fix: validate port in bee url (#1189)

slapec93 · Gergely Békési · web-flow · commit 70eaac62a2da · 2026-06-17T20:55:54.000+02:00
* fix: validate port in bee url

* test: cover port validation with tests

---------

Co-authored-by: Gergely Békési &lt;gergely.bekesi@ethswarm.org&gt;
diff --git a/src/utils/bad-ports.ts b/src/utils/bad-ports.ts
@@ -0,0 +1,89 @@
+/**
+ * Ports blocked by the WHATWG Fetch spec for HTTP/HTTPS requests.
+ *
+ * See: https://fetch.spec.whatwg.org/#port-blocking
+ */
+export const BAD_PORTS: string[] = [
+  '1',
+  '7',
+  '9',
+  '11',
+  '13',
+  '15',
+  '17',
+  '19',
+  '20',
+  '21',
+  '22',
+  '23',
+  '25',
+  '37',
+  '42',
+  '43',
+  '53',
+  '69',
+  '77',
+  '79',
+  '87',
+  '95',
+  '101',
+  '102',
+  '103',
+  '104',
+  '109',
+  '110',
+  '111',
+  '113',
+  '115',
+  '117',
+  '119',
+  '123',
+  '135',
+  '137',
+  '139',
+  '143',
+  '161',
+  '179',
+  '389',
+  '427',
+  '465',
+  '512',
+  '513',
+  '514',
+  '515',
+  '526',
+  '530',
+  '531',
+  '532',
+  '540',
+  '548',
+  '554',
+  '556',
+  '563',
+  '587',
+  '601',
+  '636',
+  '989',
+  '990',
+  '993',
+  '995',
+  '1719',
+  '1720',
+  '1723',
+  '2049',
+  '3659',
+  '4045',
+  '4190',
+  '5060',
+  '5061',
+  '6000',
+  '6566',
+  '6665',
+  '6666',
+  '6667',
+  '6668',
+  '6669',
+  '6679',
+  '6697',
+  '10080',
+]
diff --git a/src/utils/url.ts b/src/utils/url.ts
@@ -1,3 +1,4 @@
+import { BAD_PORTS } from './bad-ports'
 import { BeeArgumentError } from './error'
 
 /**
@@ -21,6 +22,29 @@ export function isValidBeeUrl(url: unknown): url is URL {
   }
 }
 
+/**
+ * Validates that passed string is valid port to use Bee and is not a bad port.
+ * We support only HTTP and HTTPS protocols. Bad ports are defined in
+ * the WHATWG Fetch spec (https://fetch.spec.whatwg.org/#port-blocking)
+ * and are blocked for HTTP/HTTPS requests.
+ *
+ * @param port
+ */
+
+export function isValidBeePort(port: unknown): port is string {
+  if (typeof port !== 'string') {
+    return false
+  }
+
+  if (BAD_PORTS.includes(port)) {
+    return false
+  }
+
+  const portNumber = parseInt(port, 10)
+
+  return portNumber > 0 && portNumber < 65536 && !isNaN(portNumber)
+}
+
 /**
  * Validates that passed string is valid URL of Bee, if not it throws BeeArgumentError.
  * We support only HTTP and HTTPS protocols.
@@ -31,6 +55,12 @@ export function assertBeeUrl(url: unknown): asserts url is URL {
   if (!isValidBeeUrl(url)) {
     throw new BeeArgumentError('URL is not valid!', url)
   }
+
+  const port = new URL(url as unknown as string).port
+
+  if (port && !isValidBeePort(port)) {
+    throw new BeeArgumentError('Port in URL is considered bad port and cannot be used!', port)
+  }
 }
 
 /**
diff --git a/test/unit/url.spec.ts b/test/unit/url.spec.ts
@@ -0,0 +1,14 @@
+import { Bee } from '../../src'
+import { assertBeeUrl } from '../../src/utils/url'
+
+describe('URL utils', () => {
+  test('when URL contains bad port, assertBeeUrl throws', () => {
+    expect(() => assertBeeUrl('http://localhost:25')).toThrow('Port in URL is considered bad port and cannot be used!')
+    expect(() => assertBeeUrl('http://localhost:69')).toThrow('Port in URL is considered bad port and cannot be used!')
+  })
+
+  test('Bee constructor rejects bad ports', () => {
+    expect(() => new Bee('http://localhost:25')).toThrow('Port in URL is considered bad port and cannot be used!')
+    expect(() => new Bee('http://localhost:69')).toThrow('Port in URL is considered bad port and cannot be used!')
+  })
+})
