| | |
| | | /** |
| | | * The `node:url` module provides utilities for URL resolution and parsing. It can |
| | | * be accessed using: |
| | | * |
| | | * ```js |
| | | * import url from 'node:url'; |
| | | * ``` |
| | | * @see [source](https://github.com/nodejs/node/blob/v25.x/lib/url.js) |
| | | */ |
| | | declare module "node:url" { |
| | | import { Blob, NonSharedBuffer } from "node:buffer"; |
| | | import { ClientRequestArgs } from "node:http"; |
| | |
| | | * new URL('file:///hello world').pathname; // Incorrect: /hello%20world |
| | | * fileURLToPath('file:///hello world'); // Correct: /hello world (POSIX) |
| | | * ``` |
| | | * |
| | | * **Security Considerations:** |
| | | * |
| | | * This function decodes percent-encoded characters, including encoded dot-segments |
| | | * (`%2e` as `.` and `%2e%2e` as `..`), and then normalizes the resulting path. |
| | | * This means that encoded directory traversal sequences (such as `%2e%2e`) are |
| | | * decoded and processed as actual path traversal, even though encoded slashes |
| | | * (`%2F`, `%5C`) are correctly rejected. |
| | | * |
| | | * **Applications must not rely on `fileURLToPath()` alone to prevent directory |
| | | * traversal attacks.** Always perform explicit path validation and security checks |
| | | * on the returned path value to ensure it remains within expected boundaries |
| | | * before using it for file system operations. |
| | | * @since v10.12.0 |
| | | * @param url The file URL string or URL object to convert to a path. |
| | | * @return The fully-resolved platform-specific Node.js file path. |
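Review bot: The security note in the `fileURLToPath()` comment tells callers to "perform explicit path validation" but never says what a sufficient check looks like, so the warning is hard to act on. I would add one sentence after the bold paragraph, for example `* For example, resolve the returned path and verify that it is still inside the intended base directory before opening it.` The same gap is in the parallel note for the buffer-returning variant in the next hunk, where the returned value is a `Buffer` and the comment does not say how a containment check should treat bytes that are not valid UTF-8. Both doc comments start and end outside the visible hunks, and the text appears to mirror the upstream Node.js documentation (going by the `@see` link), so the wording may have to be changed there first.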
| | |
| | | * representation of the path, a `Buffer` is returned. This conversion is |
| | | * helpful when the input URL contains percent-encoded segments that are |
| | | * not valid UTF-8 / Unicode sequences. |
| | | * |
| | | * **Security Considerations:** |
| | | * |
| | | * This function has the same security considerations as `url.fileURLToPath()`. |
| | | * It decodes percent-encoded characters, including encoded dot-segments |
| | | * (`%2e` as `.` and `%2e%2e` as `..`), and normalizes the path. **Applications |
| | | * must not rely on this function alone to prevent directory traversal attacks.** |
| | | * Always perform explicit path validation on the returned buffer value before |
| | | * using it for file system operations. |
| | | * @since v24.3.0 |
| | | * @param url The file URL string or URL object to convert to a path. |
| | | * @returns The fully-resolved platform-specific Node.js file path |