fix: decodes url.username and url.password for authorization header

This change properly decodes the url.username and url.password for the authorization header constructed from the URL object for http(s) requests. Fixes: nodejs#31439
lewgordon · Jul 8, 2021 · 5744688 · 5744688
1 parent c6d9d8a
commit 5744688
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 1 deletion.
diff --git a/doc/api/http.md b/doc/api/http.md
@@ -2803,6 +2803,10 @@ This can be overridden for servers and client requests by passing the
 <!-- YAML
 added: v0.3.6
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/39310
+    description: When using a `URL` object parsed username and
+                 password will now be properly URI decoded.
   - version:
       - v15.3.0
       - v14.17.0

diff --git a/doc/api/https.md b/doc/api/https.md
@@ -251,6 +251,10 @@ Global instance of [`https.Agent`][] for all HTTPS client requests.
 <!-- YAML
 added: v0.3.6
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/39310
+    description: When using a `URL` object parsed username
+                 and password will now be properly URI decoded.
   - version:
     - v14.1.0
     - v13.14.0

diff --git a/lib/internal/url.js b/lib/internal/url.js
@@ -1303,7 +1303,7 @@ function urlToHttpOptions(url) {
     options.port = Number(url.port);
   }
   if (url.username || url.password) {
-    options.auth = `${url.username}:${url.password}`;
+    options.auth = `${decodeURIComponent(url.username)}:${decodeURIComponent(url.password)}`;
   }
   return options;
 }

diff --git a/test/parallel/test-http-decoded-auth.js b/test/parallel/test-http-decoded-auth.js
@@ -0,0 +1,33 @@
+'use strict';
+require('../common');
+const assert = require('assert');
+const http = require('http');
+
+const testCases = [
+    {username: 'test@test"', password: '123456^', expected: 'dGVzdEB0ZXN0IjoxMjM0NTZe'},
+    {username: 'test%40test', password: '123456', expected: 'dGVzdEB0ZXN0OjEyMzQ1Ng=='},
+    {username: 'not%3Agood', password: 'god', expected: 'bm90Omdvb2Q6Z29k'},
+    {username: 'not%22good', password: 'g%5Eod', expected: 'bm90Imdvb2Q6Z15vZA=='},
+    {username: 'test1234::::', password: 'mypass', expected: 'dGVzdDEyMzQ6Ojo6Om15cGFzcw=='}
+]
+
+for (const testCase of testCases) {
+    function check(request) {
+        // The correct authorization header is be passed
+        assert.strictEqual(request.headers.authorization, `Basic ${testCase.expected}`);
+    }
+
+    const server = http.createServer(function(request, response) {
+        // Run the check function
+        check(request);
+        response.writeHead(200, {});
+        response.end('ok');
+        server.close();
+    });
+
+    server.listen(0, function() {
+        // make the request
+        const url = new URL(`http://${testCase.username}:${testCase.password}@localhost:${this.address().port}`);
+        http.request(url).end();
+    });
+}