fix: use new URL instead of url.parse (#22)

eggjs · Nov 14, 2019 · 7990aa7 · 7990aa7
1 parent 7ae83b3
commit 7990aa7
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 4 deletions.
diff --git a/app.js b/app.js
@@ -1,6 +1,7 @@
 'use strict';
 
-const url = require('url');
+// there is no global.URL in node 8
+const URL = require('url').URL;
 
 module.exports = app => {
   // put before other core middlewares
@@ -12,8 +13,16 @@ module.exports = app => {
     const origin = ctx.get('origin');
     if (!origin) return '';
 
-    const parsedUrl = url.parse(origin);
-    if (!ctx.isSafeDomain || ctx.isSafeDomain(parsedUrl.hostname) || ctx.isSafeDomain(origin)) {
+    if (typeof ctx.isSafeDomain !== 'function') return origin;
+
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(origin);
+    } catch (err) {
+      return '';
+    }
+
+    if (ctx.isSafeDomain(parsedUrl.hostname) || ctx.isSafeDomain(origin)) {
       return origin;
     }
     return '';

diff --git a/appveyor.yml b/appveyor.yml
@@ -2,6 +2,7 @@ environment:
   matrix:
     - nodejs_version: '8'
     - nodejs_version: '10'
+    - nodejs_version: '12'
 
 install:
   - ps: Install-Product node $env:nodejs_version

diff --git a/package.json b/package.json
@@ -50,7 +50,7 @@
     "url": "https://github.com/eggjs/egg/issues"
   },
   "ci": {
-    "version": "8, 10"
+    "version": "8, 10, 12"
   },
   "author": "dead_horse"
 }
diff --git a/test/cors.test.js b/test/cors.test.js
@@ -108,4 +108,28 @@ describe('test/cors.test.js', () => {
       })
       .expect(200);
   });
+
+  it('should not set `Access-Control-Allow-Origin` when origin = http://eggjs.org!.evil.com', () => {
+    app.mockCsrf();
+    return request(app.callback())
+      .get('/')
+      .set('Origin', 'http://eggjs.org!.evil.com')
+      .expect(res => {
+        assert(!res.headers['access-control-allow-origin']);
+        assert(!res.headers['access-control-allow-credentials']);
+      })
+      .expect(200);
+  });
+
+  it('should not set `Access-Control-Allow-Origin` when origin = /foo', () => {
+    app.mockCsrf();
+    return request(app.callback())
+      .get('/')
+      .set('Origin', '/foo')
+      .expect(res => {
+        assert(!res.headers['access-control-allow-origin']);
+        assert(!res.headers['access-control-allow-credentials']);
+      })
+      .expect(200);
+  });
 });