mocktp 0.0.1-security → 3.15.3

package/src/util/socket-util.ts

@@ -0,0 +1,193 @@
+import * as _ from 'lodash';
+import now = require("performance-now");
+import * as os from 'os';
+import * as net from 'net';
+import * as tls from 'tls';
+import * as http2 from 'http2';
+
+import { isNode } from './util';
+import { OngoingRequest, TlsConnectionEvent } from '../types';
+
+// Test if a local port for a given interface (IPv4/6) is currently in use
+export async function isLocalPortActive(interfaceIp: '::1' | '127.0.0.1', port: number) {
+    if (interfaceIp === '::1' && !isLocalIPv6Available) return false;
+
+    return new Promise((resolve) => {
+        const server = net.createServer();
+        server.listen({
+            host: interfaceIp,
+            port,
+            ipv6Only: interfaceIp === '::1'
+        });
+        server.once('listening', () => {
+            resolve(false);
+            server.close(() => {});
+        });
+        server.once('error', (e) => {
+            resolve(true);
+        });
+    });
+}
+
+// This file imported in browsers etc as it's used in handlers, but none of these methods are used
+// directly. It is useful though to guard sections that immediately perform actions:
+export const isLocalIPv6Available = isNode
+    ? _.some(os.networkInterfaces(),
+        (addresses) => _.some(addresses, a => a.address === '::1')
+    )
+    : true;
+
+// We need to normalize ips for comparison, because the same ip may be reported as ::ffff:127.0.0.1
+// and 127.0.0.1 on the two sides of the connection, for the same ip.
+const normalizeIp = (ip: string | null | undefined) =>
+    (ip && ip.startsWith('::ffff:'))
+        ? ip.slice('::ffff:'.length)
+        : ip;
+
+export const isLocalhostAddress = (host: string | null | undefined) =>
+    !!host && ( // Null/undef are something else weird, but not localhost
+        host === 'localhost' || // Most common
+        host.endsWith('.localhost') ||
+        host === '::1' || // IPv6
+        normalizeIp(host)!.match(/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) // 127.0.0.0/8 range
+    );
+
+
+// Check whether an incoming socket is the other end of one of our outgoing sockets:
+export const isSocketLoop = (outgoingSockets: net.Socket[] | Set<net.Socket>, incomingSocket: net.Socket) =>
+    // We effectively just compare the address & port: if they match, we've almost certainly got a loop.
+
+    // I don't think it's generally possible to see the same ip on different interfaces from one process (you need
+    // ip-netns network namespaces), but if it is, then there's a tiny chance of false positives here. If we have ip X,
+    // and on another interface somebody else has ip X, and they send a request with the same incoming port as an
+    // outgoing request we have on the other interface, we'll assume it's a loop. Extremely unlikely imo.
+
+    _.some([...outgoingSockets], (outgoingSocket) => {
+        if (!outgoingSocket.localAddress || !outgoingSocket.localPort) {
+            // It's possible for sockets in outgoingSockets to be closed, in which case these properties
+            // will be undefined. If so, we know they're not relevant to loops, so skip entirely.
+            return false;
+        } else {
+            return normalizeIp(outgoingSocket.localAddress) === normalizeIp(incomingSocket.remoteAddress) &&
+                outgoingSocket.localPort === incomingSocket.remotePort;
+        }
+    });
+
+export function getParentSocket(socket: net.Socket) {
+    return socket._parent || // TLS wrapper
+        socket.stream || // SocketWrapper
+        (socket as any)._handle?._parentWrap?.stream; // HTTP/2 CONNECT'd TLS wrapper
+}
+
+const isSocketResetSupported = isNode
+    ? !!net.Socket.prototype.resetAndDestroy
+    : false; // Avoid errors in browsers
+export const requireSocketResetSupport = () => {
+    if (!isSocketResetSupported) {
+        throw new Error(
+            'Connection reset is only supported in Node v16.17+, v18.3.0+, or later'
+        );
+    }
+};
+
+const isHttp2Stream = (maybeStream: any): maybeStream is http2.Http2ServerRequest =>
+    'httpVersion' in maybeStream &&
+    maybeStream.httpVersion?.startsWith('2');
+
+/**
+ * Reset the socket where possible, or at least destroy it where that's not possible.
