Route regex mismatch and server gives 500 #12469

Closed
1 task done
patheticGeek opened this issue Nov 18, 2024 · 4 comments
Labels
needs triage Issue needs to be triaged

Comments

@patheticGeek

Astro Info

Astro                    v4.16.13
Node                     v18.20.4
System                   Linux (x64)
Package Manager          npm
Output                   server
Adapter                  @astrojs/node
Integrations             @astrojs/svelte

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

Open the reproduction and go to the following path:
/products/(select(0)from(select(sleep(15)))v)%2f*'+(select(0)from(select(sleep(15)))v)+'%22+(select(0)from(select(sleep(15)))v)+%22*%2f-9BM4ESb_xARsStc7tdySTQLssA

The server will give a 500 with the following error:

15:52:26 [ERROR] Missing parameter: id
  Stack trace:
    at /home/withastro/astro/node_modules/astro/dist/core/routing/manifest/generator.js:30:13
    [...] See full stack trace in the browser, or rerun with --verbose.

The reason I found is because in the getParams fn

export function getParams(route: RouteData, pathname: string): Params {
  if (!route.params.length) return {};
  // The RegExp pattern expects a decoded string, but the pathname is encoded
  // when the URL contains non-English characters.
  const paramsMatch = route.pattern.exec(decodeURIComponent(pathname));
  if (!paramsMatch) return {};

Here decodeURIComponent is used, which should be used to decode URI components like search params/hash, and it incorrectly decodes the above path as:
/products/(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/-9BM4ESb_xARsStc7tdySTQLssA

If you notice, a new / appears here, and now this URL has 3 levels whereas the original route that was matched has 2.

Whereas if we use decodeURI, which is meant to decode the URI itself, then it is correctly decoded as:
/products/(select(0)from(select(sleep(15)))v)%2f*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*%2f-9BM4ESb_xARsStc7tdySTQLssA

and this also matches the route regex.

What's the expected result?

Astro should ideally register the above as a valid path and pass down the page.

Link to Minimal Reproducible Example

https://codesandbox.io/p/devbox/wonderful-moon-fywty4

Participation

  • I am willing to submit a pull request for this issue.
@github-actions github-actions bot added the needs triage Issue needs to be triaged label Nov 18, 2024
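
Added example, not part of the issue and not Astro's code: the decoding difference reported above, reproduced against a route pattern. The pattern `PRODUCT_ROUTE`, the function names and the sample path are assumptions made for illustration; the third function goes beyond the issue by matching the raw path first and decoding only the captured segment, including the malformed-escape case.

```javascript
// Assumed pattern for a two-level dynamic route such as /products/[id];
// a stand-in for illustration, not copied from Astro's generated manifest.
const PRODUCT_ROUTE = /^\/products\/([^/]+?)\/?$/;

// The approach quoted in the issue: decode the whole pathname, then match.
// %2F becomes "/", the path gains a segment, the pattern fails and the params
// come back empty, which is what later surfaces as "Missing parameter: id".
function matchWholeDecode(pathname) {
  const m = PRODUCT_ROUTE.exec(decodeURIComponent(pathname));
  return m ? { id: m[1] } : {};
}

// decodeURI leaves reserved characters (such as %2F) encoded, so the number
// of path segments seen by the pattern is unchanged.
function matchDecodeURI(pathname) {
  const m = PRODUCT_ROUTE.exec(decodeURI(pathname));
  return m ? { id: m[1] } : {};
}

// Match on the raw, still-encoded path, then decode each captured segment on
// its own. An encoded slash can never change which route is selected.
function matchThenDecode(pathname) {
  const m = PRODUCT_ROUTE.exec(pathname);
  if (!m) return null;
  try {
    return { id: decodeURIComponent(m[1]) };
  } catch (err) {
    // A malformed escape (for example a truncated UTF-8 sequence) throws
    // URIError; report "no match" so the caller can answer 400/404, not 500.
    if (err instanceof URIError) return null;
    throw err;
  }
}

// Constructed sample path with an encoded slash inside the id segment.
const SAMPLE = "/products/red%2Fblue-42";

console.log(matchWholeDecode(SAMPLE)); // no params extracted
console.log(matchDecodeURI(SAMPLE));   // id keeps the %2F escape
console.log(matchThenDecode(SAMPLE));  // id decoded after matching
```
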
@ematipico
Member

This has been changed in Astro v5. We recommend looking at the breaking changes and adapting the application accordingly.

https://5-0-0-beta--astro-docs-2.netlify.app/en/guides/upgrade-to/v5/#changed-params-no-longer-decoded

@patheticGeek
Author

Is there any workaround for now? This is causing issues in production for us.

@ematipico
Member

Unfortunately, there isn't, and we can't ship this change in v4 because it's a breaking change for users.

@ematipico
Member

Duplicate of #8516

@ematipico ematipico marked this as a duplicate of #8516 Nov 18, 2024
@ematipico ematipico closed this as not planned Nov 18, 2024