Cross-site-scripting error

[CycoPH]

I tested my restify server with this:
https://localhost:3000/no5_such3_file7.pl?%22%3E%3Cscript%3Ealert(73541);%3C/script%3E

The returned data contains "<script>alert(73541);</script>" which some browsers will execute.

Simple solution is to change the ResourceNotFoundError at the end of the Router.prototype.find to something like this:

callback(new ResourceNotFoundError('%s does not exist', url.parse(req.url).pathname));

[smcpeak]

Are you sure this is fully fixed? In restify 8.4.0 (latest), if I modify lib/router.js to revert the fix in commit a015067 (by passing req.url instead of pathname to ResourceNotFoundError), then supply the proof of concept URL above, I get back:

{"code":"ResourceNotFound","message":"/notfound?a=b&c=d%22%3E%3Cscript%3Ealert(73541);%3C/script%3E does not exist"}

Ostensibly, "some browsers will execute" this, although mine (FF 68.0.1) does not.

With the fix applied, the same URL produces:

{"code":"ResourceNotFound","message":"/notfound does not exist"}

But also with the fix, if I merely replace "?" with "/" in the POC URL, I get back:

{"code":"ResourceNotFound","message":"/notfound/a=b&c=d%22%3E%3Cscript%3Ealert(73541);%3C/script%3E does not exist"}

To me, this looks functionally identical to the original, supposedly dangerous response. Could it really be the case that the "some browsers" that will execute the JS in original response will not execute the code in that last response?

Or, said another way: the original fix seems to presume that the "pathname" portion of the URL is safer than the "query" portion, but I don't think that is true. I suspect that either there never was a real bug to begin with, or the purported fix is inadequate.