url: process crash via malformed UNC hostname in pathToFileURL() #62574

Open
NickNaso wants to merge 3 commits into nodejs:main from NickNaso:issues-62546

@NickNaso (Member) commented Apr 3, 2026

This PR adds the check to verify the hostname is valid and, if not, throws ERR_INVALID_URL instead of crashing the process with CHECK(out->set_hostname(hostname.ToStringView()));.

Fixes: #62546

@nodejs-github-bot (Collaborator)

Review requested:

  • @nodejs/url

@nodejs-github-bot added labels Apr 3, 2026:

  • c++: Issues and PRs that require attention from people who are familiar with C++.
  • needs-ci: PRs that need a full CI run.
  • whatwg-url: Issues and PRs related to the WHATWG URL implementation.

codecov bot commented Apr 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.79%. Comparing base (5ff1eab) to head (3376145).
⚠️ Report is 41 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #62574      +/-   ##
==========================================
+ Coverage   89.69%   89.79%   +0.10%     
==========================================
  Files         695      697       +2     
  Lines      214417   215776    +1359     
  Branches    41059    41301     +242     
==========================================
+ Hits       192321   193760    +1439     
+ Misses      14156    14115      -41     
+ Partials     7940     7901      -39     
Files with missing lines Coverage Δ
src/node_url.cc 78.74% <100.00%> (+0.17%) ⬆️

... and 53 files with indirect coverage changes

src/node_url.cc Outdated
CHECK(args[0]->IsString()); // href
CHECK(args[1]->IsNumber()); // action type
CHECK(args[2]->IsString()); // new value
CHECK(args[0]->IsString()); // href
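
Review bot: the last line of this hunk, CHECK(args[0]->IsString()); // href, is textually identical to its first line, so the change in this region can only be whitespace and is unrelated to the hostname validation the PR describes. Revert it so the diff carries only the set_hostname check and the ERR_INVALID_URL path, which also keeps the fix easier to audit and backport.
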
Contributor

can you clean up whitespaces from the diff?

@Renegade334 (Member) left a comment

LGTM but please revert the unrelated whitespace changes.

Development

Successfully merging this pull request may close these issues.

Assertion DoS in node:url via malformed UNC hostname in pathToFileURL() leads to process crash