Skip to content

Commit

Permalink
url: add pending-deprecation to url.parse()
Browse files Browse the repository at this point in the history
PR-URL: #47203
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
  • Loading branch information
anonrig authored and RafaelGSS committed Apr 7, 2023
1 parent 3e7f8e8 commit 461ef04
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 1 deletion.
5 changes: 4 additions & 1 deletion doc/api/deprecations.md
Original file line number Diff line number Diff line change
Expand Up @@ -3280,13 +3280,16 @@ Node-API callbacks.

<!-- YAML
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/47203
description: Added support for `--pending-deprecation`.
- version:
- v19.0.0
pr-url: https://github.com/nodejs/node/pull/44919
description: Documentation-only deprecation.
-->

Type: Documentation-only
Type: Documentation-only (supports [`--pending-deprecation`][])

[`url.parse()`][] behavior is not standardized and prone to errors that
have security implications. Use the [WHATWG URL API][] instead. CVEs are not
Expand Down
15 changes: 15 additions & 0 deletions lib/url.js
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,8 @@ const {
formatUrl,
} = internalBinding('url');

const { getOptionValue } = require('internal/options');

// Original url.parse() API

function Url() {
Expand Down Expand Up @@ -146,7 +148,20 @@ const {
CHAR_COLON,
} = require('internal/constants');

let urlParseWarned = false;

function urlParse(url, parseQueryString, slashesDenoteHost) {
if (!urlParseWarned && getOptionValue('--pending-deprecation')) {
urlParseWarned = true;
process.emitWarning(
'`url.parse()` behavior is not standardized and prone to ' +
'errors that have security implications. Use the WHATWG URL API ' +
'instead. CVEs are not issued for `url.parse()` vulnerabilities.',
'DeprecationWarning',
'DEP0169',
);
}

if (url instanceof Url) return url;

const urlObject = new Url();
Expand Down

0 comments on commit 461ef04

Please sign in to comment.