2979dd66df
* Add some path blockers for malicious requests Closes https://github.com/github/docs-engineering/issues/759 * Reorder checks and respond with 404 in one case
58 lines
1.5 KiB
JavaScript
58 lines
1.5 KiB
JavaScript
import patterns from '../lib/patterns.js'
|
|
|
|
export default function handleInvalidPaths(req, res, next) {
|
|
// prevent open redirect vulnerability
|
|
if (req.path.match(patterns.multipleSlashes)) {
|
|
return next(404)
|
|
}
|
|
|
|
// Prevent Express from blowing up with `URIError: Failed to decode param`
|
|
// for paths like /%7B%
|
|
try {
|
|
decodeURIComponent(req.path)
|
|
} catch (err) {
|
|
if (process.env.NODE_ENV !== 'test') {
|
|
console.error('unable to decode path', req.path, err)
|
|
}
|
|
|
|
return res.sendStatus(400)
|
|
}
|
|
|
|
// Prevent spammy request URLs from getting through by checking how they
|
|
// handle being normalized twice in a row
|
|
try {
|
|
const origin = 'https://docs.github.com'
|
|
const normalizedPath = new URL(req.path, origin).pathname
|
|
|
|
// This may also throw an error with code `ERR_INVALID_URL`
|
|
const reNormalizedPath = new URL(normalizedPath, origin).pathname
|
|
|
|
if (reNormalizedPath !== normalizedPath) {
|
|
throw new Error('URI keeps changing')
|
|
}
|
|
} catch (err) {
|
|
if (process.env.NODE_ENV !== 'test') {
|
|
console.error('unable to normalize path', req.path, err)
|
|
}
|
|
|
|
return res.sendStatus(400)
|
|
}
|
|
|
|
// Prevent some script tag injection attacks
|
|
if (req.path.match(/<script/i)) {
|
|
return res.sendStatus(400)
|
|
}
|
|
|
|
// Prevent some injection attacks targeting Fastly
|
|
if (req.path.match(/<esi:include/i)) {
|
|
return res.sendStatus(400)
|
|
}
|
|
|
|
// Prevent various malicious injection attacks targeting Next.js
|
|
if (req.path.match(/^\/_next[^/]/)) {
|
|
return next(404)
|
|
}
|
|
|
|
return next()
|
|
}
|