From a015067232ad62aa035675dc63a46dce31fed3f3 Mon Sep 17 00:00:00 2001
From: Alex Liu
Date: Wed, 16 Mar 2016 13:26:50 -0700
Subject: [PATCH] fix potential xss vector

---
 lib/router.js       |  7 ++++++-
 test/router.test.js | 29 +++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/lib/router.js b/lib/router.js
index edd6b76f9..06227a9a7 100644
--- a/lib/router.js
+++ b/lib/router.js
@@ -605,7 +605,12 @@ Router.prototype.find = function find(req, res, callback) {
         }
     }
 
-    callback(new ResourceNotFoundError('%s does not exist', req.url));
+    // clean up the url in case of potential xss
+    // https://github.com/restify/node-restify/issues/1018
+    var cleanedUrl = url.parse(req.url).pathname;
+    callback(new ResourceNotFoundError(
+        '%s does not exist', cleanedUrl
+    ));
 };
 
 
diff --git a/test/router.test.js b/test/router.test.js
index 89203ac6b..60c592560 100644
--- a/test/router.test.js
+++ b/test/router.test.js
@@ -140,3 +140,32 @@ test('render route (query string)', function (t) {
         t.end();
     });
 });
+
+
+test('clean up xss for 404', function (t) {
+    var server = restify.createServer();
+
+    server.listen(3000, function (listenErr) {
+        t.ifError(listenErr);
+
+        var client = restify.createStringClient({
+            url: 'http://127.0.0.1:3000/'
+        });
+
+        client.get({
+            path: '/no5_such3_file7.pl?%22%3E%3Cscript%3Ealert(73541);%3C/' +
+                'script%3E',
+            headers: {
+                connection: 'close'
+            }
+        }, function (clientErr, req, res, data) {
+            t.ok(clientErr);
+            t.ok(data.indexOf('%22%3E%3Cscript%3Ealert(73541)') === -1,
+                'should not reflect raw url');
+
+            server.close(function () {
+                t.end();
+            });
+        });
+    });
+});
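Review bot: The new `cleanedUrl` is still attacker-controlled text: `url.parse` does not percent-decode `pathname`, so the mitigation rests entirely on the query string being dropped, and anything placed in the path segment itself is echoed unchanged into the error message. The durable fix belongs where the error is rendered rather than in the caller that builds the message — HTML-escape the reflected value in any HTML formatter and send error bodies with an explicit non-HTML content type plus `X-Content-Type-Options: nosniff`, or log `req.url` server-side and reflect nothing. Note also that `url.parse(...).pathname` is `null` for a target with no path component (e.g. `?x=1`), should such a request reach the router, which would produce `null does not exist`; `var cleanedUrl = url.parse(req.url).pathname || '/';` keeps the message well-formed. The body of `find` starts outside the hunk.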
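Review bot: The assertion on `data.indexOf('%22%3E%3Cscript%3Ealert(73541)')` only proves the percent-encoded query string is absent; a response that decoded the value and reflected it as markup would still pass, and the path component is never exercised, so the test does not pin the property the commit is about. Add a second check on the decoded form, `t.ok(data.indexOf('<script>') === -1, 'should not reflect decoded markup');`, and consider a sibling case whose marker sits in the path rather than the query. The hard-coded `3000` in `server.listen(3000, ...)` and in the client `url` also makes the test collide with anything else bound to that port; listening on `0` and reading `server.address().port` (Node `net.Server` semantics, which restify's server appears to wrap) avoids that.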