Node: Invalid URL

Created on 16 Oct 2018 · 11 Comments · Source: nodejs/node

  • Version: v10.8.0
  • Platform: Darwin
  • Subsystem:

This works fine in the browser but fails in node

new URL('http://xn--www-4m0aa.hergivenhair.com/?y=MAKEBA112')
TypeError [ERR_INVALID_URL]: Invalid URL: http://xn--www-4m0aa.hergivenhair.com/?y=MAKEBA112
    at onParseError (internal/url.js:237:17)
    at parse (internal/url.js:246:3)
    at new URL (internal/url.js:321:5)
whatwg-url

All 11 comments

Browsers appear to be giving this a bit more leniency but the URL does not appear to be valid punycode.

@TimothyGu ... thoughts?

The whatwg-url module also throws with this URL.

@jimmywarting what is the original utf-8 name of the domain?

It seems this URL isn't a correct one.

@jimmywarting I scanned your domain but I didn't find this subdomain "xn--www-4m0aa"

Pentest-Tools

@jimmywarting what is the original utf-8 name of the domain?

Don't know... there was a bit.ly url that redirects

https://bitly.com/hergivenhairKeeb+

I was looking into this PR https://github.com/bitinn/node-fetch/pull/532
I thought that instead of just throwing an error, I thought: how can we handle it and potentially fix it?

xn--www-4m0aa decoded is \u200B\u200Bwww. U+200B is the zero-width space.

From a security perspective, I'd say it's right it gets rejected, otherwise it's easy to create URLs that look identical visually.

So everyone here seems to be saying that it's an invalid punycode URL. So is Node doing this correctly and the browser does not?

Correct. The browsers seem to be falling back to a lenient parse mode that does not actually try to interpret the invalid punycode.

Agreed with all of the above. Note, the latest whatwg-url package also throws when this URL is parsed.

Closing this as there is consensus that this is not a bug in node.js
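
The decoding stated in the thread can be reproduced with the following added example, which is not part of the original issue or of Node.js: an RFC 3492 Punycode decoder that reports invisible code points hidden in `xn--` labels. The function names and the `INVISIBLE` set are assumptions made for illustration.

```javascript
// Added example (not Node.js or whatwg-url code); names and INVISIBLE are illustrative.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
// Code points that render as nothing (constructed, non-exhaustive list).
const INVISIBLE = new Set([0x00ad, 0x200b, 0x200c, 0x200d, 0x2060, 0xfeff]);
function adapt(delta, numPoints, first) {
  delta = first ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  for (; delta > ((BASE - TMIN) * TMAX) >> 1; k += BASE) delta = Math.floor(delta / (BASE - TMIN));
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

function digitValue(ch) {
  const v = parseInt(ch, 36); // '0'-'9' => 0..9, 'a'-'z' => 10..35
  if (Number.isNaN(v)) throw new RangeError('bad punycode digit: ' + ch);
  return v < 10 ? v + 26 : v - 10; // Punycode order: a-z => 0..25, 0-9 => 26..35
}

// Decode one label body (the part after "xn--") into an array of code points.
function punycodeDecode(input) {
  const d = input.lastIndexOf('-');
  const out = Array.from(input.slice(0, Math.max(d, 0)), ch => ch.charCodeAt(0));
  let n = 128, i = 0, bias = 72;
  for (let pos = d + 1; pos < input.length; ) {
    const oldi = i;
    for (let w = 1, k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new RangeError('truncated punycode');
      const digit = digitValue(input[pos++]);
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, out.length + 1, oldi === 0);
    n += Math.floor(i / (out.length + 1));
    i %= out.length + 1;
    out.splice(i++, 0, n); // insert the new code point at position i
  }
  return out;
}

// For each xn-- label in a hostname, return its decoded form and hidden code points.
function inspectHostname(hostname) {
  return hostname.split('.').filter(l => /^xn--/i.test(l)).map(label => {
    const cps = punycodeDecode(label.slice(4));
    const invisible = cps.filter(cp => INVISIBLE.has(cp)).map(cp => 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'));
    return { label, decoded: String.fromCodePoint(...cps), invisible };
  });
}
```

Calling `inspectHostname('xn--www-4m0aa.hergivenhair.com')` reports the label as two U+200B code points followed by `www`, matching the decoding given in the thread.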
