Open JeffersonBledsoe opened 8 months ago
Should this also be reported to the @plone/security-team? https://plone.org/security/report
@JeffersonBledsoe Volto doesn't know which paths will traverse to actual content on the backend and which will traverse to views. I think there are several problems interacting here:
The ++api++ traverser doesn't prevent traversing to views. From my point of view this was either a bad design decision or a bug; either way I'm sure people are relying on it now so it is hard to change.
If a view was found and it returns a 200 response, then volto tries to display it even if the response was not application/json as expected. I'd be happy to see a check for this get added to the api middleware and make it show a 404 if the wrong mimetype was returned instead of continuing to process reducers.
If processing content reducers hits an error because the response wasn't json as expected, until recently this could cause the Express server to exit. This was already fixed in volto 17.0.0-alpha.24 and 16.22.1. Now an exception while processing content reducers will show a "Server Error" message in production mode and an exception traceback in dev mode.
demo.plone.org does need to be updated -> https://github.com/plone/demo.plone.org/pull/23
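The mimetype check suggested above, as an added illustration rather than Volto's own middleware code: a guard that refuses to hand a non-JSON backend response to the content reducers and turns it into a 404, plus a route filter in the spirit of the nonContentRoutes setting. The route list, the response shape and the function names are assumptions for this example.

```javascript
// Added example, not part of Volto. Simplified stand-in for the API middleware:
// responses are plain objects { status, headers, body } as a fetch wrapper
// might hand back. The route patterns below are constructed for the example,
// not Volto's real nonContentRoutes default.
const nonContentRoutes = [/^\/accessibility-info$/, /^\/sitemap$/, /^\/login$/];

// Paths matching a non-content route are never fetched as content at all,
// so a backend browser view is never reached through the content path.
function isNonContentRoute(path) {
  return nonContentRoutes.some((re) => re.test(path));
}

// Inspect a backend response before any reducer sees it. Only a 2xx response
// whose body is application/json and parses is accepted; a 200 carrying
// text/html (a traversed browser view) or a non-2xx status is mapped to a
// 404-style result so the frontend renders its not-found page instead of a
// blank page or a reducer exception.
function classifyApiResponse(resp) {
  const rawType = resp.headers['content-type'] || '';
  const ctype = rawType.split(';')[0].trim().toLowerCase();
  if (resp.status < 200 || resp.status >= 300) {
    return { ok: false, status: resp.status, reason: 'backend returned an error status' };
  }
  if (ctype !== 'application/json') {
    return { ok: false, status: 404, reason: `unexpected mimetype ${ctype || '(none)'}` };
  }
  try {
    return { ok: true, status: 200, data: JSON.parse(resp.body) };
  } catch (err) {
    return { ok: false, status: 404, reason: 'body is not valid JSON' };
  }
}

// Constructed sample responses: a browser view answering with HTML and a
// genuine content object answering with JSON.
const htmlView = {
  status: 200,
  headers: { 'content-type': 'text/html; charset=utf-8' },
  body: '<html><body>Accessibility information</body></html>',
};
const contentJson = {
  status: 200,
  headers: { 'content-type': 'application/json' },
  body: '{"@id":"http://localhost:8080/Plone/front-page","@type":"Document"}',
};
```

Run as written, `classifyApiResponse(htmlView)` yields a 404 result and `classifyApiResponse(contentJson)` yields the parsed content.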
The ++api++ traverser doesn't prevent traversing to views. From my point of view this was either a bad design decision or a bug; either way I'm sure people are relying on it now so it is hard to change.
Well, the traverser mainly calls mark_as_api_request to trigger a JSON response (plone.rest). It does not prevent calling views behind it or other stuff. It's not its purpose.
But for sure we can check if a response marked as API request is a JSON response. Consider images, files, etc., are returned as well in seamless mode AFAIK.
@JeffersonBledsoe that's why we have the nonContentRoutes setting, right? AFAIK when visiting a route included there, Volto does not make the API call to the backend.
Describe the bug
Non-content plone views (such as accessibility-info) are interpreted by Volto as content and cause it to attempt to make REST API calls against these views. This leads to unexpected behaviour, such as exceptions being raised in the reducers (which will eventually crash the Volto server prior to https://github.com/plone/volto/commit/768c06d0d6888c1ecaf8cd4e7079114edb5d2292) and empty pages being displayed.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A 404 page is displayed every time
Actual behaviour
Either a blank page is displayed if the server correctly responds, or the Volto express server crashes