Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

errors: remove input from ERR_INVALID_URL message #38614

Closed
wants to merge 1 commit into from
Closed

errors: remove input from ERR_INVALID_URL message #38614

wants to merge 1 commit into from

Conversation

moander
Copy link
Contributor

@moander moander commented May 9, 2021

The dynamic part in the message, if any, should be the reason explaining why the url is invalid and not the url it self.

Migrating from url.parse() to new URL() you may start to see ERR_INVALID_URL errors in logs and http responses where the message contains the full input url. I decided to propose this change after discovering a secret being exposed. It will produce more compact errors but it may also help avoid user error like this to become a common attack surface during migration to whatwg.

ERR_INVALID_URL also seems to stand out from the other more compact errors found in errors.js so I hope this change is welcome.

What do you guys think?

@github-actions github-actions bot added errors Issues and PRs related to JavaScript errors originated in Node.js core. needs-ci PRs that need a full CI run. labels May 9, 2021
@targos
Copy link
Member

targos commented May 10, 2021

FWIW the input was added to the error in #11934

@targos
Copy link
Member

targos commented May 10, 2021

@nodejs/url

@moander moander force-pushed the patch-2 branch 3 times, most recently from cb10e91 to 09df9e4 Compare May 11, 2021 06:47
lpinca
lpinca approved these changes May 11, 2021
View reviewed changes
Copy link
Member

@lpinca lpinca left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with the failing test fixed.

joyeecheung
joyeecheung approved these changes May 12, 2021
View reviewed changes
Copy link
Member

@joyeecheung joyeecheung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a nit

lib/internal/errors.js Outdated Show resolved Hide resolved
RaisinTen
RaisinTen approved these changes May 12, 2021
View reviewed changes
Copy link
Contributor

@RaisinTen RaisinTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The commit message should be

- errors: removed input from ERR_INVALID_URL message
+ errors: remove input from ERR_INVALID_URL message

as we use an imperative verb (https://github.com/nodejs/node/blob/master/doc/guides/contributing/pull-requests.md#commit-message-guidelines) but this can be fixed while landing.

@moander moander force-pushed the patch-2 branch 2 times, most recently from 34fc705 to f7da77c Compare May 12, 2021 18:04
@moander
errors: remove input from ERR_INVALID_URL message
19b2cb6 
Avoid potentially huge messages and leaked secrets.
@RaisinTen RaisinTen changed the title errors: removed input from ERR_INVALID_URL message errors: remove input from ERR_INVALID_URL message May 13, 2021
@nodejs-github-bot

This comment has been minimized.

Sign in to view
@RaisinTen RaisinTen added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label May 13, 2021
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented May 14, 2021
edited by jasnell
Loading

CI: https://ci.nodejs.org/job/node-test-pull-request/38097/ 💚

@jasnell
Copy link
Member

jasnell commented May 17, 2021

Landed in 417c31b

@jasnell jasnell closed this May 17, 2021
jasnell pushed a commit that referenced this pull request May 17, 2021
@moander @jasnell
errors: remove input from ERR_INVALID_URL message
417c31b 
Avoid potentially huge messages and leaked secrets.

PR-URL: #38614
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
targos pushed a commit that referenced this pull request May 18, 2021
@moander @targos
errors: remove input from ERR_INVALID_URL message
347b9f2 
Avoid potentially huge messages and leaked secrets.

PR-URL: #38614
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
@targos targos mentioned this pull request May 18, 2021
Merged
@nlf nlf mentioned this pull request Jun 4, 2021
Merged
@DanCurryy DanCurryy mentioned this pull request Aug 12, 2022
Closed
2 tasks
@github-actions github-actions bot mentioned this pull request Apr 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RaisinTen RaisinTen RaisinTen approved these changes

@joyeecheung joyeecheung joyeecheung approved these changes

@TimothyGu TimothyGu TimothyGu approved these changes

@lpinca lpinca lpinca approved these changes

@Trott Trott Trott approved these changes

@jasnell jasnell jasnell approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. errors Issues and PRs related to JavaScript errors originated in Node.js core. needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@moander @targos @nodejs-github-bot @jasnell @Trott @lpinca @TimothyGu @joyeecheung @RaisinTen