fix: prevent out-of-bounds access in NO_PROXY parsing (#25617)

## Summary - Fix out-of-bounds access when parsing `NO_PROXY` environment variable with empty entries - Empty entries (e.g., `"localhost, , example.com"`) would cause a panic when checking if the host starts with a dot - Skip empty entries after trimming whitespace fixes BUN-110G fixes BUN-128V ## Test plan - [x] Verify `NO_PROXY="localhost, , example.com"` no longer crashes 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude <noreply@anthropic.com>
2026-02-02 15:08:46 +00:00 · 2025-12-19 23:17:29 -08:00
parent 085e25d5d1
commit 99b0a16c33
2 changed files with 33 additions and 6 deletions
--- a/src/env_loader.zig
+++ b/src/env_loader.zig
@@ -189,22 +189,26 @@ pub const Loader = struct {
                    return http_proxy;
                }

-                var no_proxy_list = std.mem.splitScalar(u8, no_proxy_text, ',');
-                var next = no_proxy_list.next();
-                while (next != null) {
-                    var host = strings.trim(next.?, &strings.whitespace_chars);
+                var no_proxy_iter = std.mem.splitScalar(u8, no_proxy_text, ',');
+                while (no_proxy_iter.next()) |no_proxy_item| {
+                    var host = strings.trim(no_proxy_item, &strings.whitespace_chars);
+                    if (host.len == 0) {
+                        continue;
+                    }
                    if (strings.eql(host, "*")) {
                        return null;
                    }
                    //strips .
-                    if (host[0] == '.') {
+                    if (strings.startsWithChar(host, '.')) {
                        host = host[1..];
+                        if (host.len == 0) {
+                            continue;
+                        }
                    }
                    //hostname ends with suffix
                    if (strings.endsWith(hostname.?, host)) {
                        return null;
                    }
-                    next = no_proxy_list.next();
                }
            }
        }
--- a/test/js/bun/http/proxy.test.js
+++ b/test/js/bun/http/proxy.test.js
@@ -196,3 +196,26 @@ it.each([
    fs.unlinkSync(path);
  }
 });
+
+it.each([
+  // Empty entries in NO_PROXY should not cause out-of-bounds access
+  ["localhost, , example.com"],
+  [",localhost,example.com"],
+  ["localhost,example.com,"],
+  ["  ,  ,  "],
+  [",,,"],
+  [". , .. , ..."],
+])("NO_PROXY with empty entries does not crash: %s", async no_proxy => {
+  // We just need to verify parsing NO_PROXY doesn't crash.
+  // The fetch target doesn't matter - NO_PROXY parsing happens before the connection.
+  const { exitCode } = Bun.spawnSync({
+    cmd: [bunExe(), "-e", `fetch("http://localhost:1").catch(() => {})`],
+    env: {
+      ...bunEnv,
+      http_proxy: "http://127.0.0.1:1",
+      NO_PROXY: no_proxy,
+    },
+  });
+
+  expect(exitCode).toBe(0);
+});