.gitignore

@@ -1,6 +1,4 @@
 node_modules/
-.nyc_output/
 coverage/
 dist/
-npm-debug.log
 .tern-port

.npmrc

@@ -0,0 +1 @@
+package-lock=false

.travis.yml

@@ -1,23 +1,22 @@
-sudo: false
 language: node_js
 matrix:
   fast_finish: true
   include:
-    - node_js: "10"
+    - node_js: "14"
       env: SCRIPT=test
-    - node_js: "8"
+    - node_js: "12"
       env: SCRIPT=test
-    - node_js: "6"
+    - node_js: "10"
       env: SCRIPT=test
-    - node_js: "8"
+    - node_js: "12"
       env:
         - secure: IF01oyIKSs0C5dARdYRTilKnU1TG4zenjjEPClkQxAWIpUOxl9xcNJWDVEOPxJ/4pVt+pozyT80Rp7efh6ZiREJIQI1tUboBKSqZzSbnD5uViQNSbQ90PaDP0FIUc0IQ5o07W36rijBB0DTmtU1VofzN9PKkJO7XiSSXevI8RcM=
         - SAUCE_USERNAME=url-parse
         - SCRIPT=test-browser
 script:
   - "npm run ${SCRIPT}"
 after_script:
-  - 'if [ "${SCRIPT}" == "test" ]; then npm i coveralls@3 && cat coverage/lcov.info | coveralls; fi'
+  - 'if [ "${SCRIPT}" == "test" ]; then c8 report --reporter=text-lcov | coveralls; fi'
 notifications:
   irc:
     channels:

SECURITY.md

@@ -33,13 +33,22 @@ acknowledge your responsible disclosure, if you wish.
 
 ## History
 
+> Using backslash in the protocol is valid in the browser, while url-parse
+> thinks it’s a relative path. An application that validates a url using
+> url-parse might pass a malicious link.
+
+- **Reporter credits**
+  - CxSCA AppSec team at Checkmarx.
+  - Twitter: [Yaniv Nizry](https://twitter.com/ynizry)
+- Fixed in: 1.5.0
+
 > The `extractProtocol` method does not return the correct protocol when
 > provided with unsanitized content which could lead to false positives.
 
 - **Reporter credits**
   - Reported through our security email & Twitter interaction.
   - Twitter: [@ronperris](https://twitter.com/ronperris)
-  - Fixed in: 1.4.5
+- Fixed in: 1.4.5
 
 ---
 

index.js

@@ -2,8 +2,8 @@
 
 var required = require('requires-port')
   , qs = require('querystringify')
-  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
-  , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i
+  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:[\\/]+/
+  , protocolre = /^([a-z][a-z0-9.+-]*:)?([\\/]{1,})?([\S\s]*)/i
   , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
   , left = new RegExp('^'+ whitespace +'+');
 
@@ -115,12 +115,16 @@ function lolcation(loc) {
  */
 function extractProtocol(address) {
   address = trimLeft(address);
-  var match = protocolre.exec(address);
+
+  var match = protocolre.exec(address)
+    , protocol = match[1] ? match[1].toLowerCase() : ''
+    , slashes = !!(match[2] && match[2].length >= 2)
+    , rest =  match[2] && match[2].length === 1 ? '/' + match[3] : match[3];
 
   return {
-    protocol: match[1] ? match[1].toLowerCase() : '',
-    slashes: !!match[2],
-    rest: match[3]
+    protocol: protocol,
+    slashes: slashes,
+    rest: rest
   };
 }
 
@@ -280,6 +284,14 @@ function Url(address, location, parser) {
     url.pathname = resolve(url.pathname, location.pathname);
   }
 
+  //
+  // Default to a / for pathname if none exists. This normalizes the URL
+  // to always have a /
+  //
+  if (url.pathname.charAt(0) !== '/' && url.hostname) {
+    url.pathname = '/' + url.pathname;
+  }
+
   //
   // We should not add port numbers if they are already the default port number
   // for a given protocol. As the host also contains the port number we're going

