-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
url library behaves unexpectedly when attempting to set a url's port to a large number #19595
Comments
I have been able to reproduce it and @nodeav has offered to try and tackle this with a PR :) |
I tagged this as a "confirmed bug" since this is not what our .docs say, a solution could be to either fix the docs or to change the URL implementation to reject incorrect numbers for ports. |
+1 on this being a bug, but one that also needs fixing in the spec:
Chromium and Firefox exhibit the same behaviour as Node. /cc @nodejs/url |
I believe the property is operating as specified and documented. The documentation says:
However I do agree the first sentence quoted can be misleading, since it’s actually meant to be “(number or string containing a number) in the range …” rather than “number or (string containing a number in the range…)”. Whether or not there is a bug in the spec, the odd parts of the URL Standard (like this one) are usually written for more reasons than just being buggy (compatibility is the most common reason). I don’t know the details on this property but @annevk might. |
@TimothyGu What led be to believe that this was a bug in the spec was that the spec does contain an explicit range check when setting |
@addaleax I’d recommend filing a bug at https://github.com/whatwg/url for further verification if you are convinced that this is indeed a spec bug. |
Most browsers had a limit of sorts and this was the most common one. The |
I'll post a PR in an hour or two, with a range check in the beginning of the port setter. Do you think it is the right solution? I feel that this is unexpected behavior, regardless of the spec. |
|
@nodeav what @annevk means in point number 1 is that we don't use "guys" for "people" in English in Node. @annevk worth noting that in @nodeav's native tongue the distinction (using guys for people) doesn't really exist since you would use a gender neutral term (אנשים or חבר׳ה rather than בחורים) which roughly translates to guys but without the gendered part. Thanks for pointing it out - I'm just giving some random context trivia. About point #2 do you think that's a reasonable change for the spec? I'm also -1 on changing Node's behavior without changing the spec - the whole point of adding WHATWG URLs to Node was to make browser interoperability easier and settle on a single specification for URLs in both platforms. |
It's not really clear to me what the proposed change is. To make port accept a Number as well as a String and throw if it's out-of-bound? That seems somewhat backwards incompatible. It's also not entirely clear to me it's worth it. It'd help to know when you'd write the kind of code in OP. |
@annevk let's say you read the port from a parsed file containing URLS or another third party source: var port = readPort(); // attacker returns 30 ** 30
// our validation: don't allow opening a connection to a lower-than 1024 port to the server.
if (typeof port !== 'number' || port < 1024) {
return false;
}
serverUrl.port = port;
download(serverUrl); // user connected to port we didn't mean them to be able to connect to |
Sorry, did not mean to offend anyone, I have no intentions to exclude any gender from the discussion (@benjamingr's anecdote is correct, I meant it as a gender-neutral term). I've since edited my comment to exclude the offending word. Regarding the issue:
The proposed change is, thus, to make sure the number is in the valid range specified in the documentation. Another possibility is to change the documentation to match the current behaviour. However, In my opinion at least, something is clearly slightly broken here. |
@benjamingr that's fairly compelling. I'd support trying to change it given the security angle. |
Opened issue in whatwg repo whatwg/url#377 |
@benjamingr Great. Does that mean I shouldn't open a PR, and await their fix instead? |
@nodeav well, ideally you'd take a stab at making a PR to the spec although I get that this might be more intimidating. Alternatively you can wait for the spec to change and then PR into Node. |
I'll look into that, thanks. The docs are still wrong currently; Should I open a PR to fix the docs instead? |
@nodeav yes please! :) |
numbers which are coerced to scientific notation via .toString(), will behave unexpectedly when assigned to a url's port. Fixes: nodejs#19595
I'm still working on the doc change, a snippet from the whatwg spec: Correct me if I'm wrong, but it seems to me that the root of this bug is the inconsistency when converting a number to a string in node (actually, the ECMA standard), not passing numbers in scientific notation to whatwg. |
@trivikr I just wanted to make sure the argument I have presented has been considered prior to closing this issue, and that the final decision has been made in regards to changing the code. Thanks. |
@nodeav This issue was closed automatically by commit message. Reopening |
numbers which are coerced to scientific notation via .toString(), will behave unexpectedly when assigned to a url's port. Fixes: #19595 PR-URL: #19645 Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Should I create a unit test for this case, Or is it covered by whatwg somehow? |
Well, the next step would be to follow up with whatwg |
@benjamingr Not sure how I can help with the whatwg thing, and I also happen to still feel this is a Node-specific bug. |
@nodeav Again, it's not a Node.js bug when it acts according to the WHATWG and W3C specifications, and also browsers. You could try filing an issue against whatwg/url. |
As @TimothyGu said - this is required if we want to keep compatibility with browsers - I think we should give the standards way a chance and to proceed in that route. |
But the whatwg standard doesn't say anything about accepting numbers as an input, only strings. Nodejs chooses to accept numbers as an input, and does the conversion to a String according to the ECMA specification - however, this conversion conflicts with whatwg's allowed input, which doesn't accept numbers in scientific notation represented in a string, nor numbers (integers) at all, only strings representing decimal numbers in a straightforward manner. Node does not provide this. A Python implementation would not encounter this problem. Am I missing something? from the spec: > A URL-port string must be zero or more ASCII digits. And the full 'algorithm':
|
@nodeav yeah, you're missing how IDL works. It specifies the |
@annevk Thanks, I'll go bug the whatwg people instead then! |
@nodeav I think you meant to ping Anne and not Anna :) FWIW Anne is "whatwg people" - we can pursue the issue in whatwg/url#377 |
@benjamingr haha, indeed. Let's continue there. Thanks for the patience, everyone |
const {URL} = require('url');
let url = new URL('http://127.0.0.1');
url.port // -> ''
url.port = 2.12323232e88;
url.port // -> '2'
The text was updated successfully, but these errors were encountered: