cdk-common 2.1.34 → 2.1.35

package/.jsii

@@ -12984,6 +12984,6 @@
       "symbolId": "src/main:LambdaArmFunctionProps"
     }
   },
-  "version": "2.1.34",
-  "fingerprint": "bxGvPWwwiFW3GKNhsAtpY0JPXV7h0YO7m5vqBPxFhvQ="
+  "version": "2.1.35",
+  "fingerprint": "NFDErK/8HKOBmjwZW7YyqvfsSvofOt2FOB5Or/og6Os="
 }

package/lib/main.js

@@ -38,5 +38,5 @@ class LambdaArmFunction extends constructs_1.Construct {
 }
 exports.LambdaArmFunction = LambdaArmFunction;
 _a = JSII_RTTI_SYMBOL_1;
-LambdaArmFunction[_a] = { fqn: "cdk-common.LambdaArmFunction", version: "2.1.34" };
+LambdaArmFunction[_a] = { fqn: "cdk-common.LambdaArmFunction", version: "2.1.35" };
 //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibWFpbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3NyYy9tYWluLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7O0FBQUEsbUNBQW1DO0FBQ25DLGlEQUFpRDtBQUNqRCwyQ0FBdUM7QUFLdkMsTUFBYSxpQkFBa0IsU0FBUSxzQkFBUztJQUU5QyxZQUFZLEtBQWdCLEVBQUUsRUFBVSxFQUFFLEtBQTRCO1FBQ3BFLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFakIsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQXlCO1lBQ3RELENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsbUNBQW1DLENBQUM7WUFDakUsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxtQ0FBbUMsQ0FBQztZQUNqRSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVyxFQUFFLG1DQUFtQyxDQUFDO1lBQ2pFLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsa0NBQWtDLENBQUM7WUFDaEUsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxrQ0FBa0MsQ0FBQztZQUNoRSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVyxFQUFFLGtDQUFrQyxDQUFDO1lBQ2hFLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsa0NBQWtDLENBQUM7WUFDaEUsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLE9BQU8sRUFBRSw4QkFBOEIsQ0FBQztZQUN4RCxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsT0FBTyxFQUFFLDhCQUE4QixDQUFDO1lBQ3hELENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxRQUFRLEVBQUUsNkJBQTZCLENBQUM7WUFDeEQsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLFFBQVEsRUFBRSwrQkFBK0IsQ0FBQztZQUMxRCxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLCtCQUErQixDQUFDO1NBQzNELENBQUMsQ0FBQztRQUVILE1BQU0sT0FBTyxHQUFHLGVBQWUsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ25ELElBQUksT0FBTyxFQUFFLENBQUM7WUFDWixHQUFHLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDL0MsQ0FBQzthQUFNLENBQUM7WUFDTixNQUFNLElBQUksS0FBSyxDQUFDLG1CQUFtQixLQUFLLENBQUMsT0FBTyx1R0FBdUcsQ0FBQyxDQUFDO1FBQzNKLENBQUM7UUFFRCxJQUFJLENBQUMsY0FBYyxHQUFHLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsZ0JBQWdCLEVBQUU7WUFDaEUsWUFBWSxFQUFFLEtBQUssQ0FBQyxZQUFZLElBQUksTUFBTSxDQUFDLFlBQVksQ0FBQyxNQUFNO1lBQzlELEdBQUcsS0FBSztTQUNULENBQUMsQ0FBQztJQUNMLENBQUM7O0FBL0JILDhDQWdDQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGNkayBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQgKiBhcyBsYW1iZGEgZnJvbSAnYXdzLWNkay1saWIvYXdzLWxhbWJkYSc7XG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tICdjb25zdHJ1Y3RzJztcbmV4cG9ydCBpbnRlcmZhY2UgTGFtYmRhQXJtRnVuY3Rpb25Qcm9wcyBleHRlbmRzIGxhbWJkYS5GdW5jdGlvblByb3BzIHtcblxufVxuXG5leHBvcnQgY2xhc3MgTGFtYmRhQXJtRnVuY3Rpb24gZXh0ZW5kcyBDb25zdHJ1Y3Qge1xuICBwdWJsaWMgcmVhZG9ubHkgbGFtYmRhRnVuY3Rpb246IGxhbWJkYS5GdW5jdGlvbjtcbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6TGFtYmRhQXJtRnVuY3Rpb25Qcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICBjb25zdCBydW50aW1lV2FybmluZ3MgPSBuZXcgTWFwPGxhbWJkYS5SdW50aW1lLCBzdHJpbmc+KFtcbiAgICAgIFtsYW1iZGEuUnVudGltZS5OT0RFSlNfMjJfWCwgJ1lvdSBhcmUgdXNpbmcgTm9kZS5qcyAyMi54IGF0IEFSTSddLFxuICAgICAgW2xhbWJkYS5SdW50aW1lLk5PREVKU18yMF9YLCAnWW91IGFyZSB1c2luZyBOb2RlLmpzIDIwLnggYXQgQVJNJ10sXG4gICAgICBbbGFtYmRhLlJ1bnRpbWUuTk9ERUpTXzE4X1gsICdZb3UgYXJlIHVzaW5nIE5vZGUuanMgMTgueCBhdCBBUk0nXSxcbiAgICAgIFtsYW1iZGEuUnVudGltZS5QWVRIT05fM18xMywgJ1lvdSBhcmUgdXNpbmcgUHl0aG9uIDMuMTMgYXQgQVJNJ10sXG4gICAgICBbbGFtYmRhLlJ1bnRpbWUuUFlUSE9OXzNfMTIsICdZb3UgYXJlIHVzaW5nIFB5dGhvbiAzLjEyIGF0IEFSTSddLFxuICAgICAgW2xhbWJkYS5SdW50aW1lLlBZVEhPTl8zXzExLCAnWW91IGFyZSB1c2luZyBQeXRob24gMy4xMSBhdCBBUk0nXSxcbiAgICAgIFtsYW1iZGEuUnVudGltZS5QWVRIT05fM18xMCwgJ1lvdSBhcmUgdXNpbmcgUHl0aG9uIDMuMTAgYXQgQVJNJ10sXG4gICAgICBbbGFtYmRhLlJ1bnRpbWUuSkFWQV8yMSwgJ1lvdSBhcmUgdXNpbmcgSmF2YSAyMSBhdCBBUk0nXSxcbiAgICAgIFtsYW1iZGEuUnVudGltZS5KQVZBXzE3LCAnWW91IGFyZSB1c2luZyBKYXZhIDE3IGF0IEFSTSddLFxuICAgICAgW2xhbWJkYS5SdW50aW1lLkRPVE5FVF84LCAnWW91IGFyZSB1c2luZyAuTkVUIDggYXQgQVJNJ10sXG4gICAgICBbbGFtYmRhLlJ1bnRpbWUuUlVCWV8zXzQsICdZb3UgYXJlIHVzaW5nIFJ1YnkgMy40IGF0IEFSTSddLFxuICAgICAgW2xhbWJkYS5SdW50aW1lLlJVQllfM18zLCAnWW91IGFyZSB1c2luZyBSdWJ5IDMuMyBhdCBBUk0nXSxcbiAgICBdKTtcblxuICAgIGNvbnN0IHdhcm5pbmcgPSBydW50aW1lV2FybmluZ3MuZ2V0KHByb3BzLnJ1bnRpbWUpO1xuICAgIGlmICh3YXJuaW5nKSB7XG4gICAgICBjZGsuQW5ub3RhdGlvbnMub2YodGhpcykuYWRkV2FybmluZyh3YXJuaW5nKTtcbiAgICB9IGVsc2Uge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKGBJbnZhbGlkIFJ1bnRpbWUgJHtwcm9wcy5ydW50aW1lfSBhdCBBUk0sIFNlZSBodHRwczovL2RvY3MuYXdzLmFtYXpvbi5jb20vbGFtYmRhL2xhdGVzdC9kZy9mb3VuZGF0aW9uLWFyY2guaHRtbD9pY21waWQ9ZG9jc19sYW1iZGFfcnNzYCk7XG4gICAgfVxuXG4gICAgdGhpcy5sYW1iZGFGdW5jdGlvbiA9IG5ldyBsYW1iZGEuRnVuY3Rpb24odGhpcywgJ0xhbWJkYUZ1bmN0aW9uJywge1xuICAgICAgYXJjaGl0ZWN0dXJlOiBwcm9wcy5hcmNoaXRlY3R1cmUgPz8gbGFtYmRhLkFyY2hpdGVjdHVyZS5BUk1fNjQsXG4gICAgICAuLi5wcm9wcyxcbiAgICB9KTtcbiAgfVxufVxuIl19