package.json

@@ -1,12 +1,12 @@
 {
   "name": "url-parse",
-  "version": "1.4.7",
+  "version": "1.5.1",
   "description": "Small footprint URL parser that works seamlessly across Node.js and browser environments",
   "main": "index.js",
   "scripts": {
     "browserify": "rm -rf dist && mkdir -p dist && browserify index.js -s URLParse -o dist/url-parse.js",
     "minify": "uglifyjs dist/url-parse.js --source-map -cm -o dist/url-parse.min.js",
-    "test": "nyc --reporter=html --reporter=text mocha test/test.js",
+    "test": "c8 --reporter=html --reporter=text mocha test/test.js",
     "test-browser": "node test/browser.js",
     "prepublishOnly": "npm run browserify && npm run minify",
     "watch": "mocha --watch test/test.js"
@@ -39,8 +39,9 @@
   "devDependencies": {
     "assume": "^2.2.0",
     "browserify": "^16.2.3",
-    "mocha": "^6.1.4",
-    "nyc": "^14.0.0",
+    "c8": "^7.3.1",
+    "coveralls": "^3.1.0",
+    "mocha": "^8.0.1",
     "pre-commit": "^1.2.2",
     "sauce-browsers": "^2.0.0",
     "sauce-test": "^1.3.3",

test/browser.js

@@ -12,8 +12,8 @@ const platforms = sauceBrowsers([
   { name: 'firefox', version: ['oldest', 'latest'] },
   { name: 'internet explorer', version: 'oldest..latest' },
   { name: 'iphone', version: ['oldest', 'latest'] },
-  { name: 'safari', version: 'oldest..latest' },
-  { name: 'microsoftedge', version: 'oldest..latest' }
+  { name: 'safari', version: ['oldest', 'latest'] },
+  { name: 'microsoftedge', version: ['oldest', 'latest'] }
 ]).then((platforms) => {
   return platforms.map((platform) => {
     const ret = {

test/fuzzy.js

@@ -103,6 +103,8 @@ module.exports = function generate() {
     , key;
 
   spec.protocol = get('protocol');
+  spec.slashes = true;
+
   spec.hostname = get('hostname');
   spec.pathname = get('pathname');
 

test/test.js

@@ -83,6 +83,20 @@ describe('url-parse', function () {
       });
     });
 
+    it('correctly resolves paths', function () {
+      assume(parse.extractProtocol('/foo')).eql({
+        slashes: false,
+        protocol: '',
+        rest: '/foo'
+      });
+
+      assume(parse.extractProtocol('//foo/bar')).eql({
+        slashes: true,
+        protocol: '',
+        rest: 'foo/bar'
+      });
+    });
+
     it('does not truncate the input string', function () {
       var input = 'foo\nbar\rbaz\u2028qux\u2029';
 
@@ -190,9 +204,10 @@ describe('url-parse', function () {
       , parsed = parse(url);
 
     assume(parsed.port).equals('');
+    assume(parsed.pathname).equals('/');
     assume(parsed.host).equals('example.com');
     assume(parsed.hostname).equals('example.com');
-    assume(parsed.href).equals('http://example.com');
+    assume(parsed.href).equals('http://example.com/');
   });
 
   it('understands an / as pathname', function () {
@@ -208,6 +223,20 @@ describe('url-parse', function () {
     assume(parsed.href).equals('http://example.com/');
   });
 
+  it('correctly parses pathnames for relative paths', function () {
+    var url = '/dataApi/PROD/ws'
+     , parsed = parse(url, 'http://localhost:3000/PROD/trends');
+
+    assume(parsed.pathname).equals('/dataApi/PROD/ws');
+
+    url = '/sections/?project=default'
+    parsed = parse(url, 'http://example.com/foo/bar');
+
+    assume(parsed.pathname).equals('/sections/');
+    assume(parsed.hostname).equals('example.com');
+    assume(parsed.href).equals('http://example.com/sections/?project=default');
+  });
+
   it('does not care about spaces', function () {
     var url = 'http://x.com/path?that\'s#all, folks'
       , parsed = parse(url);
@@ -242,16 +271,30 @@ describe('url-parse', function () {
     assume(parsed.hostname).equals('google.com');
     assume(parsed.hash).equals('#what\\is going on');
 
-    parsed = parse('//\\what-is-up.com');
+    parsed = parse('http://yolo.com\\what-is-up.com');
     assume(parsed.pathname).equals('/what-is-up.com');
   });
 
   it('correctly ignores multiple slashes //', function () {
     var url = '////what-is-up.com'
+      , parsed = parse(url, parse('http://google.com'));
+
+    assume(parsed.host).equals('what-is-up.com');
+    assume(parsed.href).equals('http://what-is-up.com/');
+  });
+
+  it('does not see a slash after the protocol as path', function () {
+    var url = 'https:\\/github.com/foo/bar'
       , parsed = parse(url);
 
