http: decodes url.username and url.password for authorization header

Lew Gordon · targos · commit 2bc301dcff7f · 2021-09-04T15:14:39.000+02:00
This change properly decodes the url.username and url.password for the authorization header constructed from the URL object for http(s) requests. Fixes: #31439 PR-URL: #39310 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/doc/api/http.md b/doc/api/http.md
@@ -2767,6 +2767,10 @@ This can be overridden for servers and client requests by passing the
 <!-- YAML
 added: v0.3.6
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/39310
+    description: When using a `URL` object parsed username and
+                 password will now be properly URI decoded.
   - version: v14.17.0
     pr-url: https://github.com/nodejs/node/pull/36048
     description: It is possible to abort a request with an AbortSignal.
diff --git a/doc/api/https.md b/doc/api/https.md
@@ -251,6 +251,10 @@ Global instance of [`https.Agent`][] for all HTTPS client requests.
 <!-- YAML
 added: v0.3.6
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/39310
+    description: When using a `URL` object parsed username
+                 and password will now be properly URI decoded.
   - version: v14.1.0
     pr-url: https://github.com/nodejs/node/pull/32786
     description: The `highWaterMark` option is accepted now.
diff --git a/lib/internal/url.js b/lib/internal/url.js
@@ -1303,7 +1303,7 @@ function urlToHttpOptions(url) {
     options.port = Number(url.port);
   }
   if (url.username || url.password) {
-    options.auth = `${url.username}:${url.password}`;
+    options.auth = `${decodeURIComponent(url.username)}:${decodeURIComponent(url.password)}`;
   }
   return options;
 }
diff --git a/test/parallel/test-http-decoded-auth.js b/test/parallel/test-http-decoded-auth.js
@@ -0,0 +1,48 @@
+'use strict';
+require('../common');
+const assert = require('assert');
+const http = require('http');
+
+const testCases = [
+  {
+    username: 'test@test"',
+    password: '123456^',
+    expected: 'dGVzdEB0ZXN0IjoxMjM0NTZe'
+  },
+  {
+    username: 'test%40test',
+    password: '123456',
+    expected: 'dGVzdEB0ZXN0OjEyMzQ1Ng=='
+  },
+  {
+    username: 'not%3Agood',
+    password: 'god',
+    expected: 'bm90Omdvb2Q6Z29k'
+  },
+  {
+    username: 'not%22good',
+    password: 'g%5Eod',
+    expected: 'bm90Imdvb2Q6Z15vZA=='
+  },
+  {
+    username: 'test1234::::',
+    password: 'mypass',
+    expected: 'dGVzdDEyMzQ6Ojo6Om15cGFzcw=='
+  },
+];
+
+for (const testCase of testCases) {
+  const server = http.createServer(function(request, response) {
+    // The correct authorization header is be passed
+    assert.strictEqual(request.headers.authorization, `Basic ${testCase.expected}`);
+    response.writeHead(200, {});
+    response.end('ok');
+    server.close();
+  });
+
+  server.listen(0, function() {
+    // make the request
+    const url = new URL(`http://${testCase.username}:${testCase.password}@localhost:${this.address().port}`);
+    http.request(url).end();
+  });
+}

Original file line number	Diff line number	Diff line change
`@@ -1303,7 +1303,7 @@ function urlToHttpOptions(url) {`
`1303`	`1303`	`options.port = Number(url.port);`
`1304`	`1304`	`}`
`1305`	`1305`	`if (url.username \|\| url.password) {`
`1306`		- options.auth = `${url.username}:${url.password}`;
	`1306`	+ options.auth = `${decodeURIComponent(url.username)}:${decodeURIComponent(url.password)}`;
`1307`	`1307`	`}`
`1308`	`1308`	`return options;`
`1309`	`1309`	`}`