From f5b6e67aed1d8e81c30bd5be7bb88dbbfabfeb64 Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Sun, 18 Aug 2024 13:37:51 -0500 Subject: [PATCH 01/11] docs: update scorecard link (#5814) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- Readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 0fa719e2..34362d85 100644 --- a/Readme.md +++ b/Readme.md @@ -254,6 +254,6 @@ The original author of Express is [TJ Holowaychuk](https://github.com/tj) [npm-install-size-url]: https://packagephobia.com/result?p=express [npm-url]: https://npmjs.org/package/express [npm-version-image]: https://badgen.net/npm/v/express -[ossf-scorecard-badge]: https://api.securityscorecards.dev/projects/github.com/expressjs/express/badge -[ossf-scorecard-visualizer]: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/expressjs/express +[ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/express/badge +[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/express [Code of Conduct]: https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md From e35380a39d94937e3d0f7119e0efbc7cd69d003f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 19 Aug 2024 22:12:24 +0200 Subject: [PATCH 02/11] docs: add @IamLizu to the triage team (#5836) PR-URL: https://github.com/expressjs/express/pull/5836 --- Readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Readme.md b/Readme.md index 34362d85..bc108d55 100644 --- a/Readme.md +++ b/Readme.md 
@@ -202,6 +202,7 @@ The original author of Express is [TJ Holowaychuk](https://github.com/tj) * [3imed-jaberi](https://github.com/3imed-jaberi) - **Imed Jaberi** * [dakshkhetan](https://github.com/dakshkhetan) - **Daksh Khetan** (he/him) * [lucasraziel](https://github.com/lucasraziel) - **Lucas Soares Do Rego** +* [IamLizu](https://github.com/IamLizu) - **S M Mahmudul Hasan** (he/him) * [Sushmeet](https://github.com/Sushmeet) - **Sushmeet Sunger**
From c5addb9a17c5b4c9fccdd2c04153a30595e03385 Mon Sep 17 00:00:00 2001 From: Blake Embrey Date: Wed, 21 Aug 2024 20:15:02 -0700 Subject: [PATCH 03/11] deps: path-to-regexp@0.1.8 (#5603) --- History.md | 2 ++ package.json | 2 +- test/app.router.js | 26 ++++++++++++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/History.md b/History.md index c02b24ff..d81f423d 100644 --- a/History.md +++ b/History.md @@ -1,6 +1,8 @@ unreleased ========== + * deps: path-to-regexp@0.1.8 + - Adds support for named matching groups in the routes using a regex * deps: encodeurl@~2.0.0 - Removes encoding of `\`, `|`, and `^` to align better with URL spec * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie` diff --git a/package.json b/package.json index 71781e11..e88618f9 100644 --- a/package.json +++ b/package.json @@ -47,7 +47,7 @@ "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.7", + "path-to-regexp": "0.1.8", "proxy-addr": "~2.0.7", "qs": "6.11.0", "range-parser": "~1.2.1", diff --git a/test/app.router.js b/test/app.router.js index 707333f0..8e427bd6 100644 --- a/test/app.router.js +++ b/test/app.router.js @@ -193,6 +193,23 @@ describe('app.router', function(){ .expect('editing user 10', done); }) + if (supportsRegexp('(?.*)')) { + it('should populate req.params with named captures', function(done){ + var app = express(); + var re = new RegExp('^/user/(?[0-9]+)/(view|edit)?$'); + + app.get(re, function(req, res){ + var id = req.params.userId + , op = req.params[0]; + res.end(op + 'ing user ' + id); + }); + + request(app) + .get('/user/10/edit') + .expect('editing user 10', done); + }) + } + it('should ensure regexp matches path prefix', function (done) { var app = express() var p = [] 
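Review bot: The probe `supportsRegexp('(?.*)')` and the route pattern `'^/user/(?[0-9]+)/(view|edit)?$'` appear here with nothing between `(?` and the pattern, so as rendered the probe tests an invalid expression and the route defines no `userId` group even though the handler reads `req.params.userId`; presumably the `<name>` and `<userId>` tokens were lost in this rendering, but it is worth confirming the committed file carries them. Wrapping the `it(...)` in `if (supportsRegexp(...)) { ... }` makes the case disappear silently on runtimes without named groups; `(supportsRegexp('(?<name>.*)') ? it : it.skip)('should populate req.params with named captures', ...)` keeps a visible skipped entry in the report instead. The `supportsRegexp` helper added by this file's second hunk sits after the `describe` and is reachable only through function-declaration hoisting; a one-line comment on it, `// hoisted: probes whether this runtime accepts a regex feature (e.g. named groups)`, would save the next reader the search.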
@@ -1114,3 +1131,12 @@ describe('app.router', function(){ assert.strictEqual(app.get('/', function () {}), app) }) }) + +function supportsRegexp(source) { + try { + new RegExp(source) + return true + } catch (e) { + return false + } +} From a3e7e05e0a435b7b4be25bd38d8d0ca19a773ca9 Mon Sep 17 00:00:00 2001 From: S M Mahmudul Hasan Date: Thu, 22 Aug 2024 22:25:14 +0600 Subject: [PATCH 04/11] docs: specify new instructions for `question` and `discuss` PR-URL: https://github.com/expressjs/express/pull/5835 --- Triager-Guide.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Triager-Guide.md b/Triager-Guide.md index a2909ef3..c15e6be5 100644 --- a/Triager-Guide.md +++ b/Triager-Guide.md @@ -9,11 +9,18 @@ classification: * `needs triage`: This can be kept if the triager is unsure which next steps to take * `awaiting more info`: If more info has been requested from the author, apply this label. -* `question`: User questions that do not appear to be bugs or enhancements. -* `discuss`: Topics for discussion. Might end in an `enhancement` or `question` label. * `bug`: Issues that present a reasonable conviction there is a reproducible bug. * `enhancement`: Issues that are found to be a reasonable candidate feature additions. +If the issue is a question or discussion, it should be moved to GitHub Discussions. + +### Moving Discussions and Questions to GitHub Discussions + +For issues labeled with `question` or `discuss`, it is recommended to move them to GitHub Discussions instead: + +* **Questions**: User questions that do not appear to be bugs or enhancements should be moved to GitHub Discussions. +* **Discussions**: Topics for discussion should be moved to GitHub Discussions. If the discussion leads to a new feature or bug identification, it can be moved back to Issues. + In all cases, issues may be closed by maintainers if they don't receive a timely response when further information is sought, or when additional questions are asked. 
From 2a980ad16052e53b398c9953fea50e3daa0b495c Mon Sep 17 00:00:00 2001 From: Anna Bocharova Date: Fri, 23 Aug 2024 22:39:13 +0200 Subject: [PATCH 05/11] merge-descriptors@1.0.3 (#5781) * Allow patches for `merge-descriptors` dependency * Set fixed latest of v1 (1.0.3) --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e88618f9..91e29013 100644 --- a/package.json +++ b/package.json @@ -43,7 +43,7 @@ "finalhandler": "1.2.0", "fresh": "0.5.2", "http-errors": "2.0.0", - "merge-descriptors": "1.0.1", + "merge-descriptors": "1.0.3", "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", From 125bb742a38cd97938a3932b47cc301e41c31f5d Mon Sep 17 00:00:00 2001 From: Blake Embrey Date: Mon, 9 Sep 2024 14:02:06 -0700 Subject: [PATCH 06/11] path-to-regexp@0.1.10 (#5902) * path-to-regexp@0.1.10 * Update History.md --- History.md | 3 ++- package.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/History.md b/History.md index d81f423d..b0aa2e09 100644 --- a/History.md +++ b/History.md @@ -1,8 +1,9 @@ unreleased ========== - * deps: path-to-regexp@0.1.8 + * deps: path-to-regexp@0.1.10 - Adds support for named matching groups in the routes using a regex + - Adds backtracking protection to parameters without regexes defined * deps: encodeurl@~2.0.0 - Removes encoding of `\`, `|`, and `^` to align better with URL spec * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie` diff --git a/package.json b/package.json index 91e29013..87cf10be 100644 --- a/package.json +++ b/package.json @@ -47,7 +47,7 @@ "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.8", + "path-to-regexp": "0.1.10", "proxy-addr": "~2.0.7", "qs": "6.11.0", "range-parser": "~1.2.1", From 54271f69b511fea198471e6ff3400ab805d6b553 Mon Sep 17 00:00:00 2001 
From: Chris de Almeida Date: Mon, 9 Sep 2024 17:16:58 -0500 Subject: [PATCH 07/11] fix: don't render redirect values in anchor href MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- lib/response.js | 2 +- test/res.redirect.js | 24 +++++++++++++++++++++--- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/lib/response.js b/lib/response.js index 68d969ff..76b6b54a 100644 --- a/lib/response.js +++ b/lib/response.js @@ -969,7 +969,7 @@ res.redirect = function redirect(url) { html: function(){ var u = escapeHtml(address); - body = '

' + statuses.message[status] + '. Redirecting to ' + u + '

' + body = '

' + statuses.message[status] + '. Redirecting to ' + u + '

' }, default: function(){ diff --git a/test/res.redirect.js b/test/res.redirect.js index 5ffc7e48..f7214d93 100644 --- a/test/res.redirect.js +++ b/test/res.redirect.js @@ -106,7 +106,7 @@ describe('res', function(){ .set('Accept', 'text/html') .expect('Content-Type', /html/) .expect('Location', 'http://google.com') - .expect(302, '
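Review bot: The `html` formatter in this hunk now carries no comment explaining why the redirect target is rendered as escaped text rather than a link, and that is exactly the kind of decision a later "improvement" tends to undo; a line above `html: function(){` such as `// Render the target as text only: an anchor would make a javascript: redirect target clickable (see test/res.redirect.js)` records the intent. As rendered here the markup in both the removed and the added `body = ...` lines has been stripped, so only the test hunk shows what actually changed; what is visible is that `escapeHtml(address)` on the line above still applies on the new side. `res.redirect` begins and continues outside this hunk, so whether `address` is otherwise validated cannot be judged from here.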

Found. Redirecting to http://google.com

', done) + .expect(302, '

Found. Redirecting to http://google.com

', done) }) it('should escape the url', function(done){ @@ -122,9 +122,27 @@ describe('res', function(){ .set('Accept', 'text/html') .expect('Content-Type', /html/) .expect('Location', '%3Cla\'me%3E') - .expect(302, '

Found. Redirecting to %3Cla'me%3E

', done) + .expect(302, '

Found. Redirecting to %3Cla'me%3E

', done) }) + it('should not render evil javascript links in anchor href (prevent XSS)', function(done){ + var app = express(); + var xss = 'javascript:eval(document.body.innerHTML=`

XSS

`);'; + var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);'; + + app.use(function(req, res){ + res.redirect(xss); + }); + + request(app) + .get('/') + .set('Host', 'http://example.com') + .set('Accept', 'text/html') + .expect('Content-Type', /html/) + .expect('Location', encodedXss) + .expect(302, '

Found. Redirecting to ' + encodedXss +'

', done); + }); + it('should include the redirect type', function(done){ var app = express(); @@ -137,7 +155,7 @@ describe('res', function(){ .set('Accept', 'text/html') .expect('Content-Type', /html/) .expect('Location', 'http://google.com') - .expect(301, '

Moved Permanently. Redirecting to http://google.com

', done); + .expect(301, '

Moved Permanently. Redirecting to http://google.com

', done); }) }) From ec4a01b6b8814d7b007f36a3023f4dbafdbc3d09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 10 Sep 2024 01:36:30 +0200 Subject: [PATCH 08/11] feat: upgrade to body-parser@1.20.3 (#5926) PR-URL: https://github.com/expressjs/express/pull/5926 --- History.md | 5 ++++- package.json | 2 +- test/express.urlencoded.js | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/History.md b/History.md index b0aa2e09..904db45b 100644 --- a/History.md +++ b/History.md @@ -1,6 +1,9 @@ unreleased ========== - + * deps: body-parser@0.6.0 + * add `depth` option to customize the depth level in the parser + * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) + * Remove link renderization in html while using `res.redirect` * deps: path-to-regexp@0.1.10 - Adds support for named matching groups in the routes using a regex - Adds backtracking protection to parameters without regexes defined diff --git a/package.json b/package.json index 87cf10be..4c0fea2d 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,7 @@ "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", - "body-parser": "1.20.2", + "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", "cookie": "0.6.0", diff --git a/test/express.urlencoded.js b/test/express.urlencoded.js index e07432c8..537fb797 100644 --- a/test/express.urlencoded.js +++ b/test/express.urlencoded.js @@ -212,7 +212,7 @@ describe('express.urlencoded()', function () { it('should parse deep object', function (done) { var str = 'foo' - for (var i = 0; i < 500; i++) { + for (var i = 0; i < 32; i++) { str += '[p]' } @@ -230,7 +230,7 @@ describe('express.urlencoded()', function () { var depth = 0 var ref = obj.foo while ((ref = ref.p)) { depth++ } - assert.strictEqual(depth, 500) + assert.strictEqual(depth, 32) }) .expect(200, done) }) From 9ebe5d500d22cbb2b8aaa73446866b084c747971 Mon Sep 17 00:00:00 2001 
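Review bot: `.set('Host', 'http://example.com')` in the new XSS test is not a valid Host header value (Host carries only the authority, never a scheme) and none of the assertions depend on it; drop the line or use `.set('Host', 'example.com')` so the test does not suggest the scheme matters. The expected body is built as `'... Redirecting to ' + encodedXss +'...'` while the neighbouring expectations are hard-coded literals; spelling this one out as a literal too makes it obvious at a glance that the body must contain the percent-encoded target and no markup. The test also pins `Location` to `encodedXss`, i.e. the `javascript:` target still travels in the header; that is pre-existing behaviour the commit does not claim to change, but a one-line comment saying so would stop the next reader from treating the assertion as an oversight.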
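Review bot: Lowering the loop in `should parse deep object` from 500 to 32 only proves the new default still accepts 32 levels; there is no companion case asserting that an object nested 33 deep is rejected, which is the behaviour this upgrade introduces (`Infinity` to `32` per the changelog hunk). A sibling test that builds the string with `for (var i = 0; i < 33; i++)` and asserts the parser's error response (presumably a 400 — confirm against body-parser 1.20.3 before pinning the status) would guard the boundary. Separately, the History.md entry in this same commit reads `deps: body-parser@0.6.0` while package.json moves to `1.20.3`; one of the two is a typo.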
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 10 Sep 2024 02:46:25 +0200 Subject: [PATCH 09/11] feat: upgrade to send@0.19.0 (#5928) --- History.md | 2 ++ package.json | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/History.md b/History.md index 904db45b..9f47885e 100644 --- a/History.md +++ b/History.md @@ -1,5 +1,7 @@ unreleased ========== + * deps: send@0.19.0 + * Remove link renderization in html while redirecting * deps: body-parser@0.6.0 * add `depth` option to customize the depth level in the parser * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) diff --git a/package.json b/package.json index 4c0fea2d..1dc8c5b7 100644 --- a/package.json +++ b/package.json @@ -52,7 +52,7 @@ "qs": "6.11.0", "range-parser": "~1.2.1", "safe-buffer": "5.2.1", - "send": "0.18.0", + "send": "0.19.0", "serve-static": "1.15.0", "setprototypeof": "1.2.0", "statuses": "2.0.1", From 4c9ddc1c47bf579e55c2fe837d76a952e9fd8959 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 10 Sep 2024 03:24:32 +0200 Subject: [PATCH 10/11] feat: upgrade to serve-static@0.16.0 --- History.md | 2 ++ package.json | 2 +- test/express.static.js | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/History.md b/History.md index 9f47885e..3fe5fc7a 100644 --- a/History.md +++ b/History.md @@ -1,5 +1,7 @@ unreleased ========== + * deps: serve-static@0.16.0 + * Remove link renderization in html while redirecting * deps: send@0.19.0 * Remove link renderization in html while redirecting * deps: body-parser@0.6.0 diff --git a/package.json b/package.json index 1dc8c5b7..e9045763 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "range-parser": "~1.2.1", "safe-buffer": "5.2.1", "send": "0.19.0", - "serve-static": "1.15.0", + "serve-static": "1.16.0", "setprototypeof": "1.2.0", "statuses": "2.0.1", "type-is": "~1.6.18", 
diff --git a/test/express.static.js b/test/express.static.js index 245fd592..23e607ed 100644 --- a/test/express.static.js +++ b/test/express.static.js @@ -486,7 +486,7 @@ describe('express.static()', function () { request(this.app) .get('/users') .expect('Location', '/users/') - .expect(301, //, done) + .expect(301, /\/users\//, done) }) it('should redirect directories with query string', function (done) { @@ -508,7 +508,7 @@ describe('express.static()', function () { .get('/snow') .expect('Location', '/snow%20%E2%98%83/') .expect('Content-Type', /html/) - .expect(301, />Redirecting to \/snow%20%E2%98%83\/<\/a>Redirecting to \/snow%20%E2%98%83\/ Date: Tue, 10 Sep 2024 03:32:10 +0200 Subject: [PATCH 11/11] 4.20.0 --- History.md | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/History.md b/History.md index 3fe5fc7a..887a38f1 100644 --- a/History.md +++ b/History.md @@ -1,4 +1,4 @@ -unreleased +4.20.0 / 2024-09-10 ========== * deps: serve-static@0.16.0 * Remove link renderization in html while redirecting diff --git a/package.json b/package.json index e9045763..bffa70a6 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "express", "description": "Fast, unopinionated, minimalist web framework", - "version": "4.19.2", + "version": "4.20.0", "author": "TJ Holowaychuk ", "contributors": [ "Aaron Heckmann ",
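Review bot: The rewritten assertion `.expect(301, /\/users\//, done)` in the first hunk only checks that `/users/` occurs somewhere in the body, which the pre-fix body with the anchor satisfied as well, so it does not guard against the link being reintroduced; the second hunk in this file (its tail is garbled in this rendering) checks the text surrounding the target and is the better model. Asserting the surrounding text here too, e.g. `.expect(301, /Redirecting to \/users\//)`, and — if `assert` is in scope in this file — adding `.expect(function (res) { assert(!res.text.includes('</a>')) })` before the final `.expect(301, done)` would pin the intended behaviour. The removed line shows as `.expect(301, //, done)`, which is presumably extraction damage to the original pattern rather than what was committed.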