fix: handle trailing slashes on root route and avoid crashes due to AssertionError
s thrown by odd requests
#1960
+76
−9
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pre-Submission Checklist
make prepush
Issues
Closes:
restify.pre.sanitizePath()
is used #1959The issues demonstrate how restify can crash the node process when using
server.pre(restify.pre.sanitizePath())
and a request with trailing slashes on root is received. I experienced this via intruder.io scanning against my production API application that uses restify. Please see the repro case here as referenced in #1959.Changes
This PR makes 3 basic changes, each with at least one new unit test:
Changes the
sanitizePath
middleware in lib/plugins/pre/prePath.js to return a root url (/
) instead of an empty string in the case where the actual url consists of more than one slash e.g.//
or///
. This helps avoid numbers 2 and 3 below.Changes the
lookup
method in lib/router.js to returnundefined
whenreq.getUrl().pathname
is falsy. This helps avoid callingthis._registry.lookup(req.method, pathname)
which will result in anAssertionError
in the case that thepathname
is falsy, for whatever reason.Changes the
defaultRoute
method in lib/router.js to expect/handle a falsypathname
by skipping registry lookup (which would throw anAssertionError
) and raising the standardResourceNotFoundError
(which results in 404 response) with the message "Requested path does not exist". This, along with number 2, allows restify to gracefully handle a falsypathname
for whatever reason.All changes are covered by unit tests, namely:
sanitizePath
in test/plugins/plugins.test.jsGH-1959: lookup returns undefined when no handler found
in test/router.test.jsGH-1959: route handles 404 when pathname invalid
in test/router.test.jsThis is an attempt to make restify more robust and avoid crashes due to odd requests, if possible.
Please let me know if you have any questions or if you'd like me to change anything. Thanks!