Server crash on POST request #1683
Comments
Thanks, PR in #1684. I opted to fix the fallback format by omitting cursor
and tested that without issues.
…On Thu, Oct 25, 2018 at 12:18 AM MaxSchlueter ***@***.***> wrote:
On a high level, for requests made to certain endpoints as an
authenticated user, if the format parameter in the payload is not one of
two specific strings, the database cursor object will remain in the data
that is sent back in the response, causing JSON.stringify to throw an
error, as the database cursor object contains a circular reference.
Here are the steps to reproduce:
1. Set up a barebones Apostrophe server (https://apostrophecms.org/docs/tutorials/getting-started/creating-your-first-project.html)
2. Authenticate as a user. This doesn't necessarily need to be a user with admin rights; it can also be a user that is only granted guest rights (to add a user to the guest group, type: node app.js apostrophe-users:add user1 guest)
3. Issue a POST request to a [..]/list endpoint with format not equal to "managePage" or "allIds", e.g. curl -d '{ "format": "HelloWorld", "page": 1, "trash": false }' -H 'Content-Type: application/json' -H /* AUTHENTICATION HEADERS HERE */ http://localhost:3000/modules/apostrophe-global/list

This request should have crashed the server. A simple fix would be to make sure that the results variable is overwritten in the list function in *lib/modules/apostrophe-pieces/lib/routes.js*:

    if (req.body.format === 'managePage') {
      ...
    } else if (req.body.format === 'allIds') {
      ...
    }
    // add this else branch
    else {
      results = {};
    }

Cheers,
Max
--
*Thomas Boutell, Chief Software Architect*
P'unk Avenue | (215) 755-1330 | punkave.com
Curious how you're using Apostrophe; please do drop a line at tom@punkave.com when you get a chance. Thanks!

Fix published, thanks again!
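
The failure mode reported in this issue, as an added example that is not part of the thread or of Apostrophe's own code: a list-style handler that only overwrites `results` for two known formats, next to the same handler with the else branch proposed in the report. The function names, the shape of `results`, and the stand-in cursor are assumptions constructed for illustration.

```javascript
// Constructed stand-in for a database cursor. The only property that matters
// for this bug is that its object graph refers back to itself.
function makeCursor() {
  const cursor = { collection: 'pieces' };
  cursor.owner = { cursor };
  return cursor;
}

// Hypothetical list handler body. `results` starts out holding the cursor and
// is only safe to serialize once a format branch has replaced it.
function list(format, withFallback) {
  let results = {
    cursor: makeCursor(),
    total: 2,
    pieces: [{ _id: 'a' }, { _id: 'b' }]
  };
  if (format === 'managePage') {
    results = { total: results.total, pieces: results.pieces };
  } else if (format === 'allIds') {
    results = { ids: results.pieces.map((p) => p._id) };
  } else if (withFallback) {
    // The else branch proposed in the issue: never let the cursor through.
    results = {};
  }
  return results;
}

// Serialize the way a JSON response would, but report the failure instead of
// letting the exception propagate and take the process down.
function trySerialize(results) {
  try {
    return { ok: true, body: JSON.stringify(results) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Compare both variants for the two known formats and one unknown format.
for (const format of ['managePage', 'allIds', 'HelloWorld']) {
  const before = trySerialize(list(format, false));
  const after = trySerialize(list(format, true));
  console.log(format, 'before:', before.ok, 'after:', after.ok);
}
```

Only the unknown format fails before the else branch is added, which is why the defect is reachable through a user-controlled `format` value and nothing else in the payload.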