jfromaniello / express-unless

Conditionally add a middleware to express with some common patterns
MIT License

Unintentionally Bypassing Middleware with Case-Sensitive Negative Regex #16

Open dbohannon opened 8 years ago

dbohannon commented 8 years ago

In the snippet below, the basicAuth middleware will be applied to all routes beginning with /secure/.

```js
var unless = require('express-unless');
...
app.use(basicAuth.unless({path: /^(?!\/secure\/).*/}));
```

However, Express uses case-insensitive routing by default. This means that if we use the above regex and have a route /secure/endpoint, we can bypass the basicAuth middleware by requesting the route /SECURE/endpoint.

The documentation for the path option should be updated to bring this to the developer's attention. The developer should always use the case-insensitive 'i' flag when using a negative regular expression (i.e., `{path: /^(?!\/secure\/).*/i}`) or set the Express case sensitive routing option to true.

An alternate solution is to update the default behavior of the express-unless path option to include the 'i' option by default when using regular expressions. This would make the default express-unless behavior align with the default Express routing behavior; however, this would be a breaking change.
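The bypass described in this issue, as an added example that is not express-unless's own code: a minimal model of Express's default case-insensitive route matching next to a regex-based "unless" decision, run over constructed request paths with the weak and the corrected `path` option. The `routeMatches`, `middlewareSkipped` and `bypassedPaths` helpers are assumptions made for the illustration, not library functions.

```javascript
// Added example (not express-unless's own code). Models how a case-sensitive
// negative-lookahead regex skips the middleware for mixed-case paths that
// Express's case-insensitive router still sends to the protected handler.

// Model of Express route matching: case-insensitive unless the app sets
// 'case sensitive routing' to true (assumed simplification, exact match only).
function routeMatches(routePath, requestPath, caseSensitive = false) {
  return caseSensitive
    ? routePath === requestPath
    : routePath.toLowerCase() === requestPath.toLowerCase();
}

// Model of the express-unless decision for a RegExp `path` option:
// the wrapped middleware is skipped when the regex matches the request path.
function middlewareSkipped(pathRegex, requestPath) {
  return pathRegex.test(requestPath);
}

// A request is a bypass when it reaches the protected route handler while
// the auth middleware was skipped.
function reachesHandlerWithoutAuth(routePath, pathRegex, requestPath, caseSensitive = false) {
  return routeMatches(routePath, requestPath, caseSensitive) &&
    middlewareSkipped(pathRegex, requestPath);
}

const weakOption = /^(?!\/secure\/).*/;   // the option from the issue
const fixedOption = /^(?!\/secure\/).*/i; // same option with the 'i' flag

// Constructed sample request paths against one protected route.
const PROTECTED_ROUTE = '/secure/endpoint';
const SAMPLE_PATHS = ['/secure/endpoint', '/SECURE/endpoint', '/Secure/endpoint', '/public/info'];

// Returns the sample paths that reach the handler without auth.
function bypassedPaths(pathRegex, caseSensitive = false) {
  return SAMPLE_PATHS.filter(p =>
    reachesHandlerWithoutAuth(PROTECTED_ROUTE, pathRegex, p, caseSensitive));
}

console.log('weak option  :', bypassedPaths(weakOption));   // ['/SECURE/endpoint', '/Secure/endpoint']
console.log('with i flag  :', bypassedPaths(fixedOption));  // []
console.log('case-sensitive routing:', bypassedPaths(weakOption, true)); // []
```

Either fix on its own closes the gap in this model: the `i` flag makes the exclusion match the router's case folding, and case-sensitive routing stops the mixed-case path from reaching the handler at all.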