
Incorrect validation #31

Closed
hueniverse opened this issue Jul 10, 2020 · 3 comments
Comments

@hueniverse
Contributor

hueniverse commented Jul 10, 2020

  • %-encoding is not actually verified to be correct in URIs
  • HTTP URIs are not restricted per URI spec (should only allow pathAbEmpty in hierPart)
  • The domain in URIs is not validated (allows `http://example.com%2F`)

Continued from hapijs/joi#2360

@hueniverse hueniverse added the bug Bug or defect label Jul 10, 2020
@kanongil
Contributor

Fully-qualified hostnames (that end with a `.`), e.g. `hapi.dev.`, are handled as invalid (DOMAIN_EMPTY_SEGMENT).

@Marsup
Collaborator

Marsup commented Oct 6, 2021

I think hapijs/joi#2685 also fits this issue. The punycode conversion decodes the %2e in this case.

@hueniverse hueniverse added this to the 4.1.3 milestone Dec 1, 2021
@hueniverse hueniverse self-assigned this Dec 1, 2021
@hueniverse
Contributor Author

Decided to be conservative:

  • allow fully qualified domains only with flag allowFullyQualified
  • prevent punycode from converting %-encoded values in domain
  • prevent HTTP URIs from having an empty domain

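The checks discussed in this thread, as an added example that is not @hapi/address code: the `%`-encoding check from the opening report, rejection of an empty HTTP authority, refusal of `%`-encoded bytes inside the domain (so `%2e`/`%2F` can never be decoded into `.`/`/` by a later punycode step), and trailing-dot hostnames gated behind an `allowFullyQualified` option. The function names and the option shape are assumptions; IP-literal hosts are deliberately out of scope.

```javascript
// Added example, not the library's own code. Names below are hypothetical.

// Every '%' must be followed by exactly two hex digits (RFC 3986 pct-encoded).
function hasValidPercentEncoding(s) {
  return /^(?:[^%]|%[0-9A-Fa-f]{2})*$/.test(s);
}

// Domain validation as the closing comment describes it:
//  - no %-encoding inside the host at all, so nothing can be decoded later;
//  - no empty labels ("example..com");
//  - a trailing dot only when allowFullyQualified is set.
function isValidDomain(domain, { allowFullyQualified = false } = {}) {
  if (domain.includes('%')) return false;              // "example.com%2F", "xn--%2e" rejected
  if (domain.endsWith('.')) {
    if (!allowFullyQualified) return false;             // "hapi.dev." rejected by default
    domain = domain.slice(0, -1);
  }
  const label = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;
  return domain.split('.').every((l) => label.test(l)); // '' fails -> empty segment rejected
}

// HTTP(S) URI check restricted to the "//authority path-abempty" hierPart form.
function isValidHttpUri(uri, options = {}) {
  if (!hasValidPercentEncoding(uri)) return false;
  // authority = everything up to the first "/", "?" or "#"; a literal "%2F" is NOT a "/".
  const m = /^https?:\/\/([^/?#]*)(\/[^?#]*)?(\?[^#]*)?(#.*)?$/.exec(uri);
  if (!m) return false;
  const host = m[1].replace(/^[^@]*@/, '').replace(/:\d*$/, ''); // strip userinfo, port
  if (host === '') return false;                        // empty domain rejected
  return isValidDomain(host, options);
}

console.log(isValidHttpUri('http://example.com%2F'));                            // false
console.log(isValidHttpUri('http://hapi.dev./'));                                // false
console.log(isValidHttpUri('http://hapi.dev./', { allowFullyQualified: true })); // true
```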