url: trim leading and trailing C0 control chars

Trott · bengl · commit b89f4d5c1706 · 2022-03-20T17:27:04.000-04:00
Emulate the WHATWHG URL parse behavior of trimming leading and trailing C0 control characters. This moves url.parse() slightly closer to WHATWHG URL behavior. The current behavior is possibly insecure for some uses. (The url.parse() API is marked as Legacy and the documentation specifically says it has known bugs and insecure behaviors. Still this change makes a lot of sense.) This issue was reported by P0cas. https://github.com/P0cas PR-URL: #42196 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Mestery <mestery@protonmail.com> Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
diff --git a/lib/url.js b/lib/url.js
@@ -117,7 +117,6 @@ const {
   CHAR_TAB,
   CHAR_CARRIAGE_RETURN,
   CHAR_LINE_FEED,
-  CHAR_FORM_FEED,
   CHAR_NO_BREAK_SPACE,
   CHAR_ZERO_WIDTH_NOBREAK_SPACE,
   CHAR_HASH,
@@ -196,11 +195,7 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
     const code = url.charCodeAt(i);
 
     // Find first and last non-whitespace characters for trimming
-    const isWs = code === CHAR_SPACE ||
-                 code === CHAR_TAB ||
-                 code === CHAR_CARRIAGE_RETURN ||
-                 code === CHAR_LINE_FEED ||
-                 code === CHAR_FORM_FEED ||
+    const isWs = code < 33 ||
                  code === CHAR_NO_BREAK_SPACE ||
                  code === CHAR_ZERO_WIDTH_NOBREAK_SPACE;
     if (start === -1) {
diff --git a/test/parallel/test-url-parse-format.js b/test/parallel/test-url-parse-format.js
@@ -977,6 +977,21 @@ const parseTests = {
     path: '/everybody',
     href: '//fhqwhgads@example.com/everybody#to-the-limit'
   },
+
+  '\bhttp://example.com/\b': {
+    protocol: 'http:',
+    slashes: true,
+    auth: null,
+    host: 'example.com',
+    port: null,
+    hostname: 'example.com',
+    hash: null,
+    search: null,
+    query: null,
+    pathname: '/',
+    path: '/',
+    href: 'http://example.com/'
+  }
 };
 
 for (const u in parseTests) {
