Reject non-IPv4 hostnames that end in numbers.

nodejs · Jun 3, 2022 · 83b70c6 · 83b70c6
1 parent 5b6f280
commit 83b70c6
Showing 1 changed file with 31 additions and 9 deletions.
diff --git a/src/node_url.cc b/src/node_url.cc
@@ -3,6 +3,7 @@
 #include "node_errors.h"
 #include "node_external_reference.h"
 #include "node_i18n.h"
+#include "util.h"
 #include "util-inl.h"
 
 #include <cmath>
@@ -58,7 +59,7 @@ class URLHost {
  public:
   ~URLHost();
 
-  void ParseIPv4Host(const char* input, size_t length, bool* is_ipv4);
+  void ParseIPv4Host(const char* input, size_t length);
   void ParseIPv6Host(const char* input, size_t length);
   void ParseOpaqueHost(const char* input, size_t length);
   void ParseHost(const char* input,
@@ -401,9 +402,33 @@ int64_t ParseNumber(const char* start, const char* end) {
   return strtoll(start, nullptr, R);
 }
 
-void URLHost::ParseIPv4Host(const char* input, size_t length, bool* is_ipv4) {
+bool EndsInANumber(std::string& str) {
+  std::vector<std::string> parts = SplitString(str, '.');
+  if (parts.size() == 0)
+    return false;
+
+  if (parts.back() == "") {
+    if (parts.size() == 1)
+      return false;
+    parts.pop_back();
+  }
+
+  const std::string& last_part = parts.back();
+
+  int64_t num = ParseNumber(last_part.c_str(), last_part.c_str() + last_part.size());
+  if (num >= 0)
+    return true;
+
+  if (last_part.find_first_not_of("0123456789") == std::string::npos) {
+    return true;
+  }
+
+  return false;
+}
+
+
+void URLHost::ParseIPv4Host(const char* input, size_t length) {
   CHECK_EQ(type_, HostType::H_FAILED);
-  *is_ipv4 = false;
   const char* pointer = input;
   const char* mark = input;
   const char* end = pointer + length;
@@ -436,7 +461,6 @@ void URLHost::ParseIPv4Host(const char* input, size_t length, bool* is_ipv4) {
     pointer++;
   }
   CHECK_GT(parts, 0);
-  *is_ipv4 = true;
 
   // If any but the last item in numbers is greater than 255, return failure.
   // If the last item in numbers is greater than or equal to
@@ -508,11 +532,9 @@ void URLHost::ParseHost(const char* input,
     }
   }
 
-  // Check to see if it's an IPv4 IP address
-  bool is_ipv4;
-  ParseIPv4Host(decoded.c_str(), decoded.length(), &is_ipv4);
-  if (is_ipv4)
-    return;
+  if (EndsInANumber(decoded)) {
+    return ParseIPv4Host(decoded.c_str(), decoded.length());
+  }
 
   // If the unicode flag is set, run the result through punycode ToUnicode
   if (unicode && !ToUnicode(decoded, &decoded))