Fix username:password@ validation in urls #2080
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR fixes username:password@ validation in URLs by changing how the userinfo component is parsed and adding validation to prevent malicious URL parsing attacks.
Key changes:
- Switch from first @ to last @ when parsing userinfo to handle @ symbols in passwords correctly
- Add userinfo validation to reject invalid characters and malformed constructs
- Add comprehensive test coverage for both valid and invalid userinfo scenarios
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uri.go | Updates parsing logic to use LastIndexByte and adds validUserinfo validation function |
| uri_test.go | Adds test cases for rejecting invalid userinfo and allowing @ symbols in passwords |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Comment on lines
+362
to
+364
| func validUserinfo(userinfo []byte) bool { | ||
| for _, c := range userinfo { | ||
| switch { |
There was a problem hiding this comment.
The validUserinfo function lacks documentation. Add a comment explaining what characters are considered valid for userinfo according to the RFC specification and any security considerations.
Suggested change
| func validUserinfo(userinfo []byte) bool { | |
| for _, c := range userinfo { | |
| switch { | |
| // validUserinfo checks whether the provided userinfo byte slice contains only valid characters | |
| // as specified by RFC 3986 section 3.2.1. The userinfo component may contain unreserved characters | |
| // (A-Z, a-z, 0-9, '-', '.', '_', '~'), sub-delimiters ('!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '='), | |
| // as well as ':' and '@'. Percent-encoded characters ('%') are also allowed. | |
| // | |
| // Security considerations: Proper validation of userinfo is important to prevent injection attacks | |
| // or misinterpretation of URIs. This function ensures that only valid characters are accepted. | |
| func validUserinfo(userinfo []byte) bool { | |
| for _, c := range userinfo { |
Copilot uses AI. Check for mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.