Hardened isNotURL / isURL code in urlutil.js #6086
Conversation
Fixes #5911 (which was unintentionally introduced with #4546) Also fixes these cases (no issues created yet): - view-source/mail-to/etc were not checking from beginning of string - ensures input is string (preventing failing call to trim()) And adds missing tests for: - checking localhost toLowerCase() - checking basic auth formatted URI (with and without protocol) - is input a string - each type of special page - partial bad matches on special pages Also updates tests for isURL to ensure value is always negated version of isNotURL Auditors: @bbondy, @darkdh, @diracdeltas Since this code has a very large potential impact (everything from the URL bar calls this for example), please review and help make sure I covered everything safely :) Unit test: `npm run unittest -- --grep="urlutil" Webdriver test: `npm run uitest -- --grep="when following URLs"`
| // for cases: | ||
| // - starts with "?" or "." | ||
| // - contains "? " | ||
| // - ends with "." (and was not preceded by a /) |
There was a problem hiding this comment.
type 123/123. will be search string on other browsers
There was a problem hiding this comment.
fixed in cd71e0e and test is also covered. Mainly changing logic of end with period, which is
brave.com/123. will be url and brave/com/123. will not
| assert.equal(UrlUtil.isNotURL('brave.com/test/cc?_ri_=3vv-8-e.'), false) | ||
| }) | ||
| it('ends with period (input contains only a forward slash)', function () { | ||
| assert.equal(UrlUtil.isNotURL('brave/com/test/cc?_ri_=3vv-8-e.'), true) |
There was a problem hiding this comment.
Testing for an extra . might not be a good idea, because folks may use Brave to browse their intranet. It's not a best practice, but many folks will setup a host file entry and access hosts by computer name (instead of domain)
There was a problem hiding this comment.
actually- I think this behavior might be OK! I am almost positive you are correct about the other behavior (because it's happened to me so many times 😛 ) When prefixed with protocol, it validates just fine: cd88861
|
i'm not sure why we are using regexes and |
I didn't write this original code but really it's more about heuristics about if a user meant to type a url or not. For example For example |
|
The second example has host not filled in by the way |
| // for cases, pure string | ||
| const case3Reg = /[\?\.\/\s:]/ | ||
| // for cases, data:uri, view-source:uri and about | ||
| const case4Reg = /^data:|view-source:|mailto:|about:|chrome-extension:|magnet:.*/ | ||
| const case4Reg = /^(data|view-source|mailto|about|chrome-extension|magnet):.*/ |
|
@bbondy i figured, but i was hoping we could just do urlParse after normalizing the input; i will open a separate issue |
git rebase -ito squash commits (if needed).Fixes #5911
(which was unintentionally introduced with #4546)
Also fixes these cases (no issues created yet):
And adds missing tests for:
Also updates tests for isURL to ensure value is always negated version of isNotURL
Auditors
@bbondy, @darkdh, @diracdeltas
Since this code has a very large potential impact (everything from the URL bar calls this for example), please review and help make sure I covered everything safely :)
Unit test
npm run unittest -- --grep="urlutil"Webdriver test