plone / volto

React-based frontend for the Plone Content Management System
https://demo.plone.org/
MIT License

Plone views are interpreted as content, causing blank pages and crashing the Volto server #5097

Open JeffersonBledsoe opened 8 months ago

JeffersonBledsoe commented 8 months ago

Describe the bug

Non-content Plone views (such as accessibility-info) are interpreted by Volto as content, causing it to attempt REST API calls against these views. This leads to unexpected behaviour, such as exceptions being raised in the reducers (which will eventually crash the Volto server prior to https://github.com/plone/volto/commit/768c06d0d6888c1ecaf8cd4e7079114edb5d2292) and empty pages being displayed.

To Reproduce

Steps to reproduce the behavior:

  1. Visit https://demo.plone.org/accessibility-info
  2. Try this a few more times (WARNING: This will bring down demo.plone.org as it is currently on an older Volto version)

Expected behavior

A 404 page is displayed every time.

Actual behaviour

Either a blank page is displayed if the server correctly responds, or the Volto express server crashes.

stevepiercy commented 8 months ago

Should this also be reported to the @plone/security-team? https://plone.org/security/report

davisagli commented 8 months ago

@JeffersonBledsoe Volto doesn't know which paths will traverse to actual content on the backend and which will traverse to views. I think there are several problems interacting here:

  1. The ++api++ traverser doesn't prevent traversing to views. From my point of view this was either a bad design decision or a bug; either way I'm sure people are relying on it now so it is hard to change.

  2. If a view was found and it returns a 200 response, then volto tries to display it even if the response was not application/json as expected. I'd be happy to see a check for this get added to the api middleware and make it show a 404 if the wrong mimetype was returned instead of continuing to process reducers.

  3. If processing content reducers hits an error because the response wasn't json as expected, until recently this could cause the Express server to exit. This was already fixed in volto 17.0.0-alpha.24 and 16.22.1. Now an exception while processing content reducers will show a "Server Error" message in production mode and an exception traceback in dev mode.

demo.plone.org does need to be updated -> https://github.com/plone/demo.plone.org/pull/23

jensens commented 8 months ago

The ++api++ traverser doesn't prevent traversing to views. From my point of view this was either a bad design decision or a bug; either way I'm sure people are relying on it now so it is hard to change.

Well, the traverser mainly calls mark_as_api_request (plone.rest) to trigger a JSON response. It does not prevent calling views behind it or other stuff. It's not its purpose.

But for sure we can check whether a response marked as an API request is a JSON response. Consider that images, files, etc. are returned as well in seamless mode, AFAIK.

erral commented 8 months ago

@JeffersonBledsoe that's why we have the nonContentRoutes setting, right? AFAIK when visiting a route included there, Volto does not make the API call to the backend.
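
The two gates discussed in this thread, as an added example that is not Volto's or plone.rest's code: first, a path that matches a nonContentRoutes pattern (erral's point) never triggers a content request at all; second, a response to a content request that does not carry a JSON content type (davisagli's point 2, with jensens's reminder that images and files also come back through the API traverser) is turned into a 404-style error before any reducer sees it. The pattern list, the `/accessibility-info` entry, the `NotFoundError` class, the `loadContent` driver and the fake backend responses are all constructed for this example; Volto's real nonContentRoutes list and middleware are different.

```javascript
// Added example (not Volto's code): two gates that together keep a Plone
// browser view such as /accessibility-info from being rendered as content.

// Gate 1: a path matching config.settings.nonContentRoutes is CMS UI, not
// content, so no API call is made. Patterns here are constructed; the
// /accessibility-info entry is hypothetical and only illustrates the fix
// suggested in the thread.
const nonContentRoutes = [
  /\/add$/,
  /\/edit$/,
  /\/contents$/,
  /\/login$/,
  /\/logout$/,
  /\/accessibility-info$/, // hypothetical entry for the view in this issue
];

function isNonContentRoute(pathname) {
  const path = pathname.replace(/\?.*$/, ''); // ignore the query string
  return nonContentRoutes.some((re) => re.test(path));
}

// Gate 2: a content response must be JSON. An HTML page from a browser view
// or an image served in seamless mode is mapped to a 404-style error instead
// of reaching the content reducers.
class NotFoundError extends Error {
  constructor(message) {
    super(message);
    this.name = 'NotFoundError';
    this.status = 404;
  }
}

function isJsonContentType(headerValue) {
  if (!headerValue) return false;
  // Strip parameters such as "; charset=utf-8" before comparing.
  const mediaType = headerValue.split(';')[0].trim().toLowerCase();
  // Accept application/json and structured-syntax suffixes (e.g. +json).
  return mediaType === 'application/json' || mediaType.endsWith('+json');
}

// response shape assumed here: { status, headers: { 'content-type' }, body }
function parseContentResponse(response) {
  const contentType = response.headers['content-type'];
  if (response.status === 404) throw new NotFoundError('Not found');
  if (!isJsonContentType(contentType)) {
    throw new NotFoundError(
      `Expected application/json, got ${contentType || 'no content type'}`,
    );
  }
  let data;
  try {
    data = JSON.parse(response.body);
  } catch (e) {
    throw new NotFoundError('Response claimed JSON but did not parse');
  }
  // Plone content serializations always carry an @type; anything else is
  // not content and must not be fed to the reducers.
  if (data === null || typeof data !== 'object' || typeof data['@type'] !== 'string') {
    throw new NotFoundError('JSON response is not a Plone content object');
  }
  return data;
}

// Driver combining both gates. fetchFn stands in for the real API request so
// the example runs offline; a real implementation would do the network call.
function loadContent(pathname, fetchFn) {
  if (isNonContentRoute(pathname)) return { kind: 'non-content' };
  try {
    return { kind: 'content', data: parseContentResponse(fetchFn(pathname)) };
  } catch (e) {
    if (e instanceof NotFoundError) return { kind: 'not-found', reason: e.message };
    throw e; // anything else is a genuine server error
  }
}

// Constructed fake backend: one content object, one HTML browser view, one
// binary file. Unknown paths answer 404 with a JSON body, as plone.restapi does.
const fakeBackend = {
  '/front-page': {
    status: 200,
    headers: { 'content-type': 'application/json; charset=utf-8' },
    body: JSON.stringify({ '@type': 'Document', title: 'Welcome' }),
  },
  '/some-view': {
    status: 200,
    headers: { 'content-type': 'text/html; charset=utf-8' },
    body: '<html><body>rendered by a browser view</body></html>',
  },
  '/logo.png': { status: 200, headers: { 'content-type': 'image/png' }, body: '\x89PNG' },
};

function fakeFetch(pathname) {
  return fakeBackend[pathname] || { status: 404, headers: { 'content-type': 'application/json' }, body: '{}' };
}
```

Note that the suffix-anchored patterns match by path ending, so `/news/edit` and `/my-edit` are both treated as non-content; a real list needs to be written with that in mind.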