
security implications of legacy url.parse() should be more clearly documented #31279

Closed
@sam-github

Description

  • Version: all
  • Platform: all
  • Subsystem: url

url.parse() is "sloppy" with its parsing, so use of it can result in behaviour unexpected by some users that has security implications.

It is marked as deprecated at https://nodejs.org/api/url.html#url_url_parse_urlstring_parsequerystring_slashesdenotehost, but the docs don't specifically call out the security issues, so people won't necessarily know that security is a reason to avoid it.

It also doesn't list the specific (known) security issues, so that it's not possible for users of the legacy url.parse() API to determine whether their usage is insecure.

These should be addressed through documentation.

Related

Vulnerability reports in process of disclosure, so link will be dead for a while longer.

Metadata


Labels

  • discuss: Issues opened for discussions and feedbacks.
  • doc: Issues and PRs related to the documentations.
  • security: Issues and PRs related to security.
  • url: Issues and PRs related to the legacy built-in url module.
