Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The valid-url npm package provides utilities for URL validation and parsing. It allows developers to check if a given string is a valid URL and to parse URLs into their components.
URL Validation
This feature allows you to check if a string is a valid URL. The `isUri` method returns the URL if it's valid, otherwise undefined. It's useful for validating URLs before attempting to make HTTP requests or storing them in a database.
"use strict";\nconst validUrl = require('valid-url');\n\nif (validUrl.isUri('http://www.google.com')){\n console.log('Looks like an URI');\n} else {\n console.log('Not a URI');\n}"
URL Parsing
While the primary focus of valid-url is validation, the returned valid URI string from `isUri` can be further parsed using other libraries or custom code to extract components like protocol, host, path, and query parameters. This example demonstrates basic usage for validation, hinting at further parsing possibilities.
"use strict";\nconst validUrl = require('valid-url');\n\nlet uri = validUrl.isUri('http://www.example.com/path?name=query');\nif (uri){\n console.log('URI is', uri);\n // Additional parsing logic here\n} else {\n console.log('Not a URI');\n}"
Validator is a library that offers a wide range of string validation and sanitization methods, including URL validation. Compared to valid-url, validator provides a broader set of functionalities beyond URLs, making it suitable for more comprehensive input validation needs.
url-regex is a package specifically designed to provide regular expressions for URL validation. Unlike valid-url, which offers simple validation checks, url-regex allows for more customizable and potentially stricter URL validation based on regex patterns.
Common url validation methods
var validUrl = require('valid-url');
if (validUrl.isUri(suspect)){
console.log('Looks like an URI');
} else {
console.log('Not a URI');
}
Replicates the functionality of Richard Sonnen sonnen@richardsonnen.com perl module : http://search.cpan.org/~sonnen/Data-Validate-URI-0.01/lib/Data/Validate/URI.pm full code here into a nodejs module. Translated practically line by line from perl. It passes all the original tests.
(copied from original perl module)
This module collects common URI validation routines to make input validation, and untainting easier and more readable. All functions return an untainted value if the test passes, and undef if it fails. This means that you should always check for a defined status explicitly. Don't assume the return will be true. The value to test is always the first (and often only) argument. There are a number of other URI validation modules out there as well (see below.) This one focuses on being fast, lightweight, and relatively 'real-world'. i.e. it's good if you want to check user input, and don't need to parse out the URI/URL into chunks. Right now the module focuses on HTTP URIs, since they're arguably the most common. If you have a specialized scheme you'd like to have supported, let me know.
npm install valid-url
/*
* @Function isUri(value)
*
* @Synopsis is the value a well-formed uri?
* @Description
Returns the untainted URI if the test value appears to be well-formed. Note that
you may really want one of the more practical methods like is_http_uri or is_https_uri,
since the URI standard (RFC 3986) allows a lot of things you probably don't want.
* @Arguments
* value The potential URI to test.
*
* @Returns The untainted RFC 3986 URI on success, undefined on failure.
* @Notes
This function does not make any attempt to check whether the URI is accessible
or 'makes sense' in any meaningful way. It just checks that it is formatted
correctly.
*
*/
/*
* @Function isHttpUri(value)
* @Synopsis is the value a well-formed HTTP uri?
* @Description
Specialized version of isUri() that only likes http:// urls. As a result, it can
also do a much more thorough job validating. Also, unlike isUri() it is more
concerned with only allowing real-world URIs through. Things like relative
hostnames are allowed by the standards, but probably aren't wise. Conversely,
null paths aren't allowed per RFC 2616 (should be '/' instead), but are allowed
by this function.
This function only works for fully-qualified URIs. /bob.html won't work.
See RFC 3986 for the appropriate method to turn a relative URI into an absolute
one given its context.
Returns the untainted URI if the test value appears to be well-formed.
Note that you probably want to either call this in combo with is_https_uri(). i.e.
if(isHttpUri(uri) || isHttpsUri(uri)) console.log('Good');
or use the convenience method isWebUri which is equivalent.
* @Arguments
* value The potential URI to test.
*
* @Returns The untainted RFC 3986 URI on success, undefined on failure.
* @Notes
This function does not make any attempt to check whether the URI is accessible
or 'makes sense' in any meaningful way. It just checks that it is formatted
correctly.
*/
/*
* @Function isHttpsUri(value)
* @Synopsis is the value a well-formed HTTPS uri?
* @Description
See is_http_uri() for details. This version only likes the https URI scheme.
Otherwise it's identical to is_http_uri()
* @Arguments
* value The potential URI to test.
*
* @Returns The untainted RFC 3986 URI on success, undefined on failure.
* @Notes
This function does not make any attempt to check whether the URI is accessible
or 'makes sense' in any meaningful way. It just checks that it is formatted
correctly.
*/
/*
* @Function isWebUri(value)
* @Synopsis is the value a well-formed HTTP or HTTPS uri?
* @Description
This is just a convenience method that combines isHttpUri and isHttpsUri
to accept most common real-world URLs.
* @Arguments
* value The potential URI to test.
*
* @Returns The untainted RFC 3986 URI on success, undefined on failure.
* @Notes
This function does not make any attempt to check whether the URI is accessible
or 'makes sense' in any meaningful way. It just checks that it is formatted
correctly.
*/
RFC 3986, RFC 3966, RFC 4694, RFC 4759, RFC 4904
FAQs
URI validation functions
The npm package valid-url receives a total of 1,993,771 weekly downloads. As such, valid-url popularity was classified as popular.
We found that valid-url demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.