An odd request can crash the process when restify.pre.sanitizePath()
is used
#1959
Open
3 tasks done
restify.pre.sanitizePath()
is used
#1959
Restify Version: 11.1.0
Node.js Version: 16, 18, 20
Expected behaviour
Restify should do its best to not crash when weird/unexpected requests are received. It should either return a standard error (e.g. if the method or route is not supported) or invoke the route handler.
Actual behaviour
Use normal
server.pre(restify.pre.sanitizePath())
middlewareSend odd request via curl e.g.
curl http://localhost:3000//
The Node process running the restify server will crash with this error:
Repro case
Please see https://github.com/nexdrew/restify-repro-1959
It includes code and instructions to reproduce the error, and it also contains possible workarounds.
Cause
This issue overlaps with #1953. The reason I created it as a separate issue is to consider not only a fix to the
prePath
logic but also to consider handling an empty pathname in the defaultRouter
for whatever reason it might occur.server.pre(restify.pre.sanitizePath())
strips multiple slashes to an empty string (as stated in prePath middleware strips multiple slashes to an empty string #1953)router.lookup(req, res)
doesn't expectreq.getUrl().pathname
to be null and doesn't gracefully handle any assertion errors that it might causeAre you willing and able to fix this?
Yes, I plan to open a PR that includes code changes for both of the workarounds demonstrated in the repro case.
The text was updated successfully, but these errors were encountered: