Null bytes in url could cause some problems
Version
v16.6.0
Platform
Linux MAPLE 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86_64 GNU/Linux
Subsystem
url
What steps will reproduce the bug?
There are two bugs about null bytes:

```js
const url = require('url')
const u = url.parse('http://[127.0.0.1\0c8763]:8000/')
console.log(u.hostname) // '127.0.0.1\0c8763'
```
And the error will be:

```
Uncaught TypeError [ERR_INVALID_URL]: Invalid URL
    at __node_internal_captureLargerStackTrace (node:internal/errors:464:5)
    at new NodeError (node:internal/errors:371:5)
    at onParseError (node:internal/url:536:9)
    at new URL (node:internal/url:612:5) {
  input: 'a',
  code: 'ERR_INVALID_URL'
```

The error input is apparently truncated by the null byte.
How often does it reproduce? Is there a required condition?
I think this could only happen when an attacker is trying to bypass some SSRF filter in some scenario, but I think it is almost unlikely to happen in the real world.

```js
const url = require('url')
const http = require('http')

const u = url.parse('http://[127.0.0.1\0.github.io]:8000/')
console.log(u)

if (!u.hostname.endsWith('.github.io')) {
  console.log('Sorry, you can only fetch *.github.io')
  process.exit(1)
}

http.request(
  {
    host: u.hostname, // null byte truncated
    port: u.port,
    path: u.path,
    headers: {
      Host: 'xx' // http will automatically set the Host header by default, and \0 will cause an error in the header
    }
  },
  msg => {
    msg.on('data', data => {
      console.log(data.toString())
    })
  }
)
  .on('error', console.error)
  .end()
```
What is the expected behavior?
It should be an invalid URL, and the http module shouldn't accept null bytes.
What do you see instead?
Parsed successfully into a hostname with a null byte.
Additional information
No response
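The SSRF-filter scenario in the report checks a hostname produced by the legacy `url.parse` and then hands that string to `http.request`, so a null byte survives the allowlist check and is only truncated later. The following is an added example, not code from the issue or from Node.js, showing the defensive pattern: reject control characters in the raw string, parse with the WHATWG `URL` class (which rejects the inputs from the report with `ERR_INVALID_URL`), apply the allowlist to the parsed hostname, and build the request options from that same parsed object. The function name `checkOutboundUrl`, the parameter `allowedSuffix` and the sample inputs are assumptions of this example.

```javascript
// Added example (not from the issue or Node.js): validate an outbound URL
// against a hostname allowlist so that a NUL byte can never reach the
// hostname, the DNS lookup or the Host header.

const CONTROL_CHARS = /[\u0000-\u001f\u007f]/; // C0 controls incl. NUL, and DEL

function checkOutboundUrl(rawUrl, allowedSuffix) {
  // 1. Refuse the raw string if it carries any control character. The WHATWG
  //    parser silently strips some of these (tab, newline, leading/trailing
  //    C0 controls), so the check must happen before parsing.
  if (typeof rawUrl !== 'string' || CONTROL_CHARS.test(rawUrl)) {
    return { ok: false, reason: 'control character in URL' };
  }

  // 2. Parse with the WHATWG parser (`new URL`), not the legacy `url.parse`.
  //    Both inputs from the report are rejected here as invalid URLs.
  let u;
  try {
    u = new URL(rawUrl);
  } catch (err) {
    return { ok: false, reason: 'invalid URL' };
  }

  // 3. Only plain HTTP(S) may be fetched.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'unsupported scheme ' + u.protocol };
  }

  // 4. Allowlist check on the *parsed* hostname: it must be at least one
  //    label followed by the suffix, e.g. "foo.github.io" for ".github.io".
  //    A bare suffix or a hostname that merely contains the suffix fails.
  const host = u.hostname;
  if (!host.endsWith(allowedSuffix) || host.length === allowedSuffix.length) {
    return { ok: false, reason: 'hostname not in allowlist: ' + host };
  }

  // 5. Build request options from the same parsed object, so the value that
  //    was checked is exactly the value that gets used.
  return {
    ok: true,
    options: {
      protocol: u.protocol,
      host,
      port: u.port ? Number(u.port) : (u.protocol === 'https:' ? 443 : 80),
      path: u.pathname + u.search,
    },
  };
}

// Constructed sample inputs, including the NUL-byte inputs from the report.
const SAMPLES = [
  'http://[127.0.0.1\0.github.io]:8000/',
  'http://127.0.0.1\0.github.io:8000/',
  'http://user.github.io/repo?x=1',
  'http://github.io/',
  'http://github.io.other.example/',
  'file:///etc/hosts',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(checkOutboundUrl(s, '.github.io')));
}
```

The `options` object returned on success can be passed straight to `http.request` (or `https.request`), which removes the gap between the string that was checked and the string that is used; the control-character check on the raw input is what makes the filter independent of how any particular parser treats a NUL byte.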