fix(fasturl, node): normalize pathname if necessary

Author: pi0

src/_url.ts

@@ -7,6 +7,12 @@ export type URLInit = {
   search: string;
 };
 
+// Matches paths that need native URL normalization:
+// - dot segments (. / .. / %2e variants)
+// - backslashes
+// - non-ASCII characters
+const _needsNormRE = /(?:(?:^|\/)(?:\.|\.\.|%2e|%2e\.|\.%2e|%2e%2e)(?:\/|$))|[\\^\x80-\uffff]/i;
+
 /**
  * URL wrapper with fast paths to access to the following props:
  *
@@ -38,6 +44,10 @@ export const FastURL: { new (url: string | URLInit): URL & { _url: URL } } =
       constructor(url: string | URLInit) {
         if (typeof url === "string") {
           this.#href = url;
+        } else if (_needsNormRE.test(url.pathname)) {
+          this.#url = new NativeURL(
+            `${url.protocol || "http:"}//${url.host || "localhost"}${url.pathname}${url.search || ""}`,
+          );
         } else {
           this.#protocol = url.protocol;
           this.#host = url.host;

test/_fixture.ts

@@ -257,6 +257,12 @@ export const fixture: (
             headers: inspect(req.headers),
           });
         }
+        case "/bar/baz": {
+          return Response.json({
+            pathname: url.pathname,
+            url: req.url,
+          });
+        }
       }
       return new _Response("404", { status: 404 });
     },

test/_tests.ts

@@ -1,12 +1,14 @@
 import { describe, expect, test } from "vitest";
 import http from "node:http";
+import http2 from "node:http2";
 
 export function addTests(opts: {
   url: (path: string) => string;
   runtime: string;
   fetch?: typeof globalThis.fetch;
   http2?: boolean;
   fastResponse?: boolean;
+  ca?: string;
 }): void {
   const { url, fetch: _fetch = globalThis.fetch } = opts;
 
@@ -283,6 +285,61 @@ export function addTests(opts: {
     expect(data.includes("x-foo"));
   });
 
+  test("normalize traversal in request path", async () => {
+    const _url = new URL(url("/"));
+
+    let body: string;
+    let statusCode: number | undefined;
+
+    if (opts.http2) {
+      const client = http2.connect(_url.origin, { ca: opts.ca });
+      try {
+        const req = client.request({ ":path": "/foo/../bar/baz", ":authority": "localhost" });
+        const res = await new Promise<{ headers: http2.IncomingHttpHeaders; body: string }>(
+          (resolve, reject) => {
+            let headers: http2.IncomingHttpHeaders;
+            const chunks: Uint8Array[] = [];
+            req.on("response", (h) => {
+              headers = h;
+            });
+            req.on("data", (chunk: Uint8Array) => chunks.push(chunk));
+            req.on("end", () =>
+              resolve({ headers: headers!, body: Buffer.concat(chunks).toString("utf8") }),
+            );
+            req.on("error", reject);
+          },
+        );
+        statusCode = res.headers[":status"] as number | undefined;
+        body = res.body;
+      } finally {
+        client.close();
+      }
+    } else {
+      const res = await new Promise<http.IncomingMessage>((resolve, reject) => {
+        const req = http.request({
+          method: "GET",
+          path: "/foo/../bar/baz",
+          hostname: "localhost",
+          port: _url.port,
+        });
+        req.end();
+        req.on("response", resolve);
+        req.on("error", reject);
+      });
+      statusCode = res.statusCode;
+      body = await new Promise<string>((resolve, reject) => {
+        const chunks: Uint8Array[] = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+        res.on("error", reject);
+      });
+    }
+
+    expect(statusCode).toBe(200);
+    const data = JSON.parse(body);
+    expect(data.pathname).toBe("/bar/baz");
+  });
+
   // TODO: Write test to make sure it is forbidden for http2/tls
   test.skipIf(opts.http2)("absolute path in request line", async () => {
     const _url = new URL(url("/"));

test/node.test.ts

@@ -71,6 +71,7 @@ for (const config of testConfigs) {
       http2: config.http2,
       fetch: client.fetch,
       fastResponse: config.fastResponse,
+      ca: tls.ca,
     });
   });
 }

test/url.test.ts

@@ -1,5 +1,6 @@
 import { describe, test, expect } from "vitest";
 import { FastURL } from "../src/_url.ts";
+import { NodeRequestURL } from "../src/adapters/_node/url.ts";
 
 const urlTests = await import("./wpt/url_tests.json", {
   with: { type: "json" },
@@ -123,4 +124,61 @@ describe("FastURL", () => {
       });
     }
   });
+
+  describe("pathname normalization", () => {
+    const cases = [
+      // Literal dot segments
+      ["/foo/../bar/baz", "/bar/baz"],
+      ["/foo/./bar", "/foo/bar"],
+      ["/a/b/../c/../d", "/a/d"],
+      ["/a/b/../../c", "/c"],
+      ["/../a", "/a"],
+      ["/a/..", "/"],
+      ["/a/.", "/a/"],
+      ["/a/b/../c?q=1", "/a/c"],
+      // Percent-encoded dot segments
+      ["/%2e/b", "/b"],
+      ["/%2E/b", "/b"],
+      ["/%2e%2e/b", "/b"],
+      ["/%2E%2E/b", "/b"],
+      ["/a/%2e%2e/b", "/b"],
+      ["/a/%2e./b", "/b"],
+      ["/a/.%2e/b", "/b"],
+      ["/a/.%2E/b", "/b"],
+      ["/a/%2E./b", "/b"],
+      ["/a/%2e", "/a/"],
+      ["/a/%2e%2e", "/"],
+      // Trailing encoded dot produces trailing slash
+      ["/a/b/%2e", "/a/b/"],
+      ["/a/b/%2e%2e", "/a/"],
+      // Mixed
+      ["/a/%2e/../b", "/b"],
+      ["/a/./%2e%2e/b", "/b"],
+      // Backslash normalization
+      ["/a\\b", "/a/b"],
+      ["/a\\b\\c", "/a/b/c"],
+      ["/a\\b/c", "/a/b/c"],
+      // Non-ASCII characters (percent-encoded by native URL)
+      ["/caf\u00e9", "/caf%C3%A9"],
+      ["/\u00fc\u00f6\u00e4", "/%C3%BC%C3%B6%C3%A4"],
+      // Not dot segments (should be untouched)
+      ["/a/b/c", "/a/b/c"],
+      ["/.hidden", "/.hidden"],
+      ["/a/.hidden/b", "/a/.hidden/b"],
+    ] as const;
+
+    for (const [input, expected] of cases) {
+      test(`native URL: "${input}" => "${expected}"`, () => {
+        const url = new URL(`http://localhost${input}`);
+        expect(url.pathname).toBe(expected);
+      });
+
+      test(`NodeRequestURL: "${input}" => "${expected}"`, () => {
+        const url = new NodeRequestURL({
+          req: { url: input, headers: { host: "localhost" } } as any,
+        });
+        expect(url.pathname).toBe(expected);
+      });
+    }
+  });
 });