@@ -70,6 +70,125 @@ describe('req', function(){
7070 . expect ( '[::1]' , done ) ;
7171 } )
7272
73+ it ( 'should return undefined for a non-numeric port' , function ( done ) {
74+ var app = express ( ) ;
75+
76+ app . use ( function ( req , res ) {
77+ res . end ( String ( req . hostname ) ) ;
78+ } ) ;
79+
80+ request ( app )
81+ . post ( '/' )
82+ . set ( 'Host' , 'example.com:notaport' )
83+ . expect ( 'undefined' , done ) ;
84+ } )
85+
86+ it ( 'should return undefined for an IPv6 Host with a non-numeric port' , function ( done ) {
87+ var app = express ( ) ;
88+
89+ app . use ( function ( req , res ) {
90+ res . end ( String ( req . hostname ) ) ;
91+ } ) ;
92+
93+ request ( app )
94+ . post ( '/' )
95+ . set ( 'Host' , '[::1]:notaport' )
96+ . expect ( 'undefined' , done ) ;
97+ } )
98+
99+ describe ( 'with a Host header containing userinfo' , function ( ) {
100+ it ( 'should return the real host, not the userinfo prefix' , function ( done ) {
101+ var app = express ( ) ;
102+
103+ app . use ( function ( req , res ) {
104+ res . end ( req . hostname ) ;
105+ } ) ;
106+
107+ request ( app )
108+ . post ( '/' )
109+ . set ( 'Host' , 'evil.com:fake@legitimate.com:3000' )
110+ . expect ( 'legitimate.com' , done ) ;
111+ } )
112+
113+ it ( 'should ignore a userinfo section before the host' , function ( done ) {
114+ var app = express ( ) ;
115+
116+ app . use ( function ( req , res ) {
117+ res . end ( req . hostname ) ;
118+ } ) ;
119+
120+ request ( app )
121+ . post ( '/' )
122+ . set ( 'Host' , 'user@example.com' )
123+ . expect ( 'example.com' , done ) ;
124+ } )
125+
126+ it ( 'should strip the port after removing userinfo' , function ( done ) {
127+ var app = express ( ) ;
128+
129+ app . use ( function ( req , res ) {
130+ res . end ( req . hostname ) ;
131+ } ) ;
132+
133+ request ( app )
134+ . post ( '/' )
135+ . set ( 'Host' , 'user:pass@example.com:8080' )
136+ . expect ( 'example.com' , done ) ;
137+ } )
138+
139+ it ( 'should remove userinfo from an IPv6 Host' , function ( done ) {
140+ var app = express ( ) ;
141+
142+ app . use ( function ( req , res ) {
143+ res . end ( req . hostname ) ;
144+ } ) ;
145+
146+ request ( app )
147+ . post ( '/' )
148+ . set ( 'Host' , 'user@[::1]:8080' )
149+ . expect ( '[::1]' , done ) ;
150+ } )
151+
152+ it ( 'should use the host after the last "@" when several are present' , function ( done ) {
153+ var app = express ( ) ;
154+
155+ app . use ( function ( req , res ) {
156+ res . end ( req . hostname ) ;
157+ } ) ;
158+
159+ request ( app )
160+ . post ( '/' )
161+ . set ( 'Host' , 'a@b@example.com' )
162+ . expect ( 'example.com' , done ) ;
163+ } )
164+
165+ it ( 'should return undefined for an encoded userinfo separator' , function ( done ) {
166+ var app = express ( ) ;
167+
168+ app . use ( function ( req , res ) {
169+ res . end ( String ( req . hostname ) ) ;
170+ } ) ;
171+
172+ request ( app )
173+ . post ( '/' )
174+ . set ( 'Host' , 'evil.com:x%40legitimate.com' )
175+ . expect ( 'undefined' , done ) ;
176+ } )
177+
178+ it ( 'should return undefined when there is no host after the userinfo' , function ( done ) {
179+ var app = express ( ) ;
180+
181+ app . use ( function ( req , res ) {
182+ res . end ( String ( req . hostname ) ) ;
183+ } ) ;
184+
185+ request ( app )
186+ . post ( '/' )
187+ . set ( 'Host' , 'user@' )
188+ . expect ( 'undefined' , done ) ;
189+ } )
190+ } )
191+
73192 describe ( 'when "trust proxy" is enabled' , function ( ) {
74193 it ( 'should respect X-Forwarded-Host' , function ( done ) {
75194 var app = express ( ) ;
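Review bot: The test at line 165 ("should return undefined for an encoded userinfo separator") does not isolate what its name says it tests: the Host value `'evil.com:x%40legitimate.com'` also carries a non-numeric port, so the `'undefined'` result is already fully explained by the non-numeric-port case at line 73 and would pass even if `%40` were decoded before the split. A value without a colon, such as `'evil.com%40legitimate.com'`, would pin the encoded-separator behaviour on its own; I cannot tell from this hunk what the implementation returns for it, so the expectation has to be taken from the hostname parser rather than guessed here. Consider also a short comment above that case, `// '%40' must not be treated as a userinfo separator`, so a later reader does not assume the port is the thing under test.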
@@ -87,6 +206,22 @@ describe('req', function(){
87206 . expect ( 'example.com' , done ) ;
88207 } )
89208
209+ it ( 'should drop userinfo from a trusted X-Forwarded-Host' , function ( done ) {
210+ var app = express ( ) ;
211+
212+ app . enable ( 'trust proxy' ) ;
213+
214+ app . use ( function ( req , res ) {
215+ res . end ( req . hostname ) ;
216+ } ) ;
217+
218+ request ( app )
219+ . get ( '/' )
220+ . set ( 'Host' , 'localhost' )
221+ . set ( 'X-Forwarded-Host' , 'evil.com:fake@legitimate.com' )
222+ . expect ( 'legitimate.com' , done ) ;
223+ } )
224+
90225 it ( 'should ignore X-Forwarded-Host if socket addr not trusted' , function ( done ) {
91226 var app = express ( ) ;
92227