a request with the following path: //%5Cfoo.bar:80@example.com
Then:
in normalizePath.js the call to url.parse(...).pathname returns null
and depending on whether normalizePath is an array or not, the following code crashes either
in UrlValueParser:
TypeError: Cannot read properties of null (reading 'split')
at UrlValueParser.getPathChunks (/.../node_modules/url-value-parser/src/UrlValueParser.js:13:8)
or already in normalizePath.js:
TypeError: Cannot read properties of null (reading 'replace')
at module.exports [as normalizePath] (/.../node_modules/express-prom-bundle/src/normalizePath.js:23:19)
This makes it trivial to crash an Express instance that uses express-prom-bundle with includePath with a specifically crafted request.
Workaround for library users: set normalizePath to a custom function until this bug is fixed.
Easy fix: check if path is null before operating on it in normalizePath.js.
Proper fix: switch to the WHATWG URL API as url.parse has been deprecated for a while. This may be a breaking change in some edge cases. Or better yet, just use req.path which Express conveniently makes available.
Given:
express-prom-bundle
includePath
set totrue
in the options//%5Cfoo.bar:80@example.com
Then:
normalizePath.js
the call tourl.parse(...).pathname
returnsnull
normalizePath
is an array or not, the following code crashes eitherUrlValueParser
:normalizePath.js
:This makes it trivial to crash an Express instance that uses
express-prom-bundle
withincludePath
with a specifically crafted request.Workaround for library users: set
normalizePath
to a custom function until this bug is fixed.Easy fix: check if
path
isnull
before operating on it innormalizePath.js
.Proper fix: switch to the WHATWG URL API as
url.parse
has been deprecated for a while. This may be a breaking change in some edge cases. Or better yet, just usereq.path
which Express conveniently makes available.