fix(parseURL, hasProtocol, isScriptProtocol): ignore leading whitespaces

[danielroe]

🔗 Linked issue

❓ Type of change

• 📖 Documentation (updates to the documentation, readme, or JSdoc annotations)
• 🐞 Bug fix (a non-breaking change that fixes an issue)
• 👌 Enhancement (improving an existing functionality like performance)
• ✨ New feature (a non-breaking change that adds functionality)
• 🧹 Chore (updates to the build process or auxiliary tools and libraries)
• ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

A couple of linked fixes with parsing protocols in URLs: https://url.spec.whatwg.org/#scheme-state

Thanks to @OhB00.

📝 Checklist

• I have linked an issue or discussion.
• I have updated the documentation accordingly.

[codecov]

Codecov Report

Merging #170 (2e93dfb) into main (e600fc0) will increase coverage by 0.00%.
The diff coverage is 100.00%.

❗ Current head 2e93dfb differs from pull request most recent head 6b58388. Consider uploading reports for the commit 6b58388 to get more accurate results

@@           Coverage Diff           @@
##             main     #170   +/-   ##
=======================================
  Coverage   94.91%   94.92%           
=======================================
  Files           7        7           
  Lines         846      847    +1     
  Branches      177      177           
=======================================
+ Hits          803      804    +1     
  Misses         43       43           

Files Changed	Coverage Δ
src/parse.ts	100.00% <100.00%> (ø)
src/utils.ts	99.13% <100.00%> (ø)

[pi0]

Thanks for the PR @danielroe ❤️ I have pushed a few more fixes to always normalize/remove/ignore leading whitespaces as per spec and additional tests.

I am still worried about hasProcol and isScriptProtocol utils (silently) saying a bad input having protocol with a leading space. A better solution could be throwing an explicit error but since all our utils don't have an error let's see if it causes any further security issues. (i can't tell because we have currently no report scenarios)

---

Also thanks for reporting security issues as always @OhB00 ❤️ Please mention if you see any more possible issues with leading whitespace handling Also please consider reporting issues according to security policy (or discord!) so that we can have a chance to internally properly discuss possible actions before public disclosure.

[OhB00]

Thanks for the PR @danielroe ❤️ I have pushed a few more fixes to always normalize/remove/ignore leading whitespaces as per spec and additional tests.

I am still worried about hasProcol and isScriptProtocol utils (silently) saying a bad input having protocol with a leading space. A better solution could be throwing an explicit error but since all our utils don't have an error let's see if it causes any further security issues. (i can't tell because we have currently no report scenarios)

---

Also thanks for reporting security issues as always @OhB00 ❤️ Please mention if you see any more possible issues with leading whitespace handling Also please consider reporting issues according to security policy (or discord!) so that we can have a chance to internally properly discuss possible actions before public disclosure.

Apologies for not disclosing on Huntr, I did not originally view this as a security issue