-    assume(parsed.host).equals('');
-    assume(parsed.hostname).equals('');
+    assume(parsed.host).equals('github.com');
+    assume(parsed.hostname).equals('github.com');
+    assume(parsed.pathname).equals('/foo/bar');
+
+    url = 'https:/\/\/\github.com/foo/bar';
+    assume(parsed.host).equals('github.com');
+    assume(parsed.hostname).equals('github.com');
+    assume(parsed.pathname).equals('/foo/bar');
   });
 
   describe('origin', function () {
@@ -327,32 +370,52 @@ describe('url-parse', function () {
     it('extracts the right protocol from a url', function () {
       var testData = [
         {
-          href: 'http://example.com',
+          href: 'http://example.com/',
           protocol: 'http:',
-          pathname: ''
+          pathname: '/',
+          slashes: true
+        },
+        {
+          href: 'ws://example.com/',
+          protocol: 'ws:',
+          pathname: '/',
+          slashes: true
+        },
+        {
+          href: 'wss://example.com/',
+          protocol: 'wss:',
+          pathname: '/',
+          slashes: true
         },
         {
           href: 'mailto:test@example.com',
           pathname: 'test@example.com',
-          protocol: 'mailto:'
+          protocol: 'mailto:',
+          slashes: false
         },
         {
           href: 'data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E',
           pathname: 'text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E',
-          protocol: 'data:'
+          protocol: 'data:',
+          slashes: false,
         },
         {
           href: 'sip:alice@atlanta.com',
           pathname: 'alice@atlanta.com',
-          protocol: 'sip:'
+          protocol: 'sip:',
+          slashes: false,
         }
       ];
 
-      var data;
+      var data, test;
       for (var i = 0, len = testData.length; i < len; ++i) {
-        data = parse(testData[i].href);
-        assume(data.protocol).equals(testData[i].protocol);
-        assume(data.pathname).equals(testData[i].pathname);
+        test = testData[i];
+        data = parse(test.href);
+
+        assume(data.protocol).equals(test.protocol);
+        assume(data.pathname).equals(test.pathname);
+        assume(data.slashes).equals(test.slashes);
+        assume(data.href).equals(test.href);
       }
     });
 
@@ -391,13 +454,14 @@ describe('url-parse', function () {
     });
 
     it('parses ipv6 with auth', function () {
-      var url = 'http://user:password@[3ffe:2a00:100:7031::1]:8080'
+      var url = 'http://user:password@[3ffe:2a00:100:7031::1]:8080/'
         , parsed = parse(url);
 
       assume(parsed.username).equals('user');
       assume(parsed.password).equals('password');
       assume(parsed.host).equals('[3ffe:2a00:100:7031::1]:8080');
       assume(parsed.hostname).equals('[3ffe:2a00:100:7031::1]');
+      assume(parsed.pathname).equals('/');
       assume(parsed.href).equals(url);
     });
 
@@ -467,7 +531,7 @@ describe('url-parse', function () {
 
       assume(data.port).equals('');
       assume(data.host).equals('localhost');
-      assume(data.href).equals('http://localhost');
+      assume(data.href).equals('http://localhost/');
     });
 
     it('inherits port numbers for relative urls', function () {
@@ -516,7 +580,8 @@ describe('url-parse', function () {
     });
 
     it('inherits protocol for relative protocols', function () {
-      var data = parse('//foo.com/foo', parse('http://sub.example.com:808/'));
+      var lolcation = parse('http://sub.example.com:808/')
+        , data = parse('//foo.com/foo', lolcation);
 
       assume(data.port).equals('');
       assume(data.host).equals('foo.com');
@@ -529,13 +594,13 @@ describe('url-parse', function () {
 
       assume(data.port).equals('');
       assume(data.host).equals('localhost');
-      assume(data.href).equals('http://localhost');
+      assume(data.href).equals('http://localhost/');
     });
 
     it('resolves pathname for relative urls', function () {
       var data, i = 0;
       var tests = [
-        ['', 'http://foo.com', ''],
+        ['', 'http://foo.com', '/'],
         ['', 'http://foo.com/', '/'],
         ['', 'http://foo.com/a', '/a'],
         ['a', 'http://foo.com', '/a'],
@@ -722,12 +787,12 @@ describe('url-parse', function () {
       data.set('hash', 'usage');
 
       assume(data.hash).equals('#usage');
-      assume(data.href).equals('http://example.com#usage');
+      assume(data.href).equals('http://example.com/#usage');
 
       data.set('hash', '#license');
 
       assume(data.hash).equals('#license');
-      assume(data.href).equals('http://example.com#license');
+      assume(data.href).equals('http://example.com/#license');
     });
 
     it('updates the port when updating host', function () {