url: forbid certain confusable changes from being introduced by toASCII #38631
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
needs-ci
TimothyGu
commented
May 11, 2021
| // spoofing. Rather than moving the non-host part to the pathname as | ||
| // we've done in getHostname, throw an exception to convey its | ||
| // severity. | ||
| throw new ERR_INVALID_URL(url); |
There was a problem hiding this comment.
The error code is up for debate here. url.parse itself previously never threw any exception, so there's no precedent. ERR_INVALID_URL is what's used in the WHATWG URL API, but is confusingly extended from TypeError. Another option ERR_INVALID_URI is extended from URIError, but doesn't have the nice err.input property that ERR_INVALID_URL has.
There was a problem hiding this comment.
fwiw, the TypeError bit for WHATWG URL is actually required by the spec ... see https://url.spec.whatwg.org/#url-class
I'm fine with using ERR_INVALID_URL here and adding the error.
marsonya
reviewed
May 11, 2021
jasnell
approved these changes
May 11, 2021
TimothyGu
added
author ready
marsonya
approved these changes
May 12, 2021
TimothyGu
changed the title
This comment has been minimized.
This comment has been minimized.
|
Hello @nodejs/tsc, this is technically a breaking change so your reviews would be appreciated. A description and rationale for this change can be found in the PR description: #38631 (comment). |
Trott
reviewed
May 12, 2021
Trott
approved these changes
May 12, 2021
joyeecheung
approved these changes
May 12, 2021
The legacy url.parse() function attempts to convert Unicode domains
(IDNs) into their ASCII/Punycode form through the use of the toASCII
function. However, toASCII can introduce or remove various characters
that at best invalidate the parsed URL, and at worst cause hostname
spoofing:
url.parse('http://bad.c℀.good.com/').href === 'http://bad.ca/c.good.com/'
(from [1])
url.parse('http://\u00AD/bad.com').href === 'http:///bad.com/'
While changes to the legacy URL parser are discouraged in general, the
security implications here outweigh the desire for strict compatibility.
This is since this commit only changes behavior when non-ASCII
characters appear in the hostname, an unusual situation for most use
cases. Additionally, despite the availability of the WHATWG URL API,
url.parse remain widely deployed in the Node.js ecosystem, as
exemplified by the recent un-deprecation of the legacy API.
This change is similar in spirit to CPython 3.8's change [2] fixing
bpo-36216 [3] aka CVE-2019-9636, which also occurred despite potential
compatibility concerns.
[1]: https://hackerone.com/reports/678487
[2]: python/cpython@16e6f7d
[3]: https://bugs.python.org/issue36216
|
Landed in 70157b9 |
TimothyGu
added a commit
that referenced
this pull request
May 14, 2021
The legacy url.parse() function attempts to convert Unicode domains
(IDNs) into their ASCII/Punycode form through the use of the toASCII
function. However, toASCII can introduce or remove various characters
that at best invalidate the parsed URL, and at worst cause hostname
spoofing:
url.parse('http://bad.c℀.good.com/').href === 'http://bad.ca/c.good.com/'
(from [1])
url.parse('http://\u00AD/bad.com').href === 'http:///bad.com/'
While changes to the legacy URL parser are discouraged in general, the
security implications here outweigh the desire for strict compatibility.
This is since this commit only changes behavior when non-ASCII
characters appear in the hostname, an unusual situation for most use
cases. Additionally, despite the availability of the WHATWG URL API,
url.parse remain widely deployed in the Node.js ecosystem, as
exemplified by the recent un-deprecation of the legacy API.
This change is similar in spirit to CPython 3.8's change [2] fixing
bpo-36216 [3] aka CVE-2019-9636, which also occurred despite potential
compatibility concerns.