package/node_modules/fast-uri/README.md

@@ -12,6 +12,8 @@ Dependency-free RFC 3986 URI toolbox.
 
 All of the above functions can accept an additional options argument that is an object that can contain one or more of the following properties:
 
+Malformed authorities and out-of-range ports are reported through the parsed component's `error` field. `normalize()` leaves malformed string inputs unchanged, and `equal()` returns `false` when either string input is malformed.
+
 *	`scheme` (string)
 	Indicates the scheme that the URI should be treated as, overriding the URI's normal scheme parsing behavior.
 

package/node_modules/fast-uri/index.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizePercentEncoding, normalizePathEncoding, escapePreservingEscapes, isIPv4, nonSimpleDomain } = require('./lib/utils')
+const { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizePercentEncoding, normalizePathEncoding, escapePreservingEscapes, reescapeHostDelimiters, isIPv4, nonSimpleDomain } = require('./lib/utils')
 const { SCHEMES, getSchemeHandler } = require('./lib/schemes')
 
 /**
@@ -11,7 +11,7 @@ const { SCHEMES, getSchemeHandler } = require('./lib/schemes')
  */
 function normalize (uri, options) {
   if (typeof uri === 'string') {
-    uri = /** @type {T} */ (serialize(parse(uri, options), options))
+    uri = /** @type {T} */ (normalizeString(uri, options))
   } else if (typeof uri === 'object') {
     uri = /** @type {T} */ (parse(serialize(uri, options), options))
   }
@@ -106,19 +106,10 @@ function resolveComponent (base, relative, options, skipNormalization) {
  * @returns {boolean}
  */
 function equal (uriA, uriB, options) {
-  if (typeof uriA === 'string') {
-    uriA = serialize(parse(uriA, options), options)
-  } else if (typeof uriA === 'object') {
-    uriA = serialize(uriA, options)
-  }
-
-  if (typeof uriB === 'string') {
-    uriB = serialize(parse(uriB, options), options)
-  } else if (typeof uriB === 'object') {
-    uriB = serialize(uriB, options)
-  }
+  const normalizedA = normalizeComparableURI(uriA, options)
+  const normalizedB = normalizeComparableURI(uriB, options)
 
-  return uriA.toLowerCase() === uriB.toLowerCase()
+  return normalizedA !== undefined && normalizedB !== undefined && normalizedA.toLowerCase() === normalizedB.toLowerCase()
 }
 
 /**
@@ -211,12 +202,29 @@ function serialize (cmpts, opts) {
 
 const URI_PARSE = /^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u
 
+/**
+ * @param {import('./types/index').URIComponent} parsed
+ * @param {RegExpMatchArray} matches
+ * @returns {string|undefined}
+ */
+function getParseError (parsed, matches) {
+  if (matches[2] !== undefined && parsed.path && parsed.path[0] !== '/') {
+    return 'URI path must start with "/" when authority is present.'
+  }
+
+  if (typeof parsed.port === 'number' && (parsed.port < 0 || parsed.port > 65535)) {
+    return 'URI port is malformed.'
+  }
+
+  return undefined
+}
+
 /**
  * @param {string} uri
  * @param {import('./types/index').Options} [opts]
- * @returns
+ * @returns {{ parsed: import('./types/index').URIComponent, malformedAuthorityOrPort: boolean }}
  */
-function parse (uri, opts) {
+function parseWithStatus (uri, opts) {
   const options = Object.assign({}, opts)
   /** @type {import('./types/index').URIComponent} */
   const parsed = {
@@ -229,6 +237,8 @@ function parse (uri, opts) {
     fragment: undefined
   }
 
