fix(node): validate host header

invalid host header like localhost:3001/abchehe? can cause inconsistent pathname in slowpath of FastURL

Author: pi0

src/adapters/_node/url.ts

@@ -1,6 +1,13 @@
 import type { NodeServerRequest } from "../../types.ts";
 import { FastURL } from "../../_url.ts";
 
+/**
+ * Validates an HTTP Host header value (domain, IPv4, or bracketed IPv6) with optional port.
+ * Intended for preliminary filtering invalid values like "localhost:3000/foobar?"
+ */
+export const HOST_RE: RegExp =
+  /^(\[(?:[A-Fa-f0-9:.]+)\]|(?:[A-Za-z0-9_-]+\.)*[A-Za-z0-9_-]+|(?:\d{1,3}\.){3}\d{1,3})(:\d{1,5})?$/;
+
 export class NodeRequestURL extends FastURL {
   #req: NodeServerRequest;
 
@@ -11,10 +18,16 @@ export class NodeRequestURL extends FastURL {
       const pathname = qIndex === -1 ? path : path?.slice(0, qIndex) || "/";
       const search = qIndex === -1 ? "" : path?.slice(qIndex) || "";
 
-      const host =
-        req.headers.host ||
-        (req.headers[":authority"] as string) ||
-        `${req.socket.localFamily === "IPv6" ? "[" + req.socket.localAddress + "]" : req.socket.localAddress}:${req.socket?.localPort || "80"}`;
+      let host = req.headers.host || (req.headers[":authority"] as string);
+      if (host) {
+        if (!HOST_RE.test(host)) {
+          throw new TypeError(`Invalid host header: ${host}`);
+        }
+      } else if (req.socket) {
+        host = `${req.socket.localFamily === "IPv6" ? "[" + req.socket.localAddress + "]" : req.socket.localAddress}:${req.socket?.localPort || "80"}`;
+      } else {
+        host = "localhost";
+      }
 
       const protocol =
         (req.socket as any)?.encrypted ||