+ *
+ * This has a few cases for different layers of socket & tunneling, designed to
+ * simulate a real connection reset as closely as possible. That means, in general,
+ * we unwrap the connection as far as possible whilst still only affecting a single
+ * request.
+ *
+ * In practice, we unwrap HTTP/1 & TLS back as far as we can, until we hit either an
+ * HTTP/2 stream or a raw TCP connection. We then either send a RST_FRAME or a TCP RST
+ * to kill that connection.
+ */
+export function resetOrDestroy(requestOrSocket:
+    | net.Socket
+    | OngoingRequest & { socket?: net.Socket }
+    | http2.Http2ServerRequest
+) {
+    let socket: net.Socket | http2.Http2Stream =
+        (isHttp2Stream(requestOrSocket) && requestOrSocket.stream)
+            ? requestOrSocket.stream
+        : ('socket' in requestOrSocket && requestOrSocket.socket)
+            ? requestOrSocket.socket
+        : requestOrSocket as net.Socket;
+
+    while (socket instanceof tls.TLSSocket) {
+        const parent = getParentSocket(socket);
+        if (!parent) break; // Not clear why, but it seems in some cases we run out of parents here
+        socket = parent;
+    }
+
+    if ('rstCode' in socket) {
+        // It's an HTTP/2 stream instance - let's kill it here.
+
+        // If it's the innermost stream, i.e. this is the stream of the request we're
+        // resetting, then we want to send an internal error. If it's a tunneling
+        // stream, then we want to send a CONNECT error:
+        const isOuterSocket = socket === (requestOrSocket as any).stream;
+
+        const errorCode = isOuterSocket
+            ? http2.constants.NGHTTP2_INTERNAL_ERROR
+            : http2.constants.NGHTTP2_CONNECT_ERROR;
+
+        const h2Stream = socket as http2.ServerHttp2Stream;
+        h2Stream.close(errorCode);
+    } else {
+        // Must be a net.Socket then, so we let's reset it for real:
+        if (isSocketResetSupported) {
+            try {
+                socket.resetAndDestroy!();
+            } catch (error) {
+                // This could fail in funky ways if the socket is not just the right kind
+                // of socket. We should still fail in that case, but it's useful to log
+                // some extra data first beforehand, so we can fix this if it ever happens:
+                console.warn(`Failed to reset on socket of type ${
+                    socket.constructor.name
+                } with parent of type ${getParentSocket(socket as any)?.constructor.name}`);
+                throw error;
+            }
+        } else {
+            socket.destroy();
+        }
+    }
+};
+
+export function buildSocketEventData(socket: net.Socket & Partial<tls.TLSSocket>): TlsConnectionEvent {
+    const timingInfo = socket.__timingInfo ||
+        socket._parent?.__timingInfo ||
+        buildSocketTimingInfo();
+
+    // Attached in passThroughMatchingTls TLS sniffing logic in http-combo-server:
+    const tlsMetadata = socket.__tlsMetadata ||
+        socket._parent?.__tlsMetadata ||
+        {};
+
+    return {
+        hostname: socket.servername,
+        // These only work because of oncertcb monkeypatch in http-combo-server:
+        remoteIpAddress: socket.remoteAddress || // Normal case
+            socket._parent?.remoteAddress || // Pre-certCB error, e.g. timeout
+            socket.initialRemoteAddress!, // Recorded by certCB monkeypatch
+        remotePort: socket.remotePort ||
+            socket._parent?.remotePort ||
+            socket.initialRemotePort!,
+        tags: [],
+        timingEvents: {
+            startTime: timingInfo.initialSocket,
+            connectTimestamp: timingInfo.initialSocketTimestamp,
+            tunnelTimestamp: timingInfo.tunnelSetupTimestamp,
+            handshakeTimestamp: timingInfo.tlsConnectedTimestamp
+        },
+        tlsMetadata
+    };
+}
+
+export function buildSocketTimingInfo(): Required<net.Socket>['__timingInfo'] {
+    return { initialSocket: Date.now(), initialSocketTimestamp: now() };
+}

package/src/util/tls.ts

@@ -0,0 +1,348 @@
+import * as _ from 'lodash';
+import * as fs from 'fs/promises';
+import { v4 as uuid } from "uuid";
+import * as forge from 'node-forge';
+
+const { asn1, pki, md, util } = forge;
+
+export type CAOptions = (CertDataOptions | CertPathOptions);
+
+export interface CertDataOptions extends BaseCAOptions {
+    key: string;
+    cert: string;
+};
+
+export interface CertPathOptions extends BaseCAOptions {
+    keyPath: string;
+    certPath: string;
+}
+
+export interface BaseCAOptions {
+    /**
+     * Minimum key length when generating certificates. Defaults to 2048.
