url: fix url.parse() for @hostname

[Trott]

Make url.parse() behave more like browsers and WHATWHG URL when dealing
with URLs that have the format http:@example.com. This is the same as
http://example.com.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/42790/

[RaisinTen]

Instead of fixing the legacy api, shouldn't we help users migrate to the WHATWG url api which we recommend in the docs?

[lpinca]

No objections but I think special casing @ does not make much sense. It should do the same for http:example.com, http:/example.com, http:\example.com, http://////////example.com, etc.

It should ignore all forward and backward slashes for special protocols.

[Trott]

Instead of fixing the legacy api, shouldn't we help users migrate to the WHATWG url api which we recommend in the docs?

I think we should do both if:

• The bug in the legacy API could plausibly have security implications.
• The bug in the legacy API can be fixed in an otherwise backward-compatible way.
• There is someone willing to do the fix.

[Trott]

No objections but I think special casing @ does not make much sense. It should do the same for http:example.com, http:/example.com, http:\example.com, http://////////example.com, etc.

Oh, yes, very much so. Let me throw this into draft mode and see if I can address all those other kinds of edge cases without breaking existing tests/usage.

[RaisinTen]

Instead of fixing the legacy api, shouldn't we help users migrate to the WHATWG url api which we recommend in the docs?

I think we should do both if:

• The bug in the legacy API could plausibly have security implications.
• The bug in the legacy API can be fixed in an otherwise backward-compatible way.
• There is someone willing to do the fix.

According to

node/doc/api/url.md

Lines 1562 to 1565 in aa97c9d

	use the WHATWG `URL` API. Because the `url.parse()` method uses a
	lenient, non-standard algorithm for parsing URL strings, security
	issues can be introduced. Specifically, issues with [host name spoofing][] and
	incorrect handling of usernames and passwords have been identified.

it is a known source of bugs and fixing those would motivate users to keep using them and that defeats the purpose of labelling it as a legacy API, right? Why would people move to the WHATWG URL API if we accept fixes for the legacy API?

[Trott]

it is a known source of bugs and fixing those would motivate users to keep using them and that defeats the purpose of labelling it as a legacy API, right? Why would people move to the WHATWG URL API if we accept fixes for the legacy API?

A lot of people are using url.parse() through dependencies and aren't even aware they're using it.

We should not refuse fixes for an insecure API as a way of making users move to a newer API. (I'm not saying we have to do the fixes ourselves. But refusing to land a provided fix seems hostile.)

If we want to provide stronger encouragement for people to move off of url.parse() and to stop using libraries that use url.parse(), then we need to introduce a runtime deprecation or some other mechanism. Telling people that they should have read the documentation warning (which likely didn't exist when they wrote their code in the first place) is not how I want to see Node.js managed.

[Trott]

Oh, yes, very much so. Let me throw this into draft mode and see if I can address all those other kinds of edge cases without breaking existing tests/usage.

That will be a breaking change, so I'm going to open that as a follow-on PR and leave this one as-is.

[Trott]

Follow on PR with breaking changes: #42140

[RaisinTen]

We should not refuse fixes for an insecure API as a way of making users move to a newer API. (I'm not saying we have to do the fixes ourselves. But refusing to land a provided fix seems hostile.)

Does that mean that url.parse() is supposed to be treated the same way as any non-legacy stable API until it gets runtime-deprecated?

[RaisinTen]

That will be a breaking change, so I'm going to open that as a follow-on PR and leave this one as-is.

According to #42136 (comment), one of the scenarios when we should go ahead with the fix is when:

The bug in the legacy API can be fixed in an otherwise backward-compatible way.

but that fix is a breaking change. Isn't that contradictory?

[Trott]

Does that mean that url.parse() is supposed to be treated the same way as any non-legacy stable API until it gets runtime-deprecated?

Potential security problems in url.parse() tend to be answered with "don't use url.parse()" rather than "we need to do a security release and issue a CVE". So that's one difference in the way they are treated.

[Trott]

but that fix is a breaking change. Isn't that contradictory?

To be clear for anyone following along, we're talking about a different PR at this point. This question is about #42140. That PR is a breaking change, but this one is not.

That set of conditions was a sufficient set of conditions, not a necessary set of conditions. In other words, we can choose to break legacy APIs in major releases. There is a lot to weigh there: Disruption to users and the ecosystem vs. moving url.parse() to a more standardized (and arguably less bug-prone) state. I won't be surprised if we choose not to do it.

[RaisinTen]

cc @nodejs/url

[RaisinTen]

Seems reasonable to me, approving!

[Trott]

@nodejs/url Anyone want to be the second approval for this?

[Trott]

Please don't add the commit-queue label to this one. I'll need to edit the commit message before landing to add some information. Thanks!

[Trott]

Landed in 010cb71

[arcanis]

This diff seems to break Yarn classic which does url.resolve('https://registry.npmjs.org', '@foo/bar').

Node 17.6: https://registry.npmjs.org/@foo/bar
Node 17.7: https://foo/bar

[aduh95]

Should we revert?

[arcanis]

I've landed a fix in Yarn (url.resolve(..., './@foo/bar')), but it'll take time until people upgrade, and the error message will be very confusing in the meantime. I'd personally suggest to either revert or special-case this pattern (resolve called with @ as leading character in the subpath components), if possible 😕

[aduh95]

PR to revert: #42280

@arcanis FYI adding Yarn (both classic and Berry) to https://github.com/nodejs/citgm could help catch this kind of regressions before we release new versions of Node.js, I think it's worth considering. (and if Yarn is already on the CITGM list, we'd need to investigate why the failure wasn't caught up on the release run https://ci.nodejs.org/job/citgm-smoker/2869/)

[unerh]

Hi,
Are there any intentions in pushing this to v14 and v16, as Snyk scan reports a vulnerability on this:
https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-2440551

and the preference in my org is to use LTS versions.
Thanks

[aduh95]

There’s no intention of backporting this to LTS releases, it’s a breaking change that has been reverted, and that we are not interested in landing anymore. Snyk report is wrong when it says Node.js 17.7.1 is not affected (it is, we have reverted the fix on that version), and is wrong when it calls it a vulnerability.

FYI that Snyk report is only about the legacy URL parser, if you are using the WHATWG one, you can safely ignore that quirk.

[mcollina]

I would also note that this is not a vulnerability. We have analyzed this in great detail and it's not a problem.