doc: correct unsafe URL example in http docs #52555
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Review requested:
|
nodejs-github-bot
added
doc
|
LGTM |
|
I kinda like it. |
lpinca
approved these changes
Apr 16, 2024
mlegenhausen
force-pushed
the
fix-unsafe-url-parse-docs
branch
from
430c3dd to
4d39eb2
Compare
I will try to formulate something that doesn't get to complicated. For the classic copy/paste developer this at least contains no surprises. Everyone else beyond that will understand how to adapt this. Should I document something about the dangers of the |
|
I would say keep it. When it's about security we are never verbose enough ;) |
mlegenhausen
force-pushed
the
fix-unsafe-url-parse-docs
branch
from
4d39eb2 to
2e593a6
Compare
The previous documentation example for converting `request.url` to an `URL` object was unsafe, as it could allow a server crash through malformed URL inputs and potentially enable host header attacks. This commit revises the example to use string concatenation over the usage of the `baseUrl` and removes the usage of the `req.headers.host` as the authority part of the url, mitigating both the crash and security risks by ensuring the host part of the URL remains controlled and predictable. Fixes nodejs#52494 Co-authored-by: @astlouisf Co-authored-by: @samhh
mlegenhausen
force-pushed
the
fix-unsafe-url-parse-docs
branch
from
2e593a6 to
e1f6dc7
Compare
|
Everything seems good to me! |
lpinca
approved these changes
Apr 17, 2024
aymen94
approved these changes
Apr 17, 2024
|
@mlegenhausen can you please fix the lint issue? |
|
@lpinca fixed |
lpinca
approved these changes
Apr 21, 2024
lpinca
added
commit-queue
nodejs-github-bot
removed
the
commit-queue
|
Landed in 461722d |
aduh95
pushed a commit
that referenced
this pull request
Apr 29, 2024
The previous documentation example for converting `request.url` to an `URL` object was unsafe, as it could allow a server crash through malformed URL inputs and potentially enable host header attacks. This commit revises the example to use string concatenation over the usage of the `baseUrl` and removes the usage of the `req.headers.host` as the authority part of the url, mitigating both the crash and security risks by ensuring the host part of the URL remains controlled and predictable. Fixes #52494 Co-authored-by: @astlouisf Co-authored-by: @samhh PR-URL: #52555 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it>
marco-ippolito
pushed a commit
that referenced
this pull request
May 2, 2024
The previous documentation example for converting `request.url` to an `URL` object was unsafe, as it could allow a server crash through malformed URL inputs and potentially enable host header attacks. This commit revises the example to use string concatenation over the usage of the `baseUrl` and removes the usage of the `req.headers.host` as the authority part of the url, mitigating both the crash and security risks by ensuring the host part of the URL remains controlled and predictable. Fixes #52494 Co-authored-by: @astlouisf Co-authored-by: @samhh PR-URL: #52555 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Merged
marco-ippolito
pushed a commit
that referenced
this pull request
May 3, 2024
The previous documentation example for converting `request.url` to an `URL` object was unsafe, as it could allow a server crash through malformed URL inputs and potentially enable host header attacks. This commit revises the example to use string concatenation over the usage of the `baseUrl` and removes the usage of the `req.headers.host` as the authority part of the url, mitigating both the crash and security risks by ensuring the host part of the URL remains controlled and predictable. Fixes #52494 Co-authored-by: @astlouisf Co-authored-by: @samhh PR-URL: #52555 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Co-authored-by: @astlouisf
Co-authored-by: @samhh
The previous documentation example for converting
request.urlto anURLobject was unsafe, as it could allow a server crash through malformed URL inputs and potentially enable host header attacks.This commit revises the example to use string concatenation over the usage of the
baseUrland removes the usage of thereq.headers.hostas the authority part of the url, mitigating both the crash and security risks by ensuring the host part of the URL remains controlled and predictable.Fixes #52494
Successor of #52536