+     */
+    keyLength?: number;
+
+    /**
+     * The countryName that will be used in the certificate for incoming TLS
+     * connections.
+     */
+    countryName?: string;
+
+    /**
+     * The localityName that will be used in the certificate for incoming TLS
+     * connections.
+     */
+    localityName?: string;
+
+    /**
+     * The organizationName that will be used in the certificate for incoming TLS
+     * connections.
+     */
+    organizationName?: string;
+}
+
+export type PEM = string | string[] | Buffer | Buffer[];
+
+export type GeneratedCertificate = {
+    key: string,
+    cert: string,
+    ca: string
+};
+
+/**
+ * Generate a CA certificate for mocking HTTPS.
+ *
+ * Returns a promise, for an object with key and cert properties,
+ * containing the generated private key and certificate in PEM format.
+ *
+ * These can be saved to disk, and their paths passed
+ * as HTTPS options to a Mockttp server.
+ */
+export async function generateCACertificate(options: {
+    commonName?: string,
+    organizationName?: string,
+    countryName?: string,
+    bits?: number,
+    nameConstraints?: {
+        permitted?: string[]
+    }
+} = {}) {
+    options = _.defaults({}, options, {
+        commonName: 'Mockttp Testing CA - DO NOT TRUST - TESTING ONLY',
+        organizationName: 'Mockttp',
+        countryName: 'XX', // ISO-3166-1 alpha-2 'unknown country' code
+        bits: 2048,
+    });
+
+    const keyPair = await new Promise<forge.pki.rsa.KeyPair>((resolve, reject) => {
+        pki.rsa.generateKeyPair({ bits: options.bits }, (error, keyPair) => {
+            if (error) reject(error);
+            else resolve(keyPair);
+        });
+    });
+
+    const cert = pki.createCertificate();
+    cert.publicKey = keyPair.publicKey;
+    cert.serialNumber = generateSerialNumber();
+
+    cert.validity.notBefore = new Date();
+    // Make it valid for the last 24h - helps in cases where clocks slightly disagree
+    cert.validity.notBefore.setDate(cert.validity.notBefore.getDate() - 1);
+
+    cert.validity.notAfter = new Date();
+    // Valid for the next year by default.
+    cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 1);
+
+    cert.setSubject([
+        // All of these are required for a fully valid CA cert that will be accepted when imported anywhere:
+        { name: 'commonName', value: options.commonName },
+        { name: 'countryName', value: options.countryName },
+        { name: 'organizationName', value: options.organizationName }
+    ]);
+
+    const extensions: any[] = [
+        { name: 'basicConstraints', cA: true, critical: true },
+        { name: 'keyUsage', keyCertSign: true, digitalSignature: true, nonRepudiation: true, cRLSign: true, critical: true },
+        { name: 'subjectKeyIdentifier' },
+    ];
+    const permittedDomains = options.nameConstraints?.permitted || [];
+    if(permittedDomains.length > 0) {
+        extensions.push({
+            critical: true,
+            id: '2.5.29.30',
+            name: 'nameConstraints',
+            value: generateNameConstraints({
+              permitted: permittedDomains,
+            }),
+        })
+    }
+    cert.setExtensions(extensions);
+
+    // Self-issued too
+    cert.setIssuer(cert.subject.attributes);
+
+    // Self-sign the certificate - we're the root
+    cert.sign(keyPair.privateKey, md.sha256.create());
+
+    return {
+        key: pki.privateKeyToPem(keyPair.privateKey),
+        cert: pki.certificateToPem(cert)
+    };
+}
+
+
+type GenerateNameConstraintsInput = {
+    /**
+     * Array of permitted domains
+     */
+    permitted?: string[];
+};
+
+/**
+ * Generate name constraints in conformance with
+ * [RFC 5280 § 4.2.1.10](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10)
+ */
+function generateNameConstraints(
