Skip to content

Commit

Permalink
doc: correct unsafe URL example in http docs
Browse files Browse the repository at this point in the history
Co-authored-by: @astlouisf
Co-authored-by: @samhh

The previous documentation example for converting `request.url` to an `URL` object was unsafe, as it could allow a server crash through malformed URL inputs and potentially enable host header attacks.

This commit revises the example to use string concatenation over the usage of the `baseUrl` and removes the usage of the `req.headers.host` as the authority part of the url, mitigating both the crash and security risks by ensuring the host part of the URL remains controlled and predictable.

Fixes nodejs#52494
  • Loading branch information
mlegenhausen committed Apr 16, 2024
1 parent 9ef03f1 commit 430c3dd
Showing 1 changed file with 7 additions and 8 deletions.
15 changes: 7 additions & 8 deletions doc/api/http.md
Original file line number Diff line number Diff line change
Expand Up @@ -2886,24 +2886,23 @@ Accept: text/plain
To parse the URL into its parts:

```js
new URL(request.url, `http://${request.headers.host}`);
new URL(`http://${process.env.HOST ?? 'localhost'}${request.url}`);
```
When `request.url` is `'/status?name=ryan'` and `request.headers.host` is
`'localhost:3000'`:
When `request.url` is `'/status?name=ryan'` and `process.env.HOST` is undefined:
```console
$ node
> new URL(request.url, `http://${request.headers.host}`)
> new URL(`http://${process.env.HOST ?? 'localhost'}${request.url}`);
URL {
href: 'http://localhost:3000/status?name=ryan',
origin: 'http://localhost:3000',
href: 'http://localhost/status?name=ryan',
origin: 'http://localhost',
protocol: 'http:',
username: '',
password: '',
host: 'localhost:3000',
host: 'localhost',
hostname: 'localhost',
port: '3000',
port: '',
pathname: '/status',
search: '?name=ryan',
searchParams: URLSearchParams { 'name' => 'ryan' },
Expand Down

0 comments on commit 430c3dd

Please sign in to comment.