Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Do not pass scp-style URLs to the WhatWG url.URL #62

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 19 additions & 4 deletions index.js
Original file line number Diff line number Diff line change
Expand Up @@ -108,10 +108,25 @@ function parseGitUrl (giturl) {
var matched = giturl.match(/^([^@]+)@([^:/]+):[/]?((?:[^/]+[/])?[^/]+?)(?:[.]git)?(#.*)?$/)
if (!matched) {
var legacy = url.parse(giturl)
if (legacy.auth) {
var whatwg = new url.URL(giturl)
legacy.auth = whatwg.username || ''
if (whatwg.password) legacy.auth += ':' + whatwg.password
// If we don't have url.URL, then sorry, this is just not fixable.
// This affects Node <= 6.12.
if (legacy.auth && typeof url.URL === 'function') {
// git urls can be in the form of scp-style/ssh-connect strings, like
// git+ssh://user@host.com:some/path, which the legacy url parser
// supports, but WhatWG url.URL class does not. However, the legacy
// parser de-urlencodes the username and password, so something like
// https://user%3An%40me:p%40ss%3Aword@x.com/ becomes
// https://user:n@me:p@ss:word@x.com/ which is all kinds of wrong.
// Pull off just the auth and host, so we dont' get the confusing
// scp-style URL, then pass that to the WhatWG parser to get the
// auth properly escaped.
const authmatch = giturl.match(/[^@]+@[^:/]+/)
/* istanbul ignore else - this should be impossible */
if (authmatch) {
var whatwg = new url.URL(authmatch[0])
legacy.auth = whatwg.username || ''
if (whatwg.password) legacy.auth += ':' + whatwg.password
}
}
return legacy
}
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
"scripts": {
"prerelease": "npm t",
"postrelease": "npm publish --tag=ancient-legacy-fixes && git push --follow-tags",
"pretest": "standard",
"posttest": "standard",
"release": "standard-version -s",
"test:coverage": "tap --coverage-report=html -J --100 --no-esm test/*.js",
"test": "tap -J --100 --no-esm test/*.js"
Expand Down
6 changes: 6 additions & 0 deletions test/auth.js
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,9 @@ tap.equal(parsedUrl.hostname, 'github.com')
// For full backwards-compatibility; support auth where only username or only password is provided
tap.equal(HostedGitInfo.fromUrl('https://user%3An%40me@github.com/npm/hosted-git-info.git').auth, 'user%3An%40me')
tap.equal(HostedGitInfo.fromUrl('https://:p%40ss%3Aword@github.com/npm/hosted-git-info.git').auth, ':p%40ss%3Aword')

// don't try to url.URL parse it if url.URL is not available
// ie, node <6.13. This is broken, but at least it doesn't throw.
url.URL = null
var parsedInfo = HostedGitInfo.fromUrl('https://user%3An%40me:p%40ss%3Aword@github.com/npm/xyz.git')
tap.equal(parsedInfo.auth, 'user:n@me:p@ss:word')
2 changes: 2 additions & 0 deletions test/basic.js
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ test('basic', function (t) {
t.is(HostedGit.fromUrl('github.com/abc/def/'), undefined, 'forgot the protocol')
t.is(HostedGit.fromUrl('completely-invalid'), undefined, 'not a url is not hosted')

t.is(HostedGit.fromUrl('git+ssh://git@git.unlucky.com:RND/electron-tools/some-tool#2.0.1'), undefined, 'properly ignores non-hosted scp style urls')

t.is(HostedGit.fromUrl('http://github.com/foo/bar').toString(), 'git+ssh://git@github.com/foo/bar.git', 'github http protocol use git+ssh urls')
t.end()
})