+    input: GenerateNameConstraintsInput
+): forge.asn1.Asn1 {
+    const domainsToSequence = (ips: string[]) =>
+        ips.map((domain) => {
+            return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+                asn1.create(
+                    asn1.Class.CONTEXT_SPECIFIC,
+                    2,
+                    false,
+                    util.encodeUtf8(domain)
+                ),
+            ]);
+        });
+
+    const permittedAndExcluded: forge.asn1.Asn1[] = [];
+
+    if (input.permitted && input.permitted.length > 0) {
+        permittedAndExcluded.push(
+            asn1.create(
+                asn1.Class.CONTEXT_SPECIFIC,
+                0,
+                true,
+                domainsToSequence(input.permitted)
+            )
+        );
+    }
+
+    return asn1.create(
+        asn1.Class.UNIVERSAL,
+        asn1.Type.SEQUENCE,
+        true,
+        permittedAndExcluded
+    );
+}
+
+export function generateSPKIFingerprint(certPem: PEM) {
+    let cert = pki.certificateFromPem(certPem.toString('utf8'));
+    return util.encode64(
+        pki.getPublicKeyFingerprint(cert.publicKey, {
+            type: 'SubjectPublicKeyInfo',
+            md: md.sha256.create(),
+            encoding: 'binary'
+        })
+    );
+}
+
+// Generates a unique serial number for a certificate as a hex string:
+function generateSerialNumber() {
+    return 'A' + uuid().replace(/-/g, '');
+    // We add a leading 'A' to ensure it's always positive (not 'F') and always
+    // valid (e.g. leading 000 is bad padding, and would be unparseable).
+}
+
+export async function getCA(options: CAOptions): Promise<CA> {
+    let certOptions: CertDataOptions;
+    if ('key' in options && 'cert' in options) {
+        certOptions = options;
+    }
+    else if ('keyPath' in options && 'certPath' in options) {
+        certOptions = await Promise.all([
+            fs.readFile(options.keyPath, 'utf8'),
+            fs.readFile(options.certPath, 'utf8')
+        ]).then(([ keyContents, certContents ]) => ({
+            ..._.omit(options, ['keyPath', 'certPath']),
+            key: keyContents,
+            cert: certContents
+        }));
+    }
+    else {
+        throw new Error('Unrecognized https options: you need to provide either a keyPath & certPath, or a key & cert.')
+    }
+
+    return new CA(certOptions);
+}
+
+// We share a single keypair across all certificates in this process, and
+// instantiate it once when the first CA is created, because it can be
+// expensive (depending on the key length).
+// This would be a terrible idea for a real server, but for a mock server
+// it's ok - if anybody can steal this, they can steal the CA cert anyway.
+let KEY_PAIR: {
+    publicKey: forge.pki.rsa.PublicKey,
+    privateKey: forge.pki.rsa.PrivateKey,
+    length: number
+} | undefined;
+
+export class CA {
+    private caCert: forge.pki.Certificate;
+    private caKey: forge.pki.PrivateKey;
+    private options: CertDataOptions;
+
+    private certCache: { [domain: string]: GeneratedCertificate };
+
+    constructor(options: CertDataOptions) {
+        this.caKey = pki.privateKeyFromPem(options.key.toString());
+        this.caCert = pki.certificateFromPem(options.cert.toString());
+        this.certCache = {};
+        this.options = options ?? {};
+
+        const keyLength = options.keyLength || 2048;
+
+        if (!KEY_PAIR || KEY_PAIR.length < keyLength) {
+            // If we have no key, or not a long enough one, generate one.
+            KEY_PAIR = Object.assign(
+                pki.rsa.generateKeyPair(keyLength),
+                { length: keyLength }
+            );
+        }
+    }
+
+    generateCertificate(domain: string): GeneratedCertificate {
+        // TODO: Expire domains from the cache? Based on their actual expiry?
