unshiftio · May 13, 2021 · May 15, 2021 · May 18, 2021 · Jun 3, 2021 · Jul 24, 2021
Showing with 648 additions and 70 deletions.

+39 −0 .github/workflows/ci.yml

+0 −25 .travis.yml

+9 −3 README.md

+25 −0 SECURITY.md

+140 −26 index.js

+4 −5 package.json

+1 −1 test/browser.js

+430 −10 test/test.js
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,39 @@
+name: CI
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node:
+          - 12
+          - 14
+          - 16
+          - 17
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node }}
+      - run: npm install
+      - run: npm test
+      - uses: coverallsapp/github-action@1.1.3
+        if: matrix.node == 12
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+  test-browser:
+    runs-on: ubuntu-latest
+    env:
+      SAUCE_USERNAME: url-parse
+      SAUCE_ACCESS_KEY: ${{ secrets.SAUCE_ACCESS_KEY }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 12
+      - run: npm install
+      - run: npm run test-browser
diff --git a/.travis.yml b/.travis.yml
diff --git a/README.md b/README.md
@@ -1,9 +1,15 @@
 # url-parse
 
-[![Made by unshift](https://img.shields.io/badge/made%20by-unshift-00ffcc.svg?style=flat-square)](http://unshift.io)[![Version npm](https://img.shields.io/npm/v/url-parse.svg?style=flat-square)](https://www.npmjs.com/package/url-parse)[![Build Status](https://img.shields.io/travis/unshiftio/url-parse/master.svg?style=flat-square)](https://travis-ci.org/unshiftio/url-parse)[![Dependencies](https://img.shields.io/david/unshiftio/url-parse.svg?style=flat-square)](https://david-dm.org/unshiftio/url-parse)[![Coverage Status](https://img.shields.io/coveralls/unshiftio/url-parse/master.svg?style=flat-square)](https://coveralls.io/r/unshiftio/url-parse?branch=master)[![IRC channel](https://img.shields.io/badge/IRC-irc.freenode.net%23unshift-00a8ff.svg?style=flat-square)](https://webchat.freenode.net/?channels=unshift)
+[![Version npm](https://img.shields.io/npm/v/url-parse.svg?style=flat-square)](https://www.npmjs.com/package/url-parse)[![Build Status](https://img.shields.io/github/workflow/status/unshiftio/url-parse/CI/master?label=CI&style=flat-square)](https://github.com/unshiftio/url-parse/actions?query=workflow%3ACI+branch%3Amaster)[![Coverage Status](https://img.shields.io/coveralls/unshiftio/url-parse/master.svg?style=flat-square)](https://coveralls.io/r/unshiftio/url-parse?branch=master)
 
 [![Sauce Test Status](https://saucelabs.com/browser-matrix/url-parse.svg)](https://saucelabs.com/u/url-parse)
 
+**`url-parse` was created in 2014 when the WHATWG URL API was not available in
+Node.js and the `URL` interface was supported only in some browsers. Today this
+is no longer true. The `URL` interface is available in all supported Node.js
+release lines and basically all browsers. Consider using it for better security
+and accuracy.**
+
 The `url-parse` method exposes two different API interfaces. The
 [`url`](https://nodejs.org/api/url.html) interface that you know from Node.js
 and the new [`URL`](https://developer.mozilla.org/en-US/docs/Web/API/URL/URL)
@@ -80,8 +86,8 @@ The returned `url` instance contains the following properties:
 - `auth`: Authentication information portion (e.g. `username:password`).
 - `username`: Username of basic authentication.
 - `password`: Password of basic authentication.
-- `host`: Host name with port number.
-- `hostname`: Host name without port number.
+- `host`: Host name with port number. The hostname might be invalid.
+- `hostname`: Host name without port number. This might be an invalid hostname.
 - `port`: Optional port number.
 - `pathname`: URL path.
 - `query`: Parsed object containing query string, unless parsing is set to false.

diff --git a/SECURITY.md b/SECURITY.md
@@ -33,6 +33,29 @@ acknowledge your responsible disclosure, if you wish.
 
 ## History
 
+> Incorrect handling of username and password can lead to authorization bypass.
+
+- **Reporter credits**
+  - ranjit-git
+  - GitHub: [@ranjit-git](https://github.com/ranjit-git)
+- Huntr report: https://www.huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b/
+- Fixed in: 1.5.6
+
+---
+
+> url-parse mishandles certain uses of a single (back) slash such as https:\ &
+> https:/ and interprets the URI as a relative path. Browsers accept a single
+> backslash after the protocol, and treat it as a normal slash, while url-parse
+> sees it as a relative path.
+
+- **Reporter credits**
+  - ready-research
+  - GitHub: [@ready-research](https://github.com/ready-research)
+- Huntr report: https://www.huntr.dev/bounties/1625557993985-unshiftio/url-parse/
+- Fixed in: 1.5.2
+
+---
+
 > Using backslash in the protocol is valid in the browser, while url-parse
 > thinks it’s a relative path. An application that validates a url using
 > url-parse might pass a malicious link.
@@ -42,6 +65,8 @@ acknowledge your responsible disclosure, if you wish.
   - Twitter: [Yaniv Nizry](https://twitter.com/ynizry)
 - Fixed in: 1.5.0
 
+---
+
 > The `extractProtocol` method does not return the correct protocol when
 > provided with unsanitized content which could lead to false positives.