-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
errors: remove input from ERR_INVALID_URL message #38614
Conversation
FWIW the input was added to the error in #11934 |
@nodejs/url |
cb10e91
to
09df9e4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with the failing test fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with a nit
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commit message should be
- errors: removed input from ERR_INVALID_URL message
+ errors: remove input from ERR_INVALID_URL message
as we use an imperative verb (https://github.com/nodejs/node/blob/master/doc/guides/contributing/pull-requests.md#commit-message-guidelines) but this can be fixed while landing.
34fc705
to
f7da77c
Compare
Avoid potentially huge messages and leaked secrets.
This comment has been minimized.
This comment has been minimized.
Landed in 417c31b |
Avoid potentially huge messages and leaked secrets. PR-URL: #38614 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com>
Avoid potentially huge messages and leaked secrets. PR-URL: #38614 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com>
The dynamic part in the message, if any, should be the reason explaining why the url is invalid and not the url it self.
Migrating from
url.parse()
tonew URL()
you may start to seeERR_INVALID_URL
errors in logs and http responses where the message contains the full input url. I decided to propose this change after discovering a secret being exposed. It will produce more compact errors but it may also help avoid user error like this to become a common attack surface during migration to whatwg.ERR_INVALID_URL
also seems to stand out from the other more compact errors found inerrors.js
so I hope this change is welcome.What do you guys think?