Merge pull request #1031 from restify/404-xss

fix potential xss vector
restify · Apr 29, 2016 · 0af5cca · 0af5cca
2 parents c100355 + a015067
commit 0af5cca
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/lib/router.js b/lib/router.js
@@ -605,7 +605,12 @@ Router.prototype.find = function find(req, res, callback) {
         }
     }
 
-    callback(new ResourceNotFoundError('%s does not exist', req.url));
+    // clean up the url in case of potential xss
+    // https://github.com/restify/node-restify/issues/1018
+    var cleanedUrl = url.parse(req.url).pathname;
+    callback(new ResourceNotFoundError(
+        '%s does not exist', cleanedUrl
+    ));
 };
 
 

diff --git a/test/router.test.js b/test/router.test.js
@@ -140,3 +140,32 @@ test('render route (query string)', function (t) {
 
     t.end();
 });
+
+
+test('clean up xss for 404', function (t) {
+    var server = restify.createServer();
+
+    server.listen(3000, function (listenErr) {
+        t.ifError(listenErr);
+
+        var client = restify.createStringClient({
+            url: 'http://127.0.0.1:3000/'
+        });
+
+        client.get({
+            path: '/no5_such3_file7.pl?%22%3E%3Cscript%3Ealert(73541);%3C/' +
+                   'script%3E',
+            headers: {
+                connection: 'close'
+            }
+        }, function (clientErr, req, res, data) {
+            t.ok(clientErr);
+            t.ok(data.indexOf('%22%3E%3Cscript%3Ealert(73541)') === -1,
+                 'should not reflect raw url');
+
+            server.close(function () {
+                t.end();
+            });
+        });
+    });
+});