Astro server breaks when user inputs an invalid URL + BXSS attack #6736
Comments
At the same time, it could be worth checking that the URL does not exceed 2048 characters and that it is a supported locale URL.
Yup, we should have a hook or a function to validate the URL.
Today, our website is still down because we are getting a lot of attacks with BXSS. Hope your team can fix it. If hackers notice, a lot of Astro users will be affected!
Hmm, I can't seem to reproduce. Do you have a better reproduction you could share?
Ah, never mind, just as I sent my message I was able to reproduce 🤦‍♀️ Seems like you can't necessarily trigger it from a browser; needed to use
Thanks for the quick response. I was making a quick workaround to patch @astrojs/node. But hope you can do this officially. BXSS attack included in the path name like this:
What version of astro are you using? latest
Are you using an SSR adapter? If so, which one? Node Standalone
What package manager are you using? yarn 3
What operating system are you using? Mac
What browser are you using? All
Describe the Bug
When the user enters a wrong URL --> the Astro server goes down immediately.
A path something like this:
asdasdasd@ax_zX=.zxczas🐥%/úadasd000%/
Your team can go to any project with Astro + Stackblitz and add route params like that in the URL --> Bum, down.
The error occurs in the createServer function. Hope your team can fix this 🥹
Link to Minimal Reproducible Example
https://stackblitz.com/github/withastro/astro/tree/latest/examples/basics?file=README.md&on=stackblitz
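As an added illustration of the two checks proposed in the comments (a URL length limit and a validation hook), here is a small Node request guard. It is not code from Astro, @astrojs/node or the issue thread. It assumes the crash is the URIError that decodeURI / decodeURIComponent raise on malformed percent-encoding such as the `%/` in the reported path; that is consistent with the error being in createServer but is an inference, not something the thread confirms. The names validateRequestPath, guardedListener, naiveDecode and MAX_PATH_LENGTH are made up for this example; the 2048-character limit is the one suggested in the comments, and the sample paths are constructed.

```javascript
// Added example, not Astro's or @astrojs/node's own code.
// A request-path guard that runs before the framework sees the request:
// it rejects overlong paths and paths whose percent-encoding is malformed,
// answering with a 4xx response instead of letting a URIError escape from
// the request handler and take the whole process down.

const MAX_PATH_LENGTH = 2048; // limit suggested in the issue comments (assumption)

// What an unguarded server effectively does: decode the raw path and let
// any URIError propagate. Kept here only to show the failure mode.
function naiveDecode(rawPath) {
  return decodeURI(rawPath); // throws URIError on e.g. "%/" or a truncated "%C3"
}

// Returns { ok: true, decoded } or { ok: false, status, reason }.
function validateRequestPath(rawPath) {
  if (typeof rawPath !== 'string' || rawPath.length === 0 || rawPath[0] !== '/') {
    return { ok: false, status: 400, reason: 'path must start with /' };
  }
  if (rawPath.length > MAX_PATH_LENGTH) {
    return { ok: false, status: 414, reason: 'path too long' };
  }
  let decoded;
  try {
    // decodeURIComponent rejects both bad escapes ("%/") and byte sequences
    // that are not valid UTF-8 ("%C3" with nothing after it).
    decoded = decodeURIComponent(rawPath);
  } catch (err) {
    if (err instanceof URIError) {
      return { ok: false, status: 400, reason: 'malformed percent-encoding' };
    }
    throw err; // anything else is a genuine bug; do not hide it
  }
  return { ok: true, decoded };
}

// Wraps an application handler (req, res, decodedPath) in the guard.
// The returned function is a plain (req, res) listener, so it can be passed
// straight to http.createServer. Invalid requests never reach the handler,
// and the raw input is deliberately not echoed back in the error body.
function guardedListener(handler) {
  return function (req, res) {
    const pathOnly = req.url.split('?', 1)[0]; // drop the query string
    const verdict = validateRequestPath(pathOnly);
    if (!verdict.ok) {
      res.statusCode = verdict.status;
      res.setHeader('Content-Type', 'text/plain; charset=utf-8');
      res.end(`Bad request: ${verdict.reason}\n`);
      return;
    }
    return handler(req, res, verdict.decoded);
  };
}

// Constructed sample paths: the one from the issue report, a benign one,
// a truncated UTF-8 escape, and an overlong one.
const SAMPLE_PATHS = [
  '/asdasdasd@ax_zX=.zxczas🐥%/úadasd000%/',
  '/blog/hello-world',
  '/caf%C3',
  '/' + 'a'.repeat(3000),
];

// Runs every sample through the validator and reports the verdicts.
function demo() {
  return SAMPLE_PATHS.map((p) => ({
    path: p.length > 40 ? p.slice(0, 40) + '...' : p,
    verdict: validateRequestPath(p),
  }));
}

module.exports = { MAX_PATH_LENGTH, naiveDecode, validateRequestPath, guardedListener, demo };
```

To use it in a standalone Node server, pass `guardedListener(yourHandler)` to `http.createServer` and start listening as usual. The guard deliberately answers 414 for length and 400 for malformed encoding so that the two conditions are distinguishable in access logs, which makes a burst of crafted paths easy to spot.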