From ade134119bf1fdc4909d00f5a952c966f0075ad3 Mon Sep 17 00:00:00 2001
From: Yaraslau Kurmyza
Date: Mon, 2 May 2022 13:47:12 +0200
Subject: [PATCH] Parse URLs using stdlib
---
 lib/utils.js | 22 ++++++++++++----------
 test/server.js | 14 ++++++++++++++
 test/utils.js | 6 +++---
 3 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/lib/utils.js b/lib/utils.js
index 60d8219..a2a3094 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -4,6 +4,7 @@
 const Sntp = require('sntp');
 const Boom = require('boom');
+const Url = require('url');
 // Declare internals
@@ -22,12 +23,6 @@ exports.limits = {
 };
-// Extract host and port from request
-
-// $1 $2
-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/; // (IPv4, hostname)|(IPv6)
-
-
 exports.parseHost = function (req, hostHeaderName) {
 hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
@@ -40,14 +35,21 @@ exports.parseHost = function (req, hostHeaderName) {
 return null;
 }
- const hostParts = hostHeader.match(internals.hostHeaderRegex);
- if (!hostParts) {
+ if (hostHeader.indexOf('/') !== -1) {
 return null;
 }
+ let uri;
+ try {
+ uri = new Url.URL('http://' + hostHeader);
+ }
+ catch (err) {
+ return null;
+ }
+
 return {
- name: hostParts[1],
- port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))
+ name: uri.hostname,
+ port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80))
 };
 };
diff --git a/test/server.js b/test/server.js
index 39e66e6..3ef23d6 100755
--- a/test/server.js
+++ b/test/server.js
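Review bot: The `indexOf('/')` guard in `parseHost` rejects only a forward slash, so a Host value carrying `?`, `#`, `@` userinfo or a backslash still parses, and the function returns a hostname that is not what the header literally contained (for `http:` the URL parser treats `\` as `/` and splits off userinfo, query and fragment). After the `try`/`catch`, reject anything parsed beyond host and port, e.g. `if (uri.username || uri.password || uri.search || uri.hash || uri.pathname !== '/') { return null; }`. Separately, the parser drops an explicit default port, so a header ending in `:80` leaves `uri.port` empty and an encrypted connection falls back to 443, where the removed regex would have returned `'80'`. If the returned port feeds MAC validation, as it presumably does here, that fails closed but is a behaviour change worth a test. The body of `parseHost` starts before this hunk.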
@@ -551,6 +551,20 @@ describe('Server', () => {
 });
 });
+ it('errors on an bad host header (includes path and query)', async () => {
+
+ const req = {
+ method: 'GET',
+ url: '/resource/4?filter=a',
+ headers: {
+ host: 'example.com:8080/path?x=z',
+ authorization: 'Hawk'
+ }
+ };
+
+ await expect(Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() })).to.reject('Invalid Host header');
+ });
+
 it('errors on an bad host header (pad port)', (done) => {
 const req = {
diff --git a/test/utils.js b/test/utils.js
index 6182609..98f2422 100755
--- a/test/utils.js
+++ b/test/utils.js
@@ -64,7 +64,7 @@ describe('Utils', () => {
 method: 'POST',
 url: '/resource/4?filter=a',
 headers: {
- host: '[123:123:123]',
+ host: '[123:123::123]',
 'content-type': 'text/plain;x=y'
 },
 connection: {
@@ -82,7 +82,7 @@ describe('Utils', () => {
 method: 'POST',
 url: '/resource/4?filter=a',
 headers: {
- host: '[123:123:123]:8000',
+ host: '[123:123::123]:8000',
 'content-type': 'text/plain;x=y'
 },
 connection: {
@@ -92,7 +92,7 @@ describe('Utils', () => {
 const host = Hawk.utils.parseHost(req, 'Host');
 expect(host.port).to.equal('8000');
- expect(host.name).to.equal('[123:123:123]');
+ expect(host.name).to.equal('[123:123::123]');
 done();
 });
--
2.23.0
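Review bot: The host value in the added test contains a `/`, so the request is turned away by the `indexOf('/')` guard and never reaches the `new Url.URL` parse in `parseHost`; the "path and query" title overstates what is covered. A sibling case with a query but no path, such as `host: 'example.com:8080?x=z'`, and one with userinfo, such as `host: 'user@example.com'`, would pin how the parser handles the remaining delimiters; both should expect `'Invalid Host header'` once those forms are rejected. The describe block continues outside this hunk.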