doc: correct unsafe URL example in http docs

Co-authored-by: @astlouisf
Co-authored-by: @samhh

The previous documentation example for converting request.url to a URL object was unsafe, as it could allow a server crash through malformed URL inputs and potentially enable host header attacks.

This commit revises the example to use string concatenation over the usage of the baseUrl and removes the usage of the req.headers.host as the authority part of the URL, mitigating both the crash and security risks by ensuring the host part of the URL remains controlled and predictable.

Fixes #52494 (closed) Successor of #52536
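
The two patterns the commit message contrasts, as an added example that is not code from this commit or from the Node.js documentation. `FIXED_ORIGIN`, the function names and the request objects are constructed for illustration; only `req.url` and `req.headers.host` come from the text above.

```javascript
// Added example. FIXED_ORIGIN and the function names are assumptions.
const FIXED_ORIGIN = 'http://localhost'; // assumed operator-configured origin

// Pattern the commit message calls unsafe: resolve request.url against a
// base built from the client-supplied Host header.
function parseWithHostHeaderBase(req) {
  return new URL(req.url, `http://${req.headers.host}`);
}

// Pattern the commit message describes as the fix: concatenate the request
// target onto a fixed origin so the authority never comes from the client.
function parseWithFixedOrigin(req) {
  return new URL(`${FIXED_ORIGIN}${req.url}`);
}

// Run a parser; report the parsed parts or the fact that it threw.
function tryParse(parser, req) {
  try {
    const u = parser(req);
    return { ok: true, host: u.host, pathname: u.pathname };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed request objects holding only the fields the parsers read.
const samples = [
  { url: '/status?x=1', headers: { host: 'localhost' } },
  { url: '//', headers: { host: 'localhost' } },
  { url: '//other.example/x', headers: { host: 'localhost' } },
  { url: '/status', headers: { host: 'other.example' } },
];

function compare() {
  return samples.map((req) => ({
    url: req.url,
    hostHeader: req.headers.host,
    hostHeaderBase: tryParse(parseWithHostHeaderBase, req),
    fixedOrigin: tryParse(parseWithFixedOrigin, req),
  }));
}

for (const row of compare()) console.log(JSON.stringify(row));
```

The `try`/`catch` in `tryParse` is part of this example rather than of the revised documentation; it keeps a parse failure from propagating out of a request handler with either form.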
