medusajs / medusa

The world's most flexible commerce platform.
https://medusajs.com
MIT License

[Bug]: Unexpected code 200 #10353

Closed Deroswent closed 4 days ago

Deroswent commented 4 days ago

Package.json file

{
  "name": "medusa-starter-default",
  "version": "0.0.1",
  "description": "A starter for Medusa projects.",
  "author": "Medusa (https://medusajs.com)",
  "license": "MIT",
  "keywords": [
    "sqlite",
    "postgres",
    "typescript",
    "ecommerce",
    "headless",
    "medusa"
  ],
  "scripts": {
    "build": "medusa build",
    "seed": "medusa exec ./src/scripts/seed.ts",
    "start": "medusa start",
    "dev": "medusa develop",
    "test:integration:http": "TEST_TYPE=integration:http NODE_OPTIONS=--experimental-vm-modules jest --silent=false --runInBand --forceExit",
    "test:integration:modules": "TEST_TYPE=integration:modules NODE_OPTIONS=--experimental-vm-modules jest --silent --runInBand --forceExit",
    "test:unit": "TEST_TYPE=unit NODE_OPTIONS=--experimental-vm-modules jest --silent --runInBand --forceExit"
  },
  "dependencies": {
    "@medusajs/admin-sdk": "latest",
    "@medusajs/cli": "latest",
    "@medusajs/framework": "latest",
    "@medusajs/medusa": "latest",
    "@mikro-orm/core": "5.9.7",
    "@mikro-orm/knex": "5.9.7",
    "@mikro-orm/migrations": "5.9.7",
    "@mikro-orm/postgresql": "5.9.7",
    "awilix": "^8.0.1",
    "pg": "^8.13.0"
  },
  "devDependencies": {
    "@medusajs/test-utils": "latest",
    "@mikro-orm/cli": "5.9.7",
    "@swc/core": "1.5.7",
    "@swc/jest": "^0.2.36",
    "@types/jest": "^29.5.13",
    "@types/node": "^20.0.0",
    "@types/react": "^18.3.2",
    "@types/react-dom": "^18.2.25",
    "jest": "^29.7.0",
    "prop-types": "^15.8.1",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "ts-node": "^10.9.2",
    "typescript": "^5.6.2",
    "vite": "^5.2.11"
  },
  "engines": {
    "node": ">=20"
  }
}

Node.js version

v20

Database and its version

PostgreSQL 16.4

Operating system name and version

Windows 11

Browser name

No response

What happened?

I placed the Medusa admin on the internet; it started to be scanned by bots for vulnerabilities, and one result is unexpected. When you go to /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php you get a 200 response code.

I thought maybe it's my server's influence (Medusa is behind nginx). I installed the latest version of Medusa, 2.0.7, locally, but even when opening http://localhost:9000/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php I still get code 200, even though such a file and directory don't exist, of course.

Local server log in dev mode confirms - Medusa gives code 200.

$ npm run dev
..................................................
√ Server is ready on http://localhost:9000 – 12ms
info:    Admin URL → http://localhost:9000/app
http:    GET /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php ← - (200) - 41.057 ms
http:    GET /app/entry.tsx ← http://localhost:9000/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (200) - 5.962 ms
http:    GET /app/index.css ← http://localhost:9000/app/entry.tsx (304) - 1882.697 ms

Expected behavior

Medusa should return a 404 code

Actual behavior

Medusa returns code 200 for a non-existent URL

Link to reproduction repo

https://github.com/medusajs/medusa

kasperkristensen commented 4 days ago

Hi @Deroswent,

I am not sure what is meant to be the bug here?

We serve the admin dashboard from the server on the /app path. Any request to <your_server>/app that isn't an actual piece of the JS bundle will return a 200 with the empty index.html file. That file is then hydrated on the client, and from there react-router-dom takes over, making sure to route to the correct page. So if you actually went to that URL you would see a 404 page.

Closing this as it works as expected