+  let malformedAuthorityOrPort = false
+
   let isIP = false
   if (options.reference === 'suffix') {
     if (options.scheme) {
@@ -254,6 +264,13 @@ function parse (uri, opts) {
     if (isNaN(parsed.port)) {
       parsed.port = matches[5]
     }
+
+    const parseError = getParseError(parsed, matches)
+    if (parseError !== undefined) {
+      parsed.error = parsed.error || parseError
+      malformedAuthorityOrPort = true
+    }
+
     if (parsed.host) {
       const ipv4result = isIPv4(parsed.host)
       if (ipv4result === false) {
@@ -302,14 +319,18 @@ function parse (uri, opts) {
           parsed.scheme = unescape(parsed.scheme)
         }
         if (parsed.host !== undefined) {
-          parsed.host = unescape(parsed.host)
+          parsed.host = reescapeHostDelimiters(unescape(parsed.host), isIP)
         }
       }
       if (parsed.path) {
         parsed.path = normalizePathEncoding(parsed.path)
       }
       if (parsed.fragment) {
-        parsed.fragment = encodeURI(decodeURIComponent(parsed.fragment))
+        try {
+          parsed.fragment = encodeURI(decodeURIComponent(parsed.fragment))
+        } catch {
+          parsed.error = parsed.error || 'URI malformed'
+        }
       }
     }
 
@@ -320,7 +341,54 @@ function parse (uri, opts) {
   } else {
     parsed.error = parsed.error || 'URI can not be parsed.'
   }
-  return parsed
+  return { parsed, malformedAuthorityOrPort }
+}
+
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns
+ */
+function parse (uri, opts) {
+  return parseWithStatus(uri, opts).parsed
+}
+
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {string}
+ */
+function normalizeString (uri, opts) {
+  return normalizeStringWithStatus(uri, opts).normalized
+}
+
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {{ normalized: string, malformedAuthorityOrPort: boolean }}
+ */
+function normalizeStringWithStatus (uri, opts) {
+  const { parsed, malformedAuthorityOrPort } = parseWithStatus(uri, opts)
+  return {
+    normalized: malformedAuthorityOrPort ? uri : serialize(parsed, opts),
+    malformedAuthorityOrPort
+  }
+}
+
+/**
+ * @param {import ('./types/index').URIComponent|string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {string|undefined}
+ */
+function normalizeComparableURI (uri, opts) {
+  if (typeof uri === 'string') {
+    const { normalized, malformedAuthorityOrPort } = normalizeStringWithStatus(uri, opts)
+    return malformedAuthorityOrPort ? undefined : normalized
+  }
+
+  if (typeof uri === 'object') {
+    return serialize(uri, opts)
+  }
 }
 
 const fastUri = {

package/node_modules/fast-uri/lib/utils.js

@@ -272,6 +272,26 @@ function removeDotSegments (path) {
   return output.join('')
 }
 
