restify/clients

passing a bare hostname for "url" causes client to connect to "localhost"

jclulow opened this issue · 1 comment

If consumers of the client pass a bare hostname for the url option to the client factory methods, the resulting client will unfortunately make requests to localhost.

This appears to be a result of lax checking of the output from the borderline byzantine url.parse() provided as part of the Node standard library. For example, if the value server.example.com is provided as url, the following is the parsed result:

{
    "protocol": null,
    "slashes": null,
    "auth": null,
    "host": null,
    "port": null,
    "hostname": null,
    "hash": null,
    "search": null,
    "query": null,
    "pathname": "server.example.com",
    "path": "server.example.com",
    "href": "server.example.com"
}

This is so wrong as to be actively dangerous. One need not think for a long time to imagine security issues that could result from convincing a poorly constructed application to make requests against itself.

I think we should probably check the value of protocol to make sure it is either "http:" or "https:". If not, we should likely throw.

+1, I too have been bitten by this. The resulting behavior is also not immediately obvious.
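The protocol check proposed in the issue, as an added example that is not part of the thread and not restify's own code. `laxTarget` and `strictTarget` are hypothetical names; the fallback defaults in `laxTarget` are an assumption used to show how a null `hostname` can end up as `localhost`.

```javascript
'use strict';
const url = require('url');

// Illustrative lax handling (an assumption, not restify's source): fields
// that url.parse() leaves null silently fall back to defaults.
function laxTarget(input) {
    const parsed = url.parse(input);
    return {
        host: parsed.hostname || 'localhost',
        port: parsed.port ? Number(parsed.port) : 80,
        path: parsed.pathname || '/'
    };
}

// Strict handling: throw unless the protocol is "http:" or "https:" and a
// hostname was actually parsed, so a bare hostname never reaches connect().
function strictTarget(input) {
    if (typeof input !== 'string' || input.length === 0) {
        throw new TypeError('url must be a non-empty string');
    }
    const parsed = url.parse(input);
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
        throw new TypeError('url must start with http:// or https://: "' + input + '"');
    }
    if (!parsed.hostname) {
        throw new TypeError('url has no hostname: "' + input + '"');
    }
    return {
        protocol: parsed.protocol,
        host: parsed.hostname,
        port: parsed.port ? Number(parsed.port)
            : (parsed.protocol === 'https:' ? 443 : 80),
        path: parsed.pathname || '/'
    };
}

// Constructed sample inputs: the bare hostname from the issue and a full URL.
for (const input of ['server.example.com', 'https://server.example.com:8443/api']) {
    console.log(input, '-> lax host:', laxTarget(input).host);
    try {
        console.log('  strict host:', strictTarget(input).host);
    } catch (e) {
        console.log('  strict: rejected (' + e.message + ')');
    }
}
```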