passing a bare hostname for "url" causes client to connect to "localhost"
jclulow opened this issue · 1 comment
If consumers of the client pass a bare hostname for the url option to the client factory methods, the resulting client will unfortunately make requests to localhost.
This appears to be a result of lax checking of the output from the borderline byzantine url.parse() provided as part of the Node standard library. For example, if the value server.example.com is provided as url, the following is the parsed result:
{
"protocol": null,
"slashes": null,
"auth": null,
"host": null,
"port": null,
"hostname": null,
"hash": null,
"search": null,
"query": null,
"pathname": "server.example.com",
"path": "server.example.com",
"href": "server.example.com"
}
This is so wrong as to be actively dangerous. One need not think for a long time to imagine security issues that could result from convincing a poorly constructed application to make requests against itself.
I think we should probably check the value of protocol to make sure it is either "http:" or "https:". If not, we should likely throw.
+1, I too have been bitten by this. The resulting behavior is also not immediately obvious.