+/**
+ * Re-escape RFC 3986 gen-delims that must not appear literally in the host.
+ * After the URI regex parses, these characters cannot be literal in the host
+ * field, so any that appear after decoding came from percent-encoding and
+ * must be restored to prevent authority structure changes.
+ *
+ * @param {string} host
+ * @param {boolean} isIP - true for IPv4/IPv6 hosts (skip colon re-escaping)
+ * @returns {string}
+ */
+const HOST_DELIMS = { '@': '%40', '/': '%2F', '?': '%3F', '#': '%23', ':': '%3A' }
+const HOST_DELIM_RE = /[@/?#:]/g
+const HOST_DELIM_NO_COLON_RE = /[@/?#]/g
+
+function reescapeHostDelimiters (host, isIP) {
+  const re = isIP ? HOST_DELIM_NO_COLON_RE : HOST_DELIM_RE
+  re.lastIndex = 0
+  return host.replace(re, (ch) => HOST_DELIMS[ch])
+}
+
 /**
  * Normalizes percent escapes and optionally decodes only unreserved ASCII bytes.
  * Reserved delimiters such as `%2F` and `%2E` stay escaped.
@@ -394,7 +414,7 @@ function recomposeAuthority (component) {
       if (ipV6res.isIPV6 === true) {
         host = `[${ipV6res.escapedHost}]`
       } else {
-        host = component.host
+        host = reescapeHostDelimiters(host, false)
       }
     }
     uriTokens.push(host)
@@ -411,6 +431,7 @@ function recomposeAuthority (component) {
 module.exports = {
   nonSimpleDomain,
   recomposeAuthority,
+  reescapeHostDelimiters,
   normalizePercentEncoding,
   normalizePathEncoding,
   escapePreservingEscapes,

package/node_modules/fast-uri/package.json

@@ -1,7 +1,7 @@
 {
   "name": "fast-uri",
   "description": "Dependency-free RFC 3986 URI toolbox",
-  "version": "3.1.1",
+  "version": "3.1.2",
   "main": "index.js",
   "type": "commonjs",
   "types": "types/index.d.ts",

package/node_modules/fast-uri/test/equal.test.js

@@ -106,3 +106,12 @@ test('WSS Equal', (t) => {
   runTest(t, suite)
   t.end()
 })
+
+test('URI Equals tolerates malformed fragments', (t) => {
+  t.equal(
+    fastURI.equal('http://example.com/#%E0%A4A', 'http://example.com/#%E0%A4A'),
+    true,
+    'malformed fragment does not throw during equality checks'
+  )
+  t.end()
+})

package/node_modules/fast-uri/test/parse.test.js

@@ -150,6 +150,11 @@ test('URI parse', (t) => {
   t.equal(components.query, undefined, 'query')
   t.equal(components.fragment, '%0D', 'fragment')
 
+  // malformed percent-encoded fragment must not throw
+  components = fastURI.parse('http://example.com/#%E0%A4A')
+  t.equal(components.error, 'URI malformed', 'malformed fragment errors')
+  t.equal(components.fragment, '%E0%A4A', 'malformed fragment is preserved')
+
   // all
   components = fastURI.parse('uri://user:pass@example.com:123/one/two.three?q1=a1&q2=a2#body')
   t.equal(components.error, undefined, 'all errors')

package/node_modules/fast-uri/test/resolve.test.js

@@ -76,3 +76,12 @@ test('URN Resolving', (t) => {
   t.equal(fastURI.resolve('urn:some:other:prop', 'urn:some:ip:prop'), 'urn:some:ip:prop', 'urn:some:ip:prop')
   t.end()
 })
+
+test('URI Resolving tolerates malformed fragments', (t) => {
+  t.equal(
+    fastURI.resolve('http://base.com/', 'http://example.com/#%E0%A4A'),
+    'http://example.com/#%E0%A4A',
+    'malformed fragment does not throw during resolve'
+  )
+  t.end()
+})

