New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(static): avoid user-provided data in Error messages being interpreted as sprintf codes #1384
Conversation
…erpreted as sprintf codes The 'static' plugin had a few cases where the path in a request would be passed as the first ("message") field to a RestError constructor. RestError uses verror.WError, which uses extsprintf to render the given arguments. If the "message" includes "%...s" or similar printf codes, then it will error output. Also bump to 4.3.1.
Hey @trentm! Thank you for the thorough bug report paired with a PR! ❤️ I'm tagging this as unconfirmed until a maintainer runs the repro case (which should be soon ™️) At a quick glance, updating the |
@retrohacker Sure I could remove those parts if you like. FWIW, I am a maintainer of restify (though not the most active) and have commit rights. I don't speak regularly with the other maintainers and haven't for a while, so I was feeling out the process a bit. I was hoping to get a review/+1 and then quickly do a patch level release with this change. |
The check failure looks like a spurious timing-related test failure unrelated to my change:
from https://travis-ci.org/restify/node-restify/jobs/247301081
|
Oh snap 😊 I'm new, sorry! And yeah, the audit logger tests have transient failures. I opened an issue here but haven't had time to take a look. Re-triggering almost always gets the test to pass but it is very irritating: https://github.com/restify/node-restify/issues/created_by/retrohacker |
No problem at all. :) Thanks for working on restify issues! |
@@ -984,6 +984,39 @@ test('GH-719 serve a specific static file', function (t) { | |||
serveStaticTest(t, false, '.tmp', null, true); | |||
}); | |||
|
|||
test('static responds 404 for missing file', function (t) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, this test was missing
test/plugins.test.js
Outdated
// > new restify.ResourceNotFoundError('/%22s not found') | ||
// Error: too few args to sprintf | ||
test('static responds 404 for missing file with percent-codes', function (t) { | ||
var p = '/public/no-%22such-file.json'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great test!
test/plugins.test.js
Outdated
}); | ||
}); | ||
|
||
// Earlier versons would throw: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment makes sense in the context of this PR, but may be confusing to future readers who don't have this context. Also, test name should begin with GH-1382
.
Everything here looks good. Note that we are going to be shipping 5.x this week ^_^ will leave #1382 open until a PR is submitted for the 5.x branch ❤️ |
@retrohacker Do you want a PR for this for 5.x before that release? |
@trentm That would be awesome 🤘 |
Actually, it looks like we are shipping 5.x today ^_^ a review will probably take longer than that this can be shipped as a |
@retrohacker Cool, thanks. Are we waiting for anything on this ticket, do you know? I'd love to merge this and get a 4.3.1 release out with it. |
@trentm everything LGTM. I'm still getting a feel for what consensus looks like, but I'm okay merging with 1 review unless @yunong @DonutEspresso or @rajatkumar have an objection to that policy. |
Objections to me (squash) merging this and doing a 4.3.1 release? I'll do that tomorrow morning unless someone screams. :) Thanks @retrohacker ! |
Sorry about the long (and slightly inaccurate) commit message for that merge. I missed seeing all that content for the commit message that was below the fold (scroll down) in the message box UI that GitHub provided. |
This is published in restify@4.3.1 now. |
🎉 |
…eted as sprintf codes (#1384) The 'static' plugin had a few cases where the path in a request would be passed as the first ("message") field to a RestError constructor. RestError uses verror.WError, which uses extsprintf to render the given arguments. If the "message" includes "%...s" or similar printf codes, then it will error output. Also bump to 4.3.1. * drop ver bump changes, per review comments * update test name and drop comment (unnecessary with issue ref) per review comments
…eted as sprintf codes (#1384) (#1472) The 'static' plugin had a few cases where the path in a request would be passed as the first ("message") field to a RestError constructor. RestError uses verror.WError, which uses extsprintf to render the given arguments. If the "message" includes "%...s" or similar printf codes, then it will error output.
The 'static' plugin had a few cases where the path in a request would be
passed as the first ("message") field to a RestError constructor.
RestError uses verror.WError, which uses extsprintf to render the given
arguments. If the "message" includes "%...s" or similar printf codes,
then it will error output.
Also bump to 4.3.1.
Fixes #1382.