From 8bb3ca86d849267a2e22755d2fa3d0b338dc6a3c Mon Sep 17 00:00:00 2001
From: "Masahiro Miyashiro (3846masa)" <3846masahiro@gmail.com>
Date: Sun, 23 Dec 2018 00:01:14 +0900
Subject: [PATCH] fix: regression in `checkHost` for checking Origin header (#1606)

---
 lib/Server.js | 7 ++++++-
 test/Validation.test.js | 13 +++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/Server.js b/lib/Server.js
index e1b2034acd..90494c99b1 100644
--- a/lib/Server.js
+++ b/lib/Server.js
@@ -646,7 +646,12 @@ Server.prototype.checkHost = function (headers, headerToCheck) {
 }
 // use the node url-parser to retrieve the hostname from the host-header.
- const hostname = url.parse(`//${hostHeader}`, false, true).hostname;
+ const hostname = url.parse(
+ // if hostHeader doesn't have scheme, add // for parsing.
+ /^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
+ false,
+ true,
+ ).hostname;
 // always allow requests with explicit IPv4 or IPv6-address.
 // A note on IPv6 addresses:
 // hostHeader will always contain the brackets denoting
diff --git a/test/Validation.test.js b/test/Validation.test.js
index 12c54d7e83..8dc0f98cb6 100644
--- a/test/Validation.test.js
+++ b/test/Validation.test.js
@@ -171,6 +171,19 @@ describe('Validation', () => {
 }
 });
+ it('should allow urls with scheme for checking origin', () => {
+ const options = {
+ public: 'test.host:80'
+ };
+ const headers = {
+ origin: 'https://test.host'
+ };
+ const server = new Server(compiler, options);
+ if (!server.checkHost(headers, 'origin')) {
+ throw new Error("Validation didn't fail");
+ }
+ });
+
 describe('allowedHosts', () => {
 it('should allow hosts in allowedHosts', () => {
 const tests = [
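Review bot: The scheme test `/^(.+:)?\/\//` in the new `url.parse(...)` call accepts any characters before the colon (`.+` also matches `/`, `@` and spaces), which is broader than the scheme grammar `url.parse` itself recognises, so the two can disagree about whether a header value carries a scheme. A pattern that mirrors the parser's own rule, `/^([a-z][a-z0-9+.-]*:)?\/\//i.test(hostHeader)`, keeps that decision in one place. From how the legacy parser treats a prefix that is not a valid scheme, a mismatch most likely yields a null hostname and therefore a rejection rather than an accepted host, but a host check should not require the reader to reason that through. The inline comment could also say why the branch exists: `// Origin carries a scheme (https://host); Host does not, so prefix // so url.parse reads the value as host[:port].` The body of `checkHost` begins and ends outside this hunk.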
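Review bot: The failure message in the new test is inverted — the `it` title says urls with a scheme should be allowed, yet the branch taken when `checkHost` returns false throws `"Validation didn't fail"`, which will mislead whoever reads a red build; `throw new Error('Validation failed for origin with scheme');` matches what is being asserted. Because the change passes a scheme-bearing value straight to `url.parse`, a companion case checking that `origin: 'https://evil.host'` is still rejected under the same `public: 'test.host:80'` would pin the fix from the other side. The enclosing `describe('Validation')` block starts and ends outside this hunk.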