From 7b0dca0f9c7eb0c79fbc4e487a06357ab35347e7 Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Thu, 12 Dec 2013 02:49:16 +0400
Subject: [PATCH] throw 400 in case of malformed paths
---
 lib/router/route.js | 12 ++++++---
 lib/utils.js | 19 --------------
 test/app.router.js | 60 ++++++++++++++++++++++++++++++++-------------
 3 files changed, 52 insertions(+), 39 deletions(-)
diff --git a/lib/router/route.js b/lib/router/route.js
index 4334c88e..d7ec88d2 100644
--- a/lib/router/route.js
+++ b/lib/router/route.js
@@ -57,9 +57,15 @@ Route.prototype.match = function(path){
 for (var i = 1, len = m.length; i < len; ++i) {
 var key = keys[i - 1];
- var val = 'string' == typeof m[i]
- ? utils.decode(m[i])
- : m[i];
+ try {
+ var val = 'string' == typeof m[i]
+ ? decodeURIComponent(m[i])
+ : m[i];
+ } catch(e) {
+ var err = new Error("Failed to decode param '" + m[i] + "'");
+ err.status = 400;
+ throw err;
+ }
 if (key) {
 params[key.name] = val;
diff --git a/lib/utils.js b/lib/utils.js
index f19061bc..b30873a8 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -312,22 +312,3 @@ exports.pathRegexp = function(path, keys, sensitive, strict) {
 .replace(/\*/g, '(.*)');
 return new RegExp('^' + path + '$', sensitive ? '' : 'i');
 }
-
- /**
- * Decodes a URI component. Returns
- * the original string if the component
- * is malformed.
- *
- * @param {String} str
- * @return {String}
- * @api private
- */
-
-exports.decode = function(str) {
- try {
- return decodeURIComponent(str);
- } catch (e) {
- return str;
- }
-}
diff --git a/test/app.router.js b/test/app.router.js
index 65c98c72..c2bd082c 100644
--- a/test/app.router.js
+++ b/test/app.router.js
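Review bot: The raw, undecodable path segment `m[i]` is copied verbatim into `err.message` in the new catch block, so any error handler that echoes `err.message` into a response would reflect client-controlled bytes straight back; naming the parameter instead of its value avoids that, e.g. `var err = new Error("Failed to decode param '" + (key ? key.name : i) + "'");`, which uses the `key` already declared on the context line above. The catch also discards `e`, so the original URIError is lost to logging; attaching it as a property such as `err.cause = e;` keeps it. Deleting `utils.decode` in the second hunk breaks any other caller of it; none is visible in this diff, so that is worth checking before merge. `Route.prototype.match` starts and ends outside the hunk.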
@@ -27,28 +27,54 @@ describe('app.router', function(){
 });
 })
- it('should decode params', function(done){
- var app = express();
+ describe('decode querystring', function(){
+ it('should decode correct params', function(done){
+ var app = express();
- app.get('/:name', function(req, res, next){
- res.send(req.params.name);
- });
+ app.get('/:name', function(req, res, next){
+ res.send(req.params.name);
+ });
- request(app)
- .get('/foo%2Fbar')
- .expect('foo/bar', done);
- })
+ request(app)
+ .get('/foo%2Fbar')
+ .expect('foo/bar', done);
+ })
- it('should accept params in malformed paths', function(done) {
- var app = express();
+ it('should not accept params in malformed paths', function(done) {
+ var app = express();
- app.get('/:name', function(req, res, next){
- res.send(req.params.name);
- });
+ app.get('/:name', function(req, res, next){
+ res.send(req.params.name);
+ });
- request(app)
- .get('/%foobar')
- .expect('%foobar', done);
+ request(app)
+ .get('/%foobar')
+ .expect(400, done);
+ })
+
+ it('should not decode spaces', function(done) {
+ var app = express();
+
+ app.get('/:name', function(req, res, next){
+ res.send(req.params.name);
+ });
+
+ request(app)
+ .get('/foo+bar')
+ .expect('foo+bar', done);
+ })
+
+ it('should work with unicode', function(done) {
+ var app = express();
+
+ app.get('/:name', function(req, res, next){
+ res.send(req.params.name);
+ });
+
+ request(app)
+ .get('/%ce%b1')
+ .expect('\u03b1', done);
+ })
 })
 it('should be .use()able', function(done){
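Review bot: The new `describe('decode querystring', ...)` label misnames what these four tests exercise: every request hits a `/:name` route parameter and asserts on `req.params.name`, and no query string is involved, so `describe('decode params', function(){` would match the cases. The malformed-path test only pins the status code; an additional assertion on the response body that the raw `%foobar` segment is not echoed back would also guard against the error message reflecting undecodable input. The enclosing `describe('app.router', ...)` starts and ends outside the hunk.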