throw 400 in case of malformed paths

2025-12-06 12:19:51 +01:00 · 2013-12-12 02:49:16 +04:00 · 2013-12-12 02:49:16 +04:00 · 7b0dca0f9c
commit 7b0dca0f9c
parent 34c83d7d29
3 changed files with 52 additions and 39 deletions
--- a/lib/router/route.js
+++ b/lib/router/route.js
@ -57,9 +57,15 @@ Route.prototype.match = function(path){
  for (var i = 1, len = m.length; i < len; ++i) {
    var key = keys[i - 1];

-    var val = 'string' == typeof m[i]
-      ? utils.decode(m[i])
-      : m[i];
+    try {
+      var val = 'string' == typeof m[i]
+        ? decodeURIComponent(m[i])
+        : m[i];
+    } catch(e) {
+      var err = new Error("Failed to decode param '" + m[i] + "'");
+      err.status = 400;
+      throw err;
+    }

    if (key) {
      params[key.name] = val;
--- a/lib/utils.js
+++ b/lib/utils.js
@ -312,22 +312,3 @@ exports.pathRegexp = function(path, keys, sensitive, strict) {
    .replace(/\*/g, '(.*)');
  return new RegExp('^' + path + '$', sensitive ? '' : 'i');
 }
-
-
-/**
- * Decodes a URI component. Returns
- * the original string if the component
- * is malformed.
- *
- * @param  {String} str
- * @return {String}
- * @api private
- */
-
-exports.decode = function(str) {
-  try {
-    return decodeURIComponent(str);
-  } catch (e) {
-    return str;
-  }
-}
--- a/test/app.router.js
+++ b/test/app.router.js
@ -27,28 +27,54 @@ describe('app.router', function(){
    });
  })

-  it('should decode params', function(done){
-    var app = express();
+  describe('decode querystring', function(){
+    it('should decode correct params', function(done){
+      var app = express();

-    app.get('/:name', function(req, res, next){
-      res.send(req.params.name);
-    });
+      app.get('/:name', function(req, res, next){
+        res.send(req.params.name);
+      });

-    request(app)
-    .get('/foo%2Fbar')
-    .expect('foo/bar', done);
-  })
+      request(app)
+      .get('/foo%2Fbar')
+      .expect('foo/bar', done);
+    })

-  it('should accept params in malformed paths', function(done) {
-    var app = express();
+    it('should not accept params in malformed paths', function(done) {
+      var app = express();

-    app.get('/:name', function(req, res, next){
-      res.send(req.params.name);
-    });
+      app.get('/:name', function(req, res, next){
+        res.send(req.params.name);
+      });

-    request(app)
-    .get('/%foobar')
-    .expect('%foobar', done);
+      request(app)
+      .get('/%foobar')
+      .expect(400, done);
+    })
+
+    it('should not decode spaces', function(done) {
+      var app = express();
+
+      app.get('/:name', function(req, res, next){
+        res.send(req.params.name);
+      });
+
+      request(app)
+      .get('/foo+bar')
+      .expect('foo+bar', done);
+    })
+
+    it('should work with unicode', function(done) {
+      var app = express();
+
+      app.get('/:name', function(req, res, next){
+        res.send(req.params.name);
+      });
+
+      request(app)
+      .get('/%ce%b1')
+      .expect('\u03b1', done);
+    })
  })

  it('should be .use()able', function(done){