import { RequestError } from './error'
/**
 * Reports whether a UTF-16 code unit is one of the characters that end a path
 * segment in a request target: `/`, `?` or `#`.
 */
const isPathDelimiter = (charCode: number): boolean => {
  switch (charCode) {
    case 0x2f: // '/'
    case 0x3f: // '?'
    case 0x23: // '#'
      return true
    default:
      return false
  }
}
/**
 * Reports whether the character at `dotIndex` starts a `.` or `..` path segment.
 *
 * `/.` and `/..` are normalized by `new URL()`, so a request target containing
 * them is not yet in normalized form. The `%2e` variants are not handled here;
 * they are caught by `%` detection in the caller.
 *
 * The function does not check that `url[dotIndex]` is a dot; the caller is
 * expected to pass the index of one.
 *
 * @param url - String being scanned.
 * @param dotIndex - Index of the `.` under inspection.
 * @returns `true` when the dot is preceded by `/` (or sits at index 0) and the
 *   segment it opens is exactly `.` or `..`.
 */
const hasDotSegment = (url: string, dotIndex: number): boolean => {
  // A dot only opens a dot-segment directly after '/'; index 0 is treated as if a '/' came before it.
  if (dotIndex !== 0 && url.charCodeAt(dotIndex - 1) !== 0x2f) {
    return false
  }

  // A segment ends at the end of the string or at '/', '?' or '#'.
  const segmentEndsAt = (index: number): boolean =>
    index === url.length || isPathDelimiter(url.charCodeAt(index))

  const afterDot = dotIndex + 1
  if (segmentEndsAt(afterDot)) {
    // single-dot segment
    return true
  }

  // Otherwise only a second '.' followed by a segment end qualifies (double-dot segment).
  return url.charCodeAt(afterDot) === 0x2e && segmentEndsAt(afterDot + 1)
}
// Lookup table indexed by ASCII code: 1 marks a character that may appear in a
// request target without forcing normalization through `new URL()`.
// '%' is not in the table, so percent-encoded input is never treated as already normalized.
const allowedRequestUrlChar = new Uint8Array(128)
allowedRequestUrlChar.fill(1, 0x30, 0x3a) // 0-9
allowedRequestUrlChar.fill(1, 0x41, 0x5b) // A-Z
allowedRequestUrlChar.fill(1, 0x61, 0x7b) // a-z
// eslint-disable-next-line quotes
for (const ch of "-./:?#[]@!$&'()*+,;=~_") {
  allowedRequestUrlChar[ch.charCodeAt(0)] = 1
}
// Lookup table indexed by ASCII code: 1 marks a character that may appear in a
// Host header value without forcing validation through `new URL()`.
// Upper-case letters are left out, so a mixed-case host is sent through
// `new URL()`, which lower-cases it.
const safeHostChar = new Uint8Array(128)
safeHostChar.fill(1, 0x30, 0x3a) // 0-9
safeHostChar.fill(1, 0x61, 0x7b) // a-z
for (const ch of '.-_:') {
  safeHostChar[ch.charCodeAt(0)] = 1
}
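/**
 * Builds the absolute request URL from the scheme, the `Host` header value and
 * the request target.
 *
 * `host` and `incomingUrl` are client-controlled. The function first tries to
 * prove with table lookups that the concatenation is already in normalized
 * form and can be returned as is; anything it cannot prove is parsed with
 * `new URL()`.
 *
 * @param scheme - URL scheme placed before `://`.
 * @param host - Value of the `Host` header, optionally followed by `:port`.
 * @param incomingUrl - Request target; an empty string is treated as `/`.
 * @returns The absolute URL: the plain concatenation on the fast path,
 *   otherwise the `href` produced by `new URL()`.
 * @throws RequestError `Invalid host header` when the hostname parsed by
 *   `new URL()` is not the one named in `host`; `Invalid URL` when a non-empty
 *   request target does not start with `/`. `new URL()` throws its own
 *   `TypeError` for input it cannot parse; that error is not converted here.
 */
export const buildUrl = (scheme: string, host: string, incomingUrl: string) => {
  const url = `${scheme}://${host}${incomingUrl}`

  // Scan the Host header. Any character outside `safeHostChar`, or a port that
  // is not a plain 1000-59999 number, means the value must be checked by `new URL()`.
  let needsHostValidationByURL = false
  for (let i = 0, len = host.length; i < len; i++) {
    const c = host.charCodeAt(i)
    if (c > 0x7f || safeHostChar[c] === 0) {
      needsHostValidationByURL = true
      break
    }
    if (c === 0x3a) {
      // ':' - everything after it must be the port
      i++
      const firstDigit = host.charCodeAt(i)
      // if the number starts with 1-9 and ranges from 1000-59999, then there is no need for normalization, so proceed
      if (
        firstDigit < 0x31 ||
        firstDigit > 0x39 ||
        i + 4 > len || // fewer than 4 digits left
        i + (firstDigit < 0x36 ? 5 : 4) < len // more than 5 digits (or more than 4 when the first digit is 6-9)
      ) {
        needsHostValidationByURL = true
        break
      }
      for (; i < len; i++) {
        const c = host.charCodeAt(i)
        if (c < 0x30 || c > 0x39) {
          needsHostValidationByURL = true
          break
        }
      }
      // the rest of the header was consumed as the port; the flag is set if a non-digit was found
    }
  }

  if (needsHostValidationByURL) {
    // Apply the same origin-form requirement as the fast path below. Without
    // it, a request target that does not start with '/' is appended directly
    // to the authority and can change what `new URL()` parses as host or port.
    if (incomingUrl.length !== 0 && incomingUrl.charCodeAt(0) !== 0x2f) {
      throw new RequestError('Invalid URL')
    }

    const urlObj = new URL(url)

    // The host header sometimes contains a port; strip it before comparing.
    const expectedHostname = (
      host.includes(':') ? host.replace(/:\d+$/, '') : host
    ).toLowerCase()

    // Compare the hostname itself. An equal length is not evidence of an equal
    // value: a header carrying userinfo or a non-ASCII label can parse to a
    // different hostname that happens to be as long as the header. Hostnames
    // that `new URL()` rewrites beyond ASCII lower-casing are rejected as well.
    if (urlObj.hostname !== expectedHostname) {
      throw new RequestError('Invalid host header')
    }

    return urlObj.href
  } else if (incomingUrl.length === 0) {
    return url + '/'
  } else {
    if (incomingUrl.charCodeAt(0) !== 0x2f) {
      // '/'
      throw new RequestError('Invalid URL')
    }

    // The host is known to be safe here. Return the concatenation untouched
    // unless the path contains something `new URL()` would rewrite: a non-ASCII
    // character, a character outside `allowedRequestUrlChar` (which includes
    // '%'), or a `.` / `..` segment.
    for (let i = 1, len = incomingUrl.length; i < len; i++) {
      const c = incomingUrl.charCodeAt(i)
      if (
        c > 0x7f ||
        allowedRequestUrlChar[c] === 0 ||
        (c === 0x2e && hasDotSegment(incomingUrl, i))
      ) {
        return new URL(url).href
      }
    }

    return url
  }
}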