Server crash on POST request

[MaxSchlueter]

On a high level, for requests made to certain endpoints as an authenticated user, if the format parameter in the payload is not one of two specific strings, the database cursor object will remain in the data that is sent back in the response, causing JSON.stringify to throw an error, as the database cursor object contains a circular reference.

Here are the steps to reproduce:

1. Set up a barebones Apostrophe server (https://apostrophecms.org/docs/tutorials/getting-started/creating-your-first-project.html)

2. Authenticate as a user. This doesn't necessarily need to be a user
   with admin rights, it can also be a user that is only granted guest
   rights (to add user to the guest group type: node app.js apostrophe-users:add user1 guest)

3. Issue a POST request to a [..]/list endpoint with format not equals to "managePage" or "allIds", e.g. curl -d '{ "format": "HelloWorld", "page": 1, "trash": false }' -H 'Content-Type: application/json' -H /* AUTHENTICATION HEADERS HERE */ http://localhost:3000/modules/apostrophe-global/list

This request should have crashed the server. A simple fix would be to make sure that the results variable is overwritten in the list function in lib/modules/apostrophe-pieces/lib/routes.js:

if (req.body.format === 'managePage') {
     ...
} else if (req.body.format === 'allIds') {
     ...
}
// add this else branch
else {
     results = {};
}

Cheers,

Max

[boutell]

Thanks, PR in #1684. I opted to fix the fallback format by omitting cursor and tested that without issues.

…

On Thu, Oct 25, 2018 at 12:18 AM MaxSchlueter ***@***.***> wrote: On a high level, for requests made to certain endpoints as an authenticated user, if the format parameter in the payload is not one of two specific strings, the database cursor object will remain in the data that is sent back in the response, causing JSON.stringify to throw an error, as the database cursor object contains a circular reference. Here are the steps to reproduce: 1. Set up a barebones Apostrophe server ( https://apostrophecms.org/docs/tutorials/getting-started/creating-your-first-project.html ) 2. Authenticate as a user. This doesn't necessarily need to be a user with admin rights, it can also be a user that is only granted guest rights (to add user to the guest group type: node app.js apostrophe-users:add user1 guest) 3. Issue a POST request to a [..]/list endpoint with format not equals to "managePage" or "allIds", e.g. curl -d '{ "format": "HelloWorld", "page": 1, "trash": false }' -H 'Content-Type: application/json' -H /* AUTHENTICATION HEADERS HERE */ http://localhost:3000/modules/apostrophe-global/list This request should have crashed the server. A simple fix would be to make sure that the results variable is overwritten in the list function in *lib/modules/apostrophe-pieces/lib/routes.js*: if (req.body.format === 'managePage') { ... } else if (req.body.format === 'allIds') { ... }// add this else branchelse { results = {}; } Cheers, Max — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1683>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAB9fW3DrzVfSH9wrsDdQpxYC428i6xpks5uoTt4gaJpZM4X5d04> .

-- *Thomas Boutell, Chief Software Architect* P'unk Avenue | (215) 755-1330 | punkave.com

[boutell]

Curious how you're using Apostrophe; please do drop a line at tom@punkave.com when you get a chance. Thanks!

[boutell]

Fix published, thanks again!