a request with the following path: //%5Cfoo.bar:80@example.com
Then:
in normalizePath.js the call to url.parse(...).pathname returns null
and depending on whether normalizePath is an array or not, the following code crashes either
in UrlValueParser:
TypeError: Cannot read properties of null (reading 'split')
at UrlValueParser.getPathChunks (/.../node_modules/url-value-parser/src/UrlValueParser.js:13:8)
or already in normalizePath.js:
TypeError: Cannot read properties of null (reading 'replace')
at module.exports [as normalizePath] (/.../node_modules/express-prom-bundle/src/normalizePath.js:23:19)
This makes it trivial to crash an Express instance that uses express-prom-bundle with includePath with a specifically crafted request.
Workaround for library users: set normalizePath to a custom function until this bug is fixed.
Easy fix: check if path is null before operating on it in normalizePath.js.
Proper fix: switch to the WHATWG URL API as url.parse has been deprecated for a while. This may be a breaking change in some edge cases. Or better yet, just use req.path which Express conveniently makes available.
Given:
express-prom-bundleincludePathset totruein the options//%5Cfoo.bar:80@example.comThen:
normalizePath.jsthe call tourl.parse(...).pathnamereturnsnullnormalizePathis an array or not, the following code crashes eitherUrlValueParser:normalizePath.js:This makes it trivial to crash an Express instance that uses
express-prom-bundlewithincludePathwith a specifically crafted request.Workaround for library users: set
normalizePathto a custom function until this bug is fixed.Easy fix: check if
pathisnullbefore operating on it innormalizePath.js.Proper fix: switch to the WHATWG URL API as
url.parsehas been deprecated for a while. This may be a breaking change in some edge cases. Or better yet, just usereq.pathwhich Express conveniently makes available.