CVE-2022-2217: Refactor codebase, upgrade dependencies · IonicaBizau/parse-url@21c72ab

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.

@@ -1,8 +1,10 @@ “use strict”
// Dependencies const parsePath = require(“parse-path”) , normalizeUrl = require(“normalize-url”)

/** * parseUrl * Parses the input url. @@ -12,7 +14,7 @@ const parsePath = require(“parse-path”) * @name parseUrl * @function * @param {String} url The input url. * @param {Boolean|Object} normalize Wheter to normalize the url or not. * @param {Boolean|Object} normalize Whether to normalize the url or not. * Default is `false`. If `true`, the url will * be normalized. If an object, it will be the * options object sent to [`normalize-url`](https://github.com/sindresorhus/normalize-url). @@ -21,21 +23,26 @@ const parsePath = require(“parse-path”) * * @return {Object} An object containing the following fields: * * - `protocols` (Array): An array with the url protocols (usually it has one element). * - `protocol` (String): The first protocol, `"ssh"` (if the url is a ssh url) or `"file"`. * - `port` (null|Number): The domain port. * - `resource` (String): The url domain (including subdomains). * - `user` (String): The authentication user (usually for ssh urls). * - `pathname` (String): The url pathname. * - `hash` (String): The url hash. * - `search` (String): The url querystring value. * - `href` (String): The input url. * - `query` (Object): The url querystring, parsed as object. * - `protocols` (Array): An array with the url protocols (usually it has one element). * - `protocol` (String): The first protocol, `"ssh"` (if the url is a ssh url) or `"file"`. * - `port` (null|Number): The domain port. * - `resource` (String): The url domain (including subdomains). * - `user` (String): The authentication user (usually for ssh urls). * - `pathname` (String): The url pathname. * - `hash` (String): The url hash. * - `search` (String): The url querystring value. * - `href` (String): The input url. * - `query` (Object): The url querystring, parsed as object. */ function parseUrl(url, normalize = false) { const parseUrl = (url, normalize = false) => {
// Constants const GIT_RE = /((git@|http(s)?:\/\/)([\w\.@]+)(\/|:))(([\~,\w,\-,\_,\/]+)(.git){0,1}((\/){0,1}))/
if (typeof url !== “string” || !url.trim()) { throw new Error(“Invalid url.”) }
if (normalize) { if (typeof normalize !== “object”) { normalize = { @@ -44,7 +51,21 @@ function parseUrl(url, normalize = false) { } url = normalizeUrl(url, normalize) }
const parsed = parsePath(url)
// Potential git-ssh urls if (parsed.protocol === “file”) { const matched = parsed.href.match(GIT_RE) if (matched) { parsed.protocols = [“ssh”] parsed.protocol = “ssh” parsed.resource = matched[4] parsed.user = “git” parsed.pathname = `/${matched[6]}` } }
return parsed; }
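Review bot: the new GIT_RE constant in the `@@ -21,21 +23,26 @@` hunk is looser than it reads. `(.git){0,1}` uses an unescaped `.`, so it accepts any character before `git`, and the classes `[\~,\w,\-,\_,\/]` contain literal commas because the commas sit inside the brackets rather than separating alternatives. Suggest `(\.git)?` and `[~\w\-\/]+`, and anchoring the pattern (`^...$`) so it has to match the whole href rather than any substring of it. The `typeof url !== "string" || !url.trim()` guard is a good addition, but the JSDoc block just above it still documents only the return fields; add an `@throws` line so callers know non-string or empty input now raises `Invalid url.`.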
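Review bot: in the git-ssh branch of the `@@ -44,7 +51,21 @@` hunk, `parsed.user` is hard-coded to `"git"` even though the regex's fourth group `([\w\.@]+)` can itself contain `@`, so `matched[4]` may carry a different user name and the `user`/`resource` split will be wrong for such inputs; derive the user from the text before `@` in the match, or reject matches whose group 4 contains `@`, and add a test for each. Because `parsed.href.match(GIT_RE)` is unanchored, a `file` href that merely contains `git@host:` somewhere in its middle is also reclassified as ssh; checking `matched.index === 0` (or anchoring GIT_RE) keeps the protocol override to hrefs that actually start in the ssh form. The `http(s)?:\/\/` alternative in GIT_RE is unreachable in this branch, since it only runs when `parsed.protocol === "file"`, so either drop it or document why it is kept.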
