What version of Bun is running?
1.1.43-debug (f0cb1b7)
The bug
When loading HTTP and HTTPS proxy configurations from the environment, Bun fails to normalize the URLs with WebKit's parser.
Every other occurrence of Bun's custom URL parser normalizes the URL with WebKit's parser first (example from response.zig). This is extremely important, as Bun's URL parser is extremely naive and subject to many parsing errors. More info about this in the dedicated issue #16183 (this is kept separate, as with proper URL normalization it's not something that really needs fixing, at least until some other bug is found).
Impact
The impact of this is quite limited, as one would need to inject badly formatted URLs in the environment variable, and would only be useful to bypass whitelist URL checks performed with another parser (or with normalized URLs). What I mean is that something like this could be bypassed:
As you can see, the scenario is very specific.
However, it's important to add the normalization in order to make URLs consistent everywhere.
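The pattern the report asks for, as an added illustration that is not Bun's code and not part of the issue: run the proxy value from the environment through the standard (WHATWG/WebKit-style) URL parser once, and hand only the normalized string to any allowlist check or downstream parser. The function names, the allowlist, and the sample environment values below are constructed for the example.

```javascript
// Added example (not Bun's implementation): normalize a proxy URL taken from
// the environment with the standard URL parser before anything else sees it,
// so an allowlist check and any later, looser parser operate on the same string.

// Parse with the WHATWG URL parser and return the canonical href, or null when
// the value is not a valid absolute http(s) URL. new URL() lowercases the
// scheme and host, strips default ports and surrounding whitespace, and
// percent-encodes the path, which is exactly the consistency the issue asks for.
function normalizeProxyUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    // The standard parser rejected it: do not fall back to a looser parser.
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Allowlist check performed on the normalized form only. The allowlist entries
// go through the same normalization so both sides of the comparison come from
// one parser rather than two parsers that may disagree.
function isAllowedProxy(raw, allowlist) {
  const normalized = normalizeProxyUrl(raw);
  if (normalized === null) return false;
  const allowedHrefs = allowlist
    .map(normalizeProxyUrl)
    .filter((href) => href !== null);
  return allowedHrefs.includes(normalized);
}

// Read HTTP_PROXY / HTTPS_PROXY the way a loader would, returning the
// normalized value (or null) so callers never handle the raw string.
function loadProxyFromEnv(env, name) {
  const raw = env[name];
  if (raw === undefined) return null;
  return normalizeProxyUrl(raw);
}

// Constructed sample environment for demonstration (not real configuration).
const sampleEnv = {
  HTTP_PROXY: "HTTP://Proxy.Internal:80/",
  HTTPS_PROXY: "  https://proxy.internal:3128  ",
};

// Constructed allowlist: the only proxies this process should talk to.
const sampleAllowlist = ["http://proxy.internal/", "https://proxy.internal:3128/"];

for (const name of ["HTTP_PROXY", "HTTPS_PROXY"]) {
  const normalized = loadProxyFromEnv(sampleEnv, name);
  const allowed = isAllowedProxy(sampleEnv[name], sampleAllowlist);
  console.log(`${name}: raw=${JSON.stringify(sampleEnv[name])} normalized=${normalized} allowed=${allowed}`);
}
```

The point of routing the allowlist through `normalizeProxyUrl` as well is that the comparison never mixes a string produced by one parser with a string produced by another; whatever spelling the environment variable uses, both sides are reduced to the same canonical href before they are compared.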