fix(node): Fix malformed URLs crashing the server in certain cases #6746

Merged: 4 commits, Apr 4, 2023

Princesseuh
Member

Changes

decodeUri, encodeUri and new URL can all throw errors in some cases. This would crash the server completely in certain cases.

I checked how Express and other servers handle this, and most of them just try catch it, so figured we can do the same.

Fix #6736

Testing

Added a test

Docs

N/A
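
The failure mode and the try/catch approach described above, as an added example that is not code from this PR or from Astro: the built-ins `new URL` and `decodeURI` throw on malformed input, and an uncaught throw in a request handler takes the process down. The names `parseRequestTarget`, `handleRequest` and `render`, and the sample inputs, are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not Astro's API.

// Parse and decode a raw request target. Only the two built-in calls that
// throw on malformed input sit inside the try block.
function parseRequestTarget(rawTarget, base = 'http://localhost') {
  try {
    const url = new URL(rawTarget, base);      // TypeError if unparsable
    const pathname = decodeURI(url.pathname);  // URIError on a bad % escape
    return { ok: true, url, pathname };
  } catch (err) {
    if (err instanceof URIError || err instanceof TypeError) {
      return { ok: false };
    }
    throw err; // unexpected: surface it rather than mask a bug
  }
}

// Minimal handler shape: returns an HTTP status instead of throwing.
// `render` stands in for whatever the server does after URL parsing.
function handleRequest(rawTarget, render) {
  const parsed = parseRequestTarget(rawTarget);
  if (!parsed.ok) return { status: 400 };
  try {
    return { status: 200, body: render(parsed.pathname) };
  } catch (err) {
    // The URL parsed, but a later stage failed: a server error, not a crash.
    return { status: 500 };
  }
}

// Constructed sample inputs (not taken from the PR's test file).
const samples = ['/about', '/%', '/%E0%A4%A', '//', '/boom'];
const render = (pathname) => {
  if (pathname === '/boom') throw new RangeError('later stage failed');
  return `page for ${pathname}`;
};
for (const target of samples) {
  console.log(JSON.stringify(target), handleRequest(target, render).status);
}
```

Keeping the 400 and 500 paths separate makes it possible to log and alert on them differently: a burst of 400s is malformed client input, while a 500 on a URL that parsed cleanly points at a defect further down the pipeline.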

changeset-bot bot commented Apr 4, 2023

🦋 Changeset detected

Latest commit: 5b93104

The changes in this PR will be included in the next version bump.

@github-actions github-actions bot added the pkg: integration Related to any renderer integration (scope) label Apr 4, 2023
@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Apr 4, 2023

for (const weirdUrl of weirdURLs) {
const fetchResult = await fixture.fetch(weirdUrl);
expect([400, 500]).to.include(
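
Review bot: `expect([400, 500]).to.include(` accepts either status for every entry in `weirdURLs`, so a URL that should be rejected as malformed can regress from 400 to 500 without the test noticing. Consider splitting the list into URLs expected to fail URL parsing (assert 400) and URLs expected to fail later (assert 500), and fetching a known-good route after the loop to assert the server is still answering, since a crashed server is the condition this change is meant to prevent.
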
Member Author

Certain URLs here return 500 instead of 400 because they pass the encodeUri, decodeUri, new URI stuff, but they fail later on in the server.

@Princesseuh Princesseuh merged commit 4cc1bf6 into main Apr 4, 2023
@Princesseuh Princesseuh deleted the fix/node-crash branch April 4, 2023 13:48
@astrobot-houston astrobot-houston mentioned this pull request Apr 4, 2023
Successfully merging this pull request may close these issues.

Astro server break when user input invalid url + BXSS attack
3 participants