Reject domain parts longer than 63 bytes, fixes #787

chriso · chriso · commit bb3e54274141 · 2018-05-03T15:01:29.000+10:00
diff --git a/lib/isFQDN.js b/lib/isFQDN.js
@@ -30,6 +30,11 @@ function isFQDN(str, options) {
     str = str.substring(0, str.length - 1);
   }
   var parts = str.split('.');
+  for (var i = 0; i < parts.length; i++) {
+    if (parts[i].length > 63) {
+      return false;
+    }
+  }
   if (options.require_tld) {
     var tld = parts.pop();
     if (!parts.length || !/^([a-z\u00a1-\uffff]{2,}|xn[a-z0-9-]{2,})$/i.test(tld)) {
@@ -40,8 +45,8 @@ function isFQDN(str, options) {
       return false;
     }
   }
-  for (var part, i = 0; i < parts.length; i++) {
-    part = parts[i];
+  for (var part, _i = 0; _i < parts.length; _i++) {
+    part = parts[_i];
     if (options.allow_underscores) {
       part = part.replace(/_/g, '');
     }
diff --git a/src/lib/isFQDN.js b/src/lib/isFQDN.js
@@ -16,6 +16,11 @@ export default function isFQDN(str, options) {
     str = str.substring(0, str.length - 1);
   }
   const parts = str.split('.');
+  for (let i = 0; i < parts.length; i++) {
+    if (parts[i].length > 63) {
+      return false;
+    }
+  }
   if (options.require_tld) {
     const tld = parts.pop();
     if (!parts.length || !/^([a-z\u00a1-\uffff]{2,}|xn[a-z0-9-]{2,})$/i.test(tld)) {
diff --git a/test/validators.js b/test/validators.js
@@ -57,7 +57,9 @@ describe('Validators', function () {
         '"foobar"@example.com',
         '"  foo  m端ller "@example.com',
         '"foo\\@bar"@example.com',
-        `${repeat('a', 64)}@${repeat('a', 250)}.com`,
+        `${repeat('a', 64)}@${repeat('a', 63)}.com`,
+        `${repeat('a', 64)}@${repeat('a', 63)}.${repeat('a', 63)}.${repeat('a', 63)}.${repeat('a', 58)}.com`,
+        `${repeat('a', 64)}@${repeat('a', 63)}.com`,
       ],
       invalid: [
         'invalidemail@',
@@ -70,6 +72,7 @@ describe('Validators', function () {
         'ｇｍａｉｌｇｍａｉｌｇｍａｉｌｇｍａｉｌｇｍａｉｌ@gmail.com',
         `${repeat('a', 64)}@${repeat('a', 251)}.com`,
         `${repeat('a', 65)}@${repeat('a', 250)}.com`,
+        `${repeat('a', 64)}@${repeat('a', 64)}.com`,
         'test1@invalid.co m',
         'test2@invalid.co m',
         'test3@invalid.co m',
diff --git a/validator.js b/validator.js
@@ -139,6 +139,11 @@ function isFQDN(str, options) {
     str = str.substring(0, str.length - 1);
   }
   var parts = str.split('.');
+  for (var i = 0; i < parts.length; i++) {
+    if (parts[i].length > 63) {
+      return false;
+    }
+  }
   if (options.require_tld) {
     var tld = parts.pop();
     if (!parts.length || !/^([a-z\u00a1-\uffff]{2,}|xn[a-z0-9-]{2,})$/i.test(tld)) {
@@ -149,8 +154,8 @@ function isFQDN(str, options) {
       return false;
     }
   }
-  for (var part, i = 0; i < parts.length; i++) {
-    part = parts[i];
+  for (var part, _i = 0; _i < parts.length; _i++) {
+    part = parts[_i];
     if (options.allow_underscores) {
       part = part.replace(/_/g, '');
     }
diff --git a/validator.min.js b/validator.min.js

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,11 @@ function isFQDN(str, options) {`
`30`	`30`	`str = str.substring(0, str.length - 1);`
`31`	`31`	`}`
`32`	`32`	`var parts = str.split('.');`
	`33`	`+ for (var i = 0; i < parts.length; i++) {`
	`34`	`+ if (parts[i].length > 63) {`
	`35`	`+ return false;`
	`36`	`+ }`
	`37`	`+ }`
`33`	`38`	`if (options.require_tld) {`
`34`	`39`	`var tld = parts.pop();`
`35`	`40`	`if (!parts.length \|\| !/^([a-z\u00a1-\uffff]{2,}\|xn[a-z0-9-]{2,})$/i.test(tld)) {`
`@@ -40,8 +45,8 @@ function isFQDN(str, options) {`
`40`	`45`	`return false;`
`41`	`46`	`}`
`42`	`47`	`}`
`43`		`- for (var part, i = 0; i < parts.length; i++) {`
`44`		`- part = parts[i];`
	`48`	`+ for (var part, _i = 0; _i < parts.length; _i++) {`
	`49`	`+ part = parts[_i];`
`45`	`50`	`if (options.allow_underscores) {`
`46`	`51`	`part = part.replace(/_/g, '');`
`47`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,11 @@ function isFQDN(str, options) {`
`139`	`139`	`str = str.substring(0, str.length - 1);`
`140`	`140`	`}`
`141`	`141`	`var parts = str.split('.');`
	`142`	`+ for (var i = 0; i < parts.length; i++) {`
	`143`	`+ if (parts[i].length > 63) {`
	`144`	`+ return false;`
	`145`	`+ }`
	`146`	`+ }`
`142`	`147`	`if (options.require_tld) {`
`143`	`148`	`var tld = parts.pop();`
`144`	`149`	`if (!parts.length \|\| !/^([a-z\u00a1-\uffff]{2,}\|xn[a-z0-9-]{2,})$/i.test(tld)) {`
`@@ -149,8 +154,8 @@ function isFQDN(str, options) {`
`149`	`154`	`return false;`
`150`	`155`	`}`
`151`	`156`	`}`
`152`		`- for (var part, i = 0; i < parts.length; i++) {`
`153`		`- part = parts[i];`
	`157`	`+ for (var part, _i = 0; _i < parts.length; _i++) {`
	`158`	`+ part = parts[_i];`
`154`	`159`	`if (options.allow_underscores) {`
`155`	`160`	`part = part.replace(/_/g, '');`
`156`	`161`	`}`