static plugin ResourceNotFoundError throws on sprintf-like percent code in req.path

[trentm]

Restify version: 4.x (I'm running 4.3.0).
Node.js version: v4.8.0.

Expected behaviour

If using the restify server is using the static plugin and the client requests a path that doesn't exist, you'd expect a 404:

% curl -i http://10.99.99.21/docs/no-such-file.html
HTTP/1.1 404 Not Found
Content-Type: application/json
Content-Length: 72
Date: Mon, 26 Jun 2017 22:35:38 GMT
Connection: keep-alive

{
  "code": "ResourceNotFound",
  "message": "/docs/no-such-file.html"
}

Actual behaviour

However, if the given request path includes percent codes (for URL escaping), that also look like printf codes, then you'll get an InternalError:

 { [InternalError: too few args to sprintf]
  jse_shortmsg: '',
  jse_info: {},
  message: 'too few args to sprintf',
  statusCode: 500,
  body: { code: 'InternalError', message: 'too few args to sprintf' },
  restCode: 'InternalError',
  name: 'InternalError' }

(or a crash if your restify server is configured to not use an 'uncaughtException' handler).
This is because:

• The 'static' plugin calls: next(new ResourceNotFoundError(err, req.path()));
• ResourceNotFoundError is a RestError that is based on verror.WError, which ultimately calls extsprintf.sprintf(<path>).
• This blows up because:

> new restify.ResourceNotFoundError('/docs/not-%22such-file.html not found')
Error: too few args to sprintf
    ...

Repro case

I'll have a test case in the coming PR.

[trentm]

Note: PR 1383 above was accidentally against 5.x. PR 1384 is the correct one.

[trentm]

Fixed by #1384 for restify 4.x: published in restify@4.3.1.

I'll try to get a PR for restify@5.x soon.

[trentm]

Ah, no fix is needed for 5.x: this issue as fixed by commit fbd56f5 a long while back.

I added #1391 to add a couple tests for this case (basically the same tests added for the 4.x change fixing this).