+        if (this.certCache[domain]) return this.certCache[domain];
+
+        if (domain.includes('_')) {
+            // TLS certificates cannot cover domains with underscores, bizarrely. More info:
+            // https://www.digicert.com/kb/ssl-support/underscores-not-allowed-in-fqdns.htm
+            // To fix this, we use wildcards instead. This is only possible for one level of
+            // certificate, and only for subdomains, so our options are a little limited, but
+            // this should be very rare (because it's not supported elsewhere either).
+            const [ , ...otherParts] = domain.split('.');
+            if (
+                otherParts.length <= 1 || // *.com is never valid
+                otherParts.some(p => p.includes('_'))
+            ) {
+                throw new Error(`Cannot generate certificate for domain due to underscores: ${domain}`);
+            }
+
+            // Replace the first part with a wildcard to solve the problem:
+            domain = `*.${otherParts.join('.')}`;
+        }
+
+        let cert = pki.createCertificate();
+
+        cert.publicKey = KEY_PAIR!.publicKey;
+        cert.serialNumber = generateSerialNumber();
+
+        cert.validity.notBefore = new Date();
+        // Make it valid for the last 24h - helps in cases where clocks slightly disagree.
+        cert.validity.notBefore.setDate(cert.validity.notBefore.getDate() - 1);
+
+        cert.validity.notAfter = new Date();
+        // Valid for the next year by default. TODO: Shorten (and expire the cache) automatically.
+        cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 1);
+
+        cert.setSubject([
+            ...(domain[0] === '*'
+                ? [] // We skip the CN (deprecated, rarely used) for wildcards, since they can't be used here.
+                : [{ name: 'commonName', value: domain }]
+            ),
+            { name: 'countryName', value: this.options?.countryName ?? 'XX' }, // ISO-3166-1 alpha-2 'unknown country' code
+            { name: 'localityName', value: this.options?.localityName ?? 'Unknown' },
+            { name: 'organizationName', value: this.options?.organizationName ?? 'Mockttp Cert - DO NOT TRUST' }
+        ]);
+        cert.setIssuer(this.caCert.subject.attributes);
+
+        const policyList = forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
+            forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
+                forge.asn1.create(
+                    forge.asn1.Class.UNIVERSAL,
+                    forge.asn1.Type.OID,
+                    false,
+                    forge.asn1.oidToDer('2.5.29.32.0').getBytes() // Mark all as Domain Verified
+                )
+            ])
+        ]);
+
+        cert.setExtensions([
+            { name: 'basicConstraints', cA: false, critical: true },
+            { name: 'keyUsage', digitalSignature: true, keyEncipherment: true, critical: true },
+            { name: 'extKeyUsage', serverAuth: true, clientAuth: true },
+            {
+                name: 'subjectAltName',
+                altNames: [{
+                    type: 2,
+                    value: domain
+                }]
+            },
+            { name: 'certificatePolicies', value: policyList },
+            { name: 'subjectKeyIdentifier' },
+            {
+                name: 'authorityKeyIdentifier',
+                // We have to calculate this ourselves due to
+                // https://github.com/digitalbazaar/forge/issues/462
+                keyIdentifier: (
+                    this.caCert as any // generateSubjectKeyIdentifier is missing from node-forge types
+                ).generateSubjectKeyIdentifier().getBytes()
+            }
+        ]);
+
+        cert.sign(this.caKey, md.sha256.create());
+
+        const generatedCertificate = {
+            key: pki.privateKeyToPem(KEY_PAIR!.privateKey),
+            cert: pki.certificateToPem(cert),
+            ca: pki.certificateToPem(this.caCert)
+        };
+
+        this.certCache[domain] = generatedCertificate;
+        return generatedCertificate;
+    }
+}

package/src/util/type-utils.ts

@@ -0,0 +1,15 @@
+export type Omit<T, K> = Pick<T, Exclude<keyof T, K>>;
+
+// Turns T, making all props K required
+export type RequireProps<T, K extends keyof T> =
+    Omit<T, K> & Required<Pick<T, K>>;
+
+export type MaybePromise<T> = T | Promise<T>;
+
+type SubsetKeyOf<T, Ks extends keyof T = keyof T> = Ks;
+export type Replace<T, KV extends { [K in SubsetKeyOf<T, any>]: unknown }> =
+    Omit<T, keyof KV> & { [K in keyof KV]: KV[K] };
+
+export type Mutable<T> = {
+    -readonly [K in keyof T]: T[K]
+}

package/src/util/url.ts

@@ -0,0 +1,113 @@
+import * as url from 'url';
+import * as _ from 'lodash';
+
+import { nthIndexOf } from './util';
+
+// Is this URL fully qualified?
