From 3c480159868746157417ce9cd1c1c69b76a8e7cc Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Sat, 14 Mar 2026 09:40:43 -0700 Subject: [PATCH] [Fix] `nvm_get_mirror`: fix awk URL validation to actually reject invalid URLs The awk expression `$0 ~ "regex"` as a bare statement in the action block evaluates the match but doesn't affect the exit code. awk always prints the line and exits 0, making the validation a no-op. Bug introduced in https://github.com/nvm-sh/nvm/commit/b1fa143dd8cbebd9847972c08fb383646ca00642. --- nvm.sh | 2 +- test/fast/Unit tests/nvm_get_mirror | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/nvm.sh b/nvm.sh index bc80f34..390ee0d 100755 --- a/nvm.sh +++ b/nvm.sh @@ -2247,7 +2247,7 @@ nvm_get_mirror() { esac - if ! nvm_echo "${NVM_MIRROR}" | command awk '{ $0 ~ "^https?://[a-zA-Z0-9./_-]+$" }'; then + if ! nvm_echo "${NVM_MIRROR}" | command awk '{ if ($0 !~ /^https?:\/\/[a-zA-Z0-9.\/_-]+$/) exit 1 }'; then nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL' return 2 fi diff --git a/test/fast/Unit tests/nvm_get_mirror b/test/fast/Unit tests/nvm_get_mirror index a8a4255..0c16ff4 100755 --- a/test/fast/Unit tests/nvm_get_mirror +++ b/test/fast/Unit tests/nvm_get_mirror @@ -46,3 +46,9 @@ testMirrors '`do something bad`' testMirrors 'https://nodejs.org/dist; xdg-open http://www.google.com;' testMirrors 'https://nodejs.org/dist&&xdg-open http://www.google.com;' testMirrors 'https://nodejs.org/dist|xdg-open http://www.google.com;' + +# Test that awk URL validation rejects non-URL values +testMirrors 'not a url' +testMirrors 'ftp://wrong-scheme' +testMirrors 'http://' +testMirrors 'javascript:alert(1)'