[1]: https://hackerone.com/reports/678487
[2]: python/cpython@16e6f7d
[3]: https://bugs.python.org/issue36216
PR-URL: #38631
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
2 tasks
BethGriggs
added a commit
that referenced
this pull request
Oct 15, 2021
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - v8: remove --harmony-top-level-await (Geoffrey Booth) [#40226] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for th `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
BethGriggs
added a commit
that referenced
this pull request
Oct 15, 2021
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - v8: remove --harmony-top-level-await (Geoffrey Booth) [#40226] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
BethGriggs
added a commit
that referenced
this pull request
Oct 16, 2021
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
BethGriggs
added a commit
that referenced
this pull request
Oct 18, 2021
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. While OpenSSL 3.0 APIs should be mostly compatible with those provided by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to tightened restrictions on the allowed algorithms and key sizes. If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, `--openssl-legacy-provider`, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] Contributed in #38512, #40478 V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - deps: upgrade npm to 8.1.0 (npm team) [#40463] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
BethGriggs
added a commit
that referenced
this pull request
Oct 18, 2021
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. While OpenSSL 3.0 APIs should be mostly compatible with those provided by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to tightened restrictions on the allowed algorithms and key sizes. If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, `--openssl-legacy-provider`, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] Contributed in #38512, #40478 V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - deps: upgrade npm to 8.1.0 (npm team) [#40463] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
BethGriggs
added a commit
that referenced
this pull request
Oct 19, 2021
Notable Changes: Deprecations and Removals: - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - doc: deprecate (doc-only) http abort related (dr-js) [#36670] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] OpenSSL 3.0: Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl which provides QUIC support. While OpenSSL 3.0 APIs should be mostly compatible with those provided by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to tightened restrictions on the allowed algorithms and key sizes. If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, `--openssl-legacy-provider`, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions. For details about all the features in OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final. (Daniel Bevenius) [#38512] Contributed in #38512, #40478 V8 9.5: The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the `Intl.DisplayNames` API and Extended `timeZoneName` options in the `Intl.DateTimeFormat` API. You can read more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95. (Michaël Zasso) [#40178] Readline Promise API: The `readline` module provides an interface for reading data from a Readable stream (such as `process.stdin`) one line at a time. (Antoine du Hamel) [#37947] Other Notable Changes: - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that cause exit (Divlo) [#38332] - deps: upgrade npm to 8.1.0 (npm team) [#40463] - (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream() (James M Snell) [#39331] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] Semver-Major Commits: - (SEMVER-MAJOR) build: compile with C++17 (MSVC) (Richard Lau) [#38807] - (SEMVER-MAJOR) build: compile with --gnu++17 (Richard Lau) [#38807] - (SEMVER-MAJOR) deps: update V8 to 9.5.172.19 (Michaël Zasso) [#40178] - (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0 (Daniel Bevenius) [#38512] - (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send` (Voltrex) [#39190] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options (Antoine du Hamel) [#39793] - (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup() (treysis) [#39987] - (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2 (Michaël Zasso) [#40179] - (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit (Divlo) [#38332] - (SEMVER-MAJOR) fs: fix rmsync error swallowing (Nitzan Uziely) [#38684] - (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing (Nitzan Uziely) [#38259] - (SEMVER-MAJOR) lib: add structuredClone() global (Ethan Arrowood) [#39759] - (SEMVER-MAJOR) lib: expose `DOMException` as global (Khaidi Chu) [#39176] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) [#40121] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) [#40117] - (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: introduce promise-based API (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class (Antoine du Hamel) [#37947] - (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv (Daniel Bevenius) [#37727] - (SEMVER-MAJOR) src: return Maybe from a couple of functions (Darshan Sen) [#39603] - (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform (Shelley Vohr) [#38362] - (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error (Rongjian Zhang) [#38700] - (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close' (Robert Nagy) [#39639] - (SEMVER-MAJOR) stream: do not emit `end` on readable error (Szymon Marczak) [#39607] - (SEMVER-MAJOR) stream: forward errored to callback (Robert Nagy) [#39364] - (SEMVER-MAJOR) stream: destroy readable on read error (Robert Nagy) [#39342] - (SEMVER-MAJOR) stream: validate abort signal (Robert Nagy) [#39346] - (SEMVER-MAJOR) stream: unify stream utils (Robert Nagy) [#39294] - (SEMVER-MAJOR) stream: throw on premature close in Readable\ (Darshan Sen) [#39117] - (SEMVER-MAJOR) stream: finished should error on errored stream (Robert Nagy) [#39235] - (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable (Robert Nagy) [#34385] - (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration (Robert Nagy) [#38505] - (SEMVER-MAJOR) url: throw invalid this on detached accessors (James M Snell) [#39752] - (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII (Timothy Gu) [#38631] PR-URL: #40119
ghost
mentioned this pull request
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The legacy url.parse() function attempts to convert Unicode domains (IDNs) into their ASCII/Punycode form through the use of the toASCII function. However, toASCII can introduce or remove various characters that at best invalidate the parsed URL, and at worst cause hostname spoofing:
While changes to the legacy URL parser are discouraged in general, the security implications here outweigh the desire for strict compatibility. This is since this commit only changes behavior when non-ASCII characters appear in the hostname, an unusual situation for most use cases. Additionally, despite the availability of the WHATWG URL API, url.parse remain widely deployed in the Node.js ecosystem, as exemplified by the recent un-deprecation of the legacy API.
This change is similar in spirit to CPython 3.8's change (python/cpython@16e6f7d) fixing bpo-36216 aka CVE-2019-9636, which also occurred despite potential compatibility concerns.
See also: #23694, #31279, https://hackerone.com/reports/678487, and https://hackerone.com/reports/738333
cc @nodejs/url