decodeURIComponent after parsing URL for initial connection #1384

Closed
kwanhs opened this issue Sep 12, 2021 · 8 comments · Fixed by #2277
@kwanhs

kwanhs commented Sep 12, 2021

It appears the URL package is not decoding some special characters correctly. In my case, it was the @ sign used in the password.
Regardless of whether @ or %40 (its encoded counterpart) is used, the attributes obtained from parsed URL is still %40.

@sidorares
Owner

sidorares commented Sep 12, 2021

Which version are you using? I'd expect this issue would be fixed by #1360.

Can you double check the version you have is v2.3.0?

@kwanhs
Author

kwanhs commented Sep 12, 2021

Thanks for your quick response! From my package.json: "mysql2": "^2.3.0"

@sidorares
Owner

Can you clarify the "attributes obtained from parsed URL is still %40" part? Are you able to connect using a URL where the password is URL-encoded?

@kwanhs
Author

kwanhs commented Sep 12, 2021

It was the password that remained URL-encoded.

@sidorares
Owner

@acdibble should this line be `password: unescape(parsedUrl.password)` or something similar?

@acdibble
Contributor

We might have to pass both username and password to decodeURIComponent. However, if a password or username contains % and it is not properly escaped before building the URL, decodeURIComponent will throw an error, e.g.:

```
> password = 'pass!@$%^&*+()\\word:'
'pass!@$%^&*+()\\word:'
> conn = new URL(`test://user:${password}@www.example.com/path`)
URL {
  href: 'test://user:pass!%40$%%5E&*+()%5Cword%3A@www.example.com/path',
  origin: 'null',
  protocol: 'test:',
  username: 'user',
  password: 'pass!%40$%%5E&*+()%5Cword%3A',
  host: 'www.example.com',
  hostname: 'www.example.com',
  port: '',
  pathname: '/path',
  search: '',
  searchParams: URLSearchParams {},
  hash: ''
}
> decodeURIComponent(conn.password)
Uncaught URIError: URI malformed
    at decodeURIComponent (<anonymous>)
> conn = new URL(`test://user:${encodeURIComponent(password)}@www.example.com/path`)
URL {
  href: 'test://user:pass!%40%24%25%5E%26*%2B()%5Cword%3A@www.example.com/path',
  origin: 'null',
  protocol: 'test:',
  username: 'user',
  password: 'pass!%40%24%25%5E%26*%2B()%5Cword%3A',
  host: 'www.example.com',
  hostname: 'www.example.com',
  port: '',
  pathname: '/path',
  search: '',
  searchParams: URLSearchParams {},
  hash: ''
}
> decodeURIComponent(conn.password)
'pass!@$%^&*+()\\word:'
```

So possible errors would have to be handled here and properly reported to the users, or we could try/catch and use unescape or fall back to the raw password.

I can open a PR to fix it when we determine which solution we want to use.

@sidorares
Owner

Can we just use unescape straight away instead of having an initial try using decodeURIComponent?

@sidorares
Owner

(it's not just %, I think & in the password also triggers URI malformed ... error)
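
An added example, not part of the thread and not mysql2's own code: one way to implement the try/catch-with-raw-fallback option described above, together with the encoding step needed when the URL is built. The helper names `decodeCredential`, `parseConnectionUrl` and `buildConnectionUrl` and the `mysql://` sample URLs are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; helper names and sample URLs are hypothetical, not mysql2 API.

// Decode one userinfo field from a WHATWG URL. A stray '%' makes
// decodeURIComponent throw URIError; in that case keep the raw string.
function decodeCredential(raw) {
  try {
    return { value: decodeURIComponent(raw), decoded: true };
  } catch (err) {
    if (!(err instanceof URIError)) throw err;
    return { value: raw, decoded: false };
  }
}

// Turn a connection URL into connection options with decoded credentials.
function parseConnectionUrl(connectionUrl) {
  const u = new URL(connectionUrl);
  const user = decodeCredential(u.username);
  const password = decodeCredential(u.password);
  const undecoded = [];
  if (!user.decoded) undecoded.push('user');
  if (!password.decoded) undecoded.push('password');
  return {
    host: u.hostname,
    port: u.port ? Number(u.port) : undefined,
    user: user.value,
    password: password.value,
    database: u.pathname.slice(1),
    undecoded, // fields passed through as-is; report names only, never values
  };
}

// Building side: encode each credential so parsing restores it exactly.
function buildConnectionUrl({ user, password, host, database }) {
  const auth = `${encodeURIComponent(user)}:${encodeURIComponent(password)}`;
  return `mysql://${auth}@${host}/${encodeURIComponent(database)}`;
}

// Constructed sample inputs.
const encoded = parseConnectionUrl('mysql://app:p%40ss@db.example.test:3306/shop');
const stray = parseConnectionUrl('mysql://app:100%@db.example.test/shop');
// Caveat: an unencoded password that happens to contain a valid escape is
// decoded silently, so the fallback cannot replace encoding at build time.
const ambiguous = parseConnectionUrl('mysql://app:pa%41ss@db.example.test/shop');
const tricky = 'pass!@$%^&*+()\\word:'; // password from the thread
const roundTrip = parseConnectionUrl(buildConnectionUrl(
  { user: 'app', password: tricky, host: 'db.example.test', database: 'shop' }));
```

The `undecoded` list lets a caller warn that a credential was not valid percent-encoding without writing the credential itself to a log.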