+// Note that this supports only HTTP - no websockets or anything else.
+export const isAbsoluteUrl = (url: string) =>
+    url.toLowerCase().startsWith('http://') ||
+    url.toLowerCase().startsWith('https://');
+
+export const isRelativeUrl = (url: string) =>
+    url.startsWith('/');
+
+export const isAbsoluteProtocollessUrl = (url: string) =>
+    !isAbsoluteUrl(url) && !isRelativeUrl(url);
+
+export const getUrlWithoutProtocol = (url: string): string => {
+    return url.split('://', 2).slice(-1).join('');
+}
+
+export const getPathFromAbsoluteUrl = (url: string) => {
+    const pathIndex = nthIndexOf(url, '/', 3);
+    if (pathIndex !== -1) {
+        return url.slice(pathIndex);
+    } else {
+        return '';
+    }
+}
+
+export const getEffectivePort = (url: { protocol: string | null, port: string | null }) => {
+    if (url.port) {
+        return parseInt(url.port, 10);
+    } else if (url.protocol === 'https:' || url.protocol === 'wss:') {
+        return 443;
+    } else {
+        return 80;
+    }
+}
+
+/**
+ * Normalizes URLs to the form used when matching them.
+ *
+ * This accepts URLs in all three formats: relative, absolute, and protocolless-absolute,
+ * and returns them in the same format but normalized.
+ */
+export const normalizeUrl: (url: string) => string =
+    _.memoize(
+        (urlInput: string): string => {
+            let parsedUrl: Partial<url.UrlWithStringQuery> | undefined;
+
+            let isProtocolless = false;
+
+            try {
+                // Strip the query and anything following it
+                const queryIndex = urlInput.indexOf('?');
+                if (queryIndex !== -1) {
+                    urlInput = urlInput.slice(0, queryIndex);
+                }
+
+                if (isAbsoluteProtocollessUrl(urlInput)) {
+                    parsedUrl = url.parse('http://' + urlInput);
+                    isProtocolless = true;
+                } else {
+                    parsedUrl = url.parse(urlInput);
+                }
+
+                // Trim out lots of the bits we don't like:
+                delete parsedUrl.host;
+                delete parsedUrl.query;
+                delete parsedUrl.search;
+                delete parsedUrl.hash;
+
+                if (parsedUrl.pathname) {
+                    parsedUrl.pathname = parsedUrl.pathname.replace(
+                        /\%[A-Fa-z0-9]{2}/g,
+                        (encoded) => encoded.toUpperCase()
+                    ).replace(
+                        /[^\u0000-\u007F]+/g,
+                        (unicodeChar) => encodeURIComponent(unicodeChar)
+                    );
+                }
+
+                if (parsedUrl.hostname && parsedUrl.hostname.endsWith('.')) {
+                    parsedUrl.hostname = parsedUrl.hostname.slice(0, -1);
+                }
+
+                if (
+                    (parsedUrl.protocol === 'https:' && parsedUrl.port === '443') ||
+                    (parsedUrl.protocol === 'http:' && parsedUrl.port === '80')
+                ) {
+                    delete parsedUrl.port;
+                }
+            } catch (e) {
+                console.log(`Failed to normalize URL ${urlInput}`);
+                console.log(e);
+
+                if (!parsedUrl) return urlInput; // Totally unparseble: use as-is
+                // If we've successfully parsed it, we format what we managed
+                // and leave it at that:
+            }
+
+            let normalizedUrl = url.format(parsedUrl);
+
+            // If the URL came in with no protocol, it should leave with
+            // no protocol (protocol added temporarily above to allow parsing)
+            if (isProtocolless) {
+                normalizedUrl = normalizedUrl.slice('http://'.length);
+            }
+
+            return normalizedUrl;
+        }
+    );