Allow URLs to have a userinfo section with only a username

The 'userinfo' part of a URL may, according to RFC 1738, contain only a username followed by an '@' sign. The previous behavior of the isURL() function would return false if the userinfo section did not have a colon. In addition to the change in the function, tests have been added to ensure the following exmaples are considered valid: - http://[email protected] - http://user:@example.com - http://user:[email protected] The following are considered not valid: - http://@example.com - http://:@example.com - http://:example.com As a practical example, Sentry (https://github.com/getsentry/sentry) uses a format like http://[email protected]/10 for it's DSNs (which are just URLs).
validatorjs · Apr 12, 2021 · 983cc43 · 983cc43
1 parent be5bef4
commit 983cc43
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/src/lib/isURL.js b/src/lib/isURL.js
@@ -101,8 +101,11 @@ export default function isURL(url, options) {
     if (options.disallow_auth) {
       return false;
     }
+    if (split[0] === '' || split[0].substr(0, 1) === ':') {
+      return false;
+    }
     auth = split.shift();
-    if (auth.indexOf(':') === -1 || (auth.indexOf(':') >= 0 && auth.split(':').length > 2)) {
+    if (auth.indexOf(':') >= 0 && auth.split(':').length > 2) {
       return false;
     }
   }

diff --git a/test/validators.js b/test/validators.js
@@ -350,6 +350,7 @@ describe('Validators', () => {
         'http://www.foobar.com/~foobar',
         'http://user:[email protected]/',
         'http://user:@www.foobar.com/',
+        'http://[email protected]',
         'http://127.0.0.1/',
         'http://10.0.0.0/',
         'http://189.123.14.13/',
@@ -374,7 +375,6 @@ describe('Validators', () => {
         'http://[::FFFF:129.144.52.38]:80/index.html',
         'http://[2010:836B:4179::836B:4179]',
         'http://example.com/example.json#/foo/bar',
-        'http://user:@www.foobar.com',
         'http://1337.com',
       ],
       invalid: [
@@ -405,6 +405,8 @@ describe('Validators', () => {
         'http://lol: @foobar.com/',
         'http://www.foo_bar.com/',
         'http://www.foobar.com/\t',
+        'http://@foobar.com',
+        'http://:@foobar.com',
         'http://\[email protected]/',
         '',
         `http://foobar.com/${new Array(2083).join('f')}`,
@@ -416,7 +418,6 @@ describe('Validators', () => {
         '////foobar.com',
         'http:////foobar.com',
         'https://example.com/foo/<script>alert(\'XSS\')</script>/',
-        '[email protected]',
       ],
     });
   });
@@ -668,6 +669,24 @@ describe('Validators', () => {
     });
   });
 
+  it('should accept urls containing authentication information', () => {
+    test({
+      validator: 'isURL',
+      args: [{ disallow_auth: false }],
+      valid: [
+        '[email protected]',
+        'user:@example.com',
+        'user:[email protected]',
+      ],
+      invalid: [
+        'user:user:[email protected]',
+        '@example.com',
+        ':@example.com',
+        ':example.com',
+      ],
+    });
+  });
+
   it('should allow user to skip URL length validation', () => {
     test({
       validator: 'isURL',