Null bytes in url could cause some problems #39592

Closed
@maple3142

Description

Version

v16.6.0

Platform

Linux MAPLE 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86_64 GNU/Linux

Subsystem

url

What steps will reproduce the bug?

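There are two bugs involving null bytes:

```js
const url = require('url')

// Bug 1: the legacy parser accepts a null byte inside a bracketed host
const u = url.parse('http://[127.0.0.1\0c8763]:8000/')
console.log(u.hostname) // '127.0.0.1\0c8763'

// Bug 2: the WHATWG parser throws here, and the error reports a truncated input
new URL('a\0b')
```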

And the error will be:

```
Uncaught TypeError [ERR_INVALID_URL]: Invalid URL
    at __node_internal_captureLargerStackTrace (node:internal/errors:464:5)
    at new NodeError (node:internal/errors:371:5)
    at onParseError (node:internal/url:536:9)
    at new URL (node:internal/url:612:5) {
  input: 'a',
  code: 'ERR_INVALID_URL'
}
```

The error input is apparently truncated by the null byte.

How often does it reproduce? Is there a required condition?

I think this could only happen when an attacker is trying to bypass some SSRF filter in some scenario, but I think it is almost unlikely to happen in the real world.

```js
const url = require('url')
const http = require('http')

const u = url.parse('http://[127.0.0.1\0.github.io]:8000/')
console.log(u)

if (!u.hostname.endsWith('.github.io')) {
	console.log('Sorry, you can only fetch *.github.io')
	process.exit(1)
}

http.request(
	{
		host: u.hostname, // null byte truncated
		port: u.port,
		path: u.path,
		headers: {
			Host: 'xx' // http will automatically set host header by default, and \0 will cause an error in header
		}
	},
	msg => {
		msg.on('data', data => {
			console.log(data.toString())
		})
	}
)
	.on('error', console.error)
	.end()
```

What is the expected behavior?

It should be an invalid URL, and the http module shouldn't accept a null byte.

What do you see instead?

Parsed successfully into a hostname with a null byte.

Additional information

No response
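
A hardened form of the `*.github.io` allowlist check from the reproduction above, as an added example that is not part of the original issue or of Node.js itself. The function name `checkFetchTarget`, the reason strings and the sample inputs are assumptions made for illustration.

```javascript
// Added example. ALLOWED_SUFFIX mirrors the filter in the issue's
// reproduction; checkFetchTarget is a hypothetical helper name.
const ALLOWED_SUFFIX = '.github.io';

function checkFetchTarget(input) {
  // Refuse NUL, other C0 controls, space and DEL before any parser sees the
  // string, so the verdict does not depend on how a parser treats them.
  if (typeof input !== 'string' || /[\u0000-\u0020\u007f]/.test(input)) {
    return { ok: false, reason: 'control-or-space' };
  }
  let u;
  try {
    u = new URL(input); // WHATWG parser, not the legacy url.parse()
  } catch {
    return { ok: false, reason: 'invalid-url' };
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // The parsed hostname is lowercased ASCII; anything outside letters,
  // digits, dot and hyphen (the brackets of an IP literal included) is refused.
  if (!/^[a-z0-9.-]+$/.test(u.hostname)) {
    return { ok: false, reason: 'hostname-chars' };
  }
  if (!u.hostname.endsWith(ALLOWED_SUFFIX)) {
    return { ok: false, reason: 'not-allowed' };
  }
  // Pass these validated values to http.request(), never the raw input.
  return { ok: true, host: u.hostname, port: u.port, path: u.pathname + u.search };
}

// Constructed sample inputs; the first is the string from the issue.
const samples = [
  'http://[127.0.0.1\0.github.io]:8000/',
  'http://[127.0.0.1.github.io]:8000/',
  'http://evilgithub.io/',
  'http://example.github.io/index.html?x=1',
];
for (const s of samples) {
  console.log(JSON.stringify(s), checkFetchTarget(s));
}
```

The decision and the request use the same parsed fields, so the value that passed the suffix check is the value that gets connected to.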

Labels: url (Issues and PRs related to the legacy built-in url module), whatwg-url (Issues and PRs related to the WHATWG URL implementation)