diff options
| author | James M Snell <jasnell@gmail.com> | 2020-07-06 22:59:12 +0300 |
|---|---|---|
| committer | James M Snell <jasnell@gmail.com> | 2020-07-09 17:21:04 +0300 |
| commit | a95fb930d0d2bcf8ba3c86f4525d1348e60a7507 (patch) | |
| tree | 82b4bef8421e4e66e3a2f80180bb851aad3f6ebd /doc/api/url.md | |
| parent | 26493c02a26270cfbdd0cf3e46a7eaf649a7874a (diff) | |
doc: document security issues with url.parse()
Fixes: https://github.com/nodejs/node/issues/31279
PR-URL: https://github.com/nodejs/node/pull/34226
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Diffstat (limited to 'doc/api/url.md')
| -rw-r--r-- | doc/api/url.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/api/url.md b/doc/api/url.md index 7d493026fd4..2bc5ded862a 100644 --- a/doc/api/url.md +++ b/doc/api/url.md @@ -1262,6 +1262,12 @@ A `TypeError` is thrown if `urlString` is not a string. A `URIError` is thrown if the `auth` property is present but cannot be decoded. +Use of the legacy `url.parse()` method is discouraged. Users should +use the WHATWG `URL` API. Because the `url.parse()` method uses a +lenient, non-standard algorithm for parsing URL strings, security +issues can be introduced. Specifically, issues with [host name spoofing][] and +incorrect handling of usernames and passwords have been identified. + ### `url.resolve(from, to)` <!-- YAML added: v0.1.25 @@ -1379,6 +1385,7 @@ console.log(myURL.origin); [WHATWG URL Standard]: https://url.spec.whatwg.org/ [WHATWG URL]: #url_the_whatwg_url_api [examples of parsed URLs]: https://url.spec.whatwg.org/#example-url-parsing +[host name spoofing]: https://hackerone.com/reports/678487 [legacy `urlObject`]: #url_legacy_urlobject [percent-encoded]: #whatwg-percent-encoding [stable sorting algorithm]: https://en.wikipedia.org/wiki/Sorting_algorithm#Stability |