white-listed.com\x27': {
+    protocol: 'javascript:',
+    slashes: null,
+    auth: null,
+    host: null,
+    port: null,
+    hostname: null,
+    hash: null,
+    search: null,
+    query: null,
+    pathname: "alert(1);a='@white-listed.com'",
+    path: "alert(1);a='@white-listed.com'",
+    href: "javascript:alert(1);a='@white-listed.com'"
+  },
+
+  'javAscript:alert(1);a=\x27@white-listed.com\x27': {
+    protocol: 'javascript:',
+    slashes: null,
+    auth: null,
+    host: null,
+    port: null,
+    hostname: null,
+    hash: null,
+    search: null,
+    query: null,
+    pathname: "alert(1);a='@white-listed.com'",
+    path: "alert(1);a='@white-listed.com'",
+    href: "javascript:alert(1);a='@white-listed.com'"
   }
 };
 
@@ -921,3 +954,25 @@ for (const u in parseTests) {
   assert.strictEqual(actual, expected,
                      `format(${u}) == ${u}\nactual:${actual}`);
 }
+
+{
+  const parsed = url.parse('http://nodejs.org/')
+    .resolveObject('jAvascript:alert(1);a=\x27@white-listed.com\x27');
+
+  const expected = Object.assign(new url.Url(), {
+    protocol: 'javascript:',
+    slashes: null,
+    auth: null,
+    host: null,
+    port: null,
+    hostname: null,
+    hash: null,
+    search: null,
+    query: null,
+    pathname: "alert(1);a='@white-listed.com'",
+    path: "alert(1);a='@white-listed.com'",
+    href: "javascript:alert(1);a='@white-listed.com'"
+  });
+
+  assert.deepStrictEqual(parsed, expected);
+}

Original file line number	Diff line number	Diff line change
`@@ -267,13 +267,13 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {`
`267`	`267`	`if (slashesDenoteHost \|\| proto \|\| hostPattern.test(rest)) {`
`268`	`268`	`var slashes = rest.charCodeAt(0) === CHAR_FORWARD_SLASH &&`
`269`	`269`	`rest.charCodeAt(1) === CHAR_FORWARD_SLASH;`
`270`		`- if (slashes && !(proto && hostlessProtocol[proto])) {`
	`270`	`+ if (slashes && !(proto && hostlessProtocol[lowerProto])) {`
`271`	`271`	`rest = rest.slice(2);`
`272`	`272`	`this.slashes = true;`
`273`	`273`	`}`
`274`	`274`	`}`
`275`	`275`
`276`		`- if (!hostlessProtocol[proto] &&`
	`276`	`+ if (!hostlessProtocol[lowerProto] &&`
`277`	`277`	`(slashes \|\| (proto && !slashedProtocol[proto]))) {`
`278`	`278`
`279`	`279`	`// there's a hostname.`