
Astro server break when user input invalid url + BXSS attack #6736

Closed
harrytran998 opened this issue Apr 3, 2023 · 6 comments · Fixed by #6746

Labels
- P5: urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority)

Comments

@harrytran998

harrytran998 commented Apr 3, 2023

What version of astro are you using?

latest

Are you using an SSR adapter? If so, which one?

Node Standalone

What package manager are you using?

yarn 3

What operating system are you using?

Mac

What browser are you using?

All

Describe the Bug

When the user enters a malformed URL, the Astro server goes down immediately.

A path like this: asdasdasd@ax_zX=.zxczas🐥%/úadasd000%/

Your team can open any Astro project on Stackblitz and add a route like that to the URL: boom, it goes down.

The error occurs in the createServer function.

```js
import { fileURLToPath } from "node:url";
import send from "send";

function createServer({ client, port, host, removeBase }, handler) {
  const listener = (req, res) => {
    if (req.url) {
      let pathname = removeBase(req.url);
      pathname = pathname[0] === "/" ? pathname : "/" + pathname;
      pathname = new URL(pathname, `http://${host}:${port}`).pathname;
      ///////// BUG HERE ❌❌❌
      // encodeURI(decodeURI(pathname)) fails on a malformed percent-escape.
      // Should add a try/catch, or forward to the 404 page instead.
      const stream = send(req, encodeURI(decodeURI(pathname)), {
        root: fileURLToPath(client),
        dotfiles: pathname.startsWith("/.well-known/") ? "allow" : "deny"
      });
      // ... rest of the listener (stream handling, fallback to `handler`) not shown in the report
    }
  };
}
```

Hope your team can fix this 🥹

Link to Minimal Reproducible Example

https://stackblitz.com/github/withastro/astro/tree/latest/examples/basics?file=README.md&on=stackblitz

Participation

  • I am willing to submit a pull request for this issue.
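Added example (not Astro's or the adapter's code): the same normalization chain as the snippet above, with the URIError from decodeURI caught and mapped to a 404 as the report suggests. `normalizePathname`, `createListener` and the caller-supplied `serveFile` are names assumed here; the static-file step itself is left to the caller.

```javascript
// Mirrors the normalization chain from the issue (leading slash, resolve against
// the server origin, decodeURI/encodeURI round-trip) but catches the URIError that
// a malformed percent-escape such as "%/" raises, returning null instead of throwing.
function normalizePathname(rawPath, host = 'localhost', port = 3000) {
  let pathname = rawPath[0] === '/' ? rawPath : '/' + rawPath;
  // WHATWG URL percent-encodes non-ASCII characters but leaves a lone "%" untouched,
  // so the malformed escape survives to decodeURI.
  pathname = new URL(pathname, `http://${host}:${port}`).pathname;
  try {
    return encodeURI(decodeURI(pathname));
  } catch (err) {
    if (err instanceof URIError) return null; // malformed escape sequence
    throw err; // anything else is a real bug and should surface
  }
}

// Request listener with the 404 fallback the report asks for. `serveFile` is an
// assumed, caller-supplied stand-in for the static-file step (send() in the adapter).
function createListener(serveFile) {
  return (req, res) => {
    const pathname = req.url ? normalizePathname(req.url) : null;
    if (pathname === null) {
      res.statusCode = 404;
      res.end('Not found');
      return;
    }
    serveFile(pathname, req, res);
  };
}

// Constructed inputs: the malformed path from the report and a well-formed one.
const samples = [
  '/asdasdasd@ax_zX=.zxczas🐥%/úadasd000%/', // decodeURI throws -> null -> 404
  '/hello world',                            // well-formed -> /hello%20world
];
for (const url of samples) console.log(url, '->', normalizePathname(url));
```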
@jamesli2021

At the same time, it could be worth checking that the URL does not exceed 2048 characters and that it is a supported locale URL.

@harrytran998
Author

Yup, we should have a hook or a function to validate the URL.

@harrytran998
Author

Today our website is still down because we are getting a lot of BXSS attacks. Hope your team can fix it. If hackers notice, a lot of Astro users will be affected!

@harrytran998 harrytran998 changed the title Astro break when user input invalid url - contains special character Astro server break when user input invalid url + BXSS attack Apr 4, 2023
@Princesseuh Princesseuh added the - P5: urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority) label Apr 4, 2023
@Princesseuh
Member

Princesseuh commented Apr 4, 2023

Hmm, I can't seem to reproduce.

  • In dev, there's an error in the terminal, sure, but the server does not go down.
  • In SSR, I just get a 404 and the server does not crash.

Do you have a better reproduction you could share?

@Princesseuh Princesseuh added needs response Issue needs response from OP and removed - P5: urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority) labels Apr 4, 2023
@Princesseuh
Member

Ah, never mind, just as I sent my message I was able to reproduce 🤦‍♀️ Seems like you can't necessarily trigger it from a browser; I needed to use curl.

@Princesseuh Princesseuh added - P5: urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority) and removed needs response Issue needs response from OP labels Apr 4, 2023
@Princesseuh Princesseuh self-assigned this Apr 4, 2023
@harrytran998
Author

harrytran998 commented Apr 4, 2023

Thanks for the quick response. I was making a quick workaround to patch @astrojs/node, but I hope you can do this officially.

The BXSS attack is included in the path name like this: /\\xfs.bxss.me%3Fastrojs.com/hello-world
