Url-parse, a lightweight and versatile URL parsing library designed for seamless integration across Node.js and browser environments, has released version 1.5.6, building upon the solid foundation of its previous stable release, 1.5.5. While both versions share the same core dependencies – querystringify and requires-port – and development dependencies, a closer look reveals subtle yet noteworthy distinctions for developers.
The primary difference lies in the unpacked size of the package. Version 1.5.6 weighs in at 60550 bytes when unpacked, a slight increase from version 1.5.5's 58259 bytes. This suggests that the newer version likely includes minor enhancements, bug fixes, or potentially updated documentation contributing to the larger footprint. Developers should consider this small size difference when evaluating the impact on their project's bundle size, especially in performance-critical applications.
Both versions maintain the same MIT license, ensuring broad compatibility and freedom for developers. The repository remains consistent, hosted on GitHub under the unshiftio organization. The consistent author information indicates continuity in maintenance and development. The release dates reveal that version 1.5.6 was published approximately 5 hours after version 1.5.5, implying a quick follow-up release, potentially addressing a discovered issue or incorporating last-minute improvements. These details are helpful for developers looking to understand the release history and potential motivations behind the update. Ultimately, url-parse provides a robust and reliable solution for URL manipulation.
All vulnerabilities affecting version 1.5.6 of the package
url-parse Incorrectly parses URLs that include an '@'
When url-parse parses a specially crafted URL that contains an '@' sign but empty user info and no hostname, it returns an incorrect href. In particular,
parse("http://@/127.0.0.1")
will return:
{
slashes: true,
protocol: 'http:',
hash: '',
query: '',
pathname: '/127.0.0.1',
auth: '',
host: '',
port: '',
hostname: '',
password: '',
username: '',
origin: 'null',
href: 'http:///127.0.0.1'
}
If the 'hostname' or 'origin' attributes of the output from url-parse are used in security decisions and the final 'href' attribute of the output is then used to make a request, the decision may be incorrect.
Authorization Bypass Through User-Controlled Key in url-parse
url-parse prior to version 1.5.8 is vulnerable to Authorization Bypass Through User-Controlled Key.
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.
Leading control characters in a URL are not stripped when the URL is passed into url-parse. This can cause input URLs to be mistakenly interpreted as relative URLs without a hostname and protocol, while the WHATWG URL parser will trim the control characters and treat the same input as an absolute URL.
If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.
This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See the following example:
const parse = require('url-parse')
const express = require('express')
const app = express()
const port = 3000
// The leading backspace (\b, U+0008) is not stripped by url-parse, so the input
// is parsed as a relative URL and url.protocol is not 'javascript:'
const url = parse("\bjavascript:alert(1)")
console.log(url)
app.get('/', (req, res) => {
  // The check passes, but the browser strips the control character from url.href
  // and follows it as a javascript: URL
  if (url.protocol !== "javascript:") { res.send("<a href='" + url.href + "'>CLICK ME!</a>") }
})
app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})