package/node_modules/fast-uri/test/security.test.js

@@ -0,0 +1,133 @@
+'use strict'
+
+const test = require('tape')
+const fastURI = require('..')
+
+test('parse marks malformed authority and port inputs as errors', (t) => {
+  const malformedCases = [
+    {
+      input: 'http://[::1]foo',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://[::1]:80abc/path',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://example.com:80abc/path',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://[::1]:65536',
+      expectedError: 'URI port is malformed.'
+    }
+  ]
+
+  t.plan(malformedCases.length)
+
+  malformedCases.forEach(({ input, expectedError }) => {
+    t.equal(fastURI.parse(input).error, expectedError, input)
+  })
+})
+
+test('normalize does not canonicalize malformed URLs into different valid URLs', (t) => {
+  const malformedCases = [
+    'http://[::1]foo',
+    'http://[::1]:80abc/path',
+    'http://example.com:80abc/path',
+    'http://[::1]:65536'
+  ]
+
+  t.plan(malformedCases.length)
+
+  malformedCases.forEach((input) => {
+    t.equal(fastURI.normalize(input), input, input)
+  })
+})
+
+test('equal returns false when either side is malformed', (t) => {
+  const malformedPairs = [
+    ['http://[::1]foo', 'http://[::1]/foo'],
+    ['http://[::1]:80abc/path', 'http://[::1]/abc/path'],
+    ['http://example.com:80abc/path', 'http://example.com/abc/path'],
+    ['http://[::1]:65536', 'http://[::1]:65536/']
+  ]
+
+  t.plan(malformedPairs.length)
+
+  malformedPairs.forEach(([left, right]) => {
+    t.equal(fastURI.equal(left, right), false, `${left} != ${right}`)
+  })
+})
+
+test('normalize preserves encoded authority delimiters in host', (t) => {
+  const cases = [
+    ['http://trusted.com%40evil.com/', 'http://trusted.com%40evil.com/'],
+    ['http://example.com%3A8080/', 'http://example.com%3A8080/'],
+    ['http://example.com%2Fevil.com/path', 'http://example.com%2Fevil.com/path'],
+    ['http://example.com%23fragment/path', 'http://example.com%23fragment/path'],
+    ['http://example.com%3Fq=evil/path', 'http://example.com%3Fq=evil/path'],
+    ['http://user%3Apass%40evil.com/', 'http://user%3Apass%40evil.com/'],
+    ['http://user@trusted.com%40evil.com/', 'http://user@trusted.com%40evil.com/'],
+    ['https://trusted.com%40evil.com/', 'https://trusted.com%40evil.com/'],
+    ['ws://trusted.com%40evil.com/chat', 'ws://trusted.com%40evil.com/chat'],
+    ['wss://trusted.com%40evil.com/chat', 'wss://trusted.com%40evil.com/chat']
+  ]
+
+  t.plan(cases.length)
+
+  cases.forEach(([input, expected]) => {
+    t.equal(fastURI.normalize(input), expected, input)
+  })
+})
+
+test('parse preserves encoded authority delimiters in host', (t) => {
+  const cases = [
+    ['http://trusted.com%40evil.com/', 'trusted.com%40evil.com'],
+    ['http://example.com%3A8080/', 'example.com%3A8080'],
+    ['http://user%3Apass%40evil.com/', 'user%3Apass%40evil.com']
+  ]
+
+  t.plan(cases.length)
+
+  cases.forEach(([input, expectedHost]) => {
+    t.equal(fastURI.parse(input).host, expectedHost, input)
+  })
+})
+
+test('equal returns false when encoded delimiters differ from live delimiters', (t) => {
+  const pairs = [
+    ['http://trusted.com%40evil.com/', 'http://trusted.com@evil.com/'],
+    ['http://example.com%3A8080/', 'http://example.com:8080/']
+  ]
+
+  t.plan(pairs.length)
+
+  pairs.forEach(([left, right]) => {
+    t.equal(fastURI.equal(left, right, {}), false, `${left} != ${right}`)
+  })
+})
+
+test('resolve preserves encoded authority delimiters', (t) => {
+  const result = fastURI.resolve('http://base.com/', '//trusted.com%40evil.com/path')
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'evil.com', '//trusted.com%40evil.com/path')
+})
+
+test('serialize escapes authority delimiters in host field', (t) => {
+  const result = fastURI.serialize({ scheme: 'http', host: 'trusted.com@evil.com', path: '/' })
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'evil.com', 'host: trusted.com@evil.com')
+})
+
+test('normalize does not double-decode %2540 into a live @', (t) => {
+  const result = fastURI.normalize('http://trusted.com%2540evil.com/')
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'trusted.com@evil.com', 'http://trusted.com%2540evil.com/')
+})

package/package.json

@@ -88,7 +88,7 @@
     "access": "public",
     "provenance": true
   },
-  "version": "2.1.34",
+  "version": "2.1.35",
   "jest": {
     "coverageProvider": "v8",
     "testMatch": [