fix: better handler malformed paths #7612

Merged
merged 3 commits into from
Jan 1, 2025

@Cherry Cherry commented Dec 22, 2024

Fixes #7611

This more gracefully handles malformed URLs and simply throws a 404 on them instead of the entire Worker throwing an exception.


  • Tests
    • TODO (before merge)
    • Tests included
    • Tests not necessary because:
  • E2E Tests CI Job required? (Use "e2e" label or ask maintainer to run separately)
    • I don't know
    • Required
    • Not required because: no e2e tests for this
  • Public documentation
    • TODO (before merge)
    • Cloudflare docs PR(s):
    • Documentation not necessary because: no user-facing changes

@Cherry Cherry requested review from a team as code owners December 22, 2024 15:30

changeset-bot bot commented Dec 22, 2024

🦋 Changeset detected

Latest commit: 672c33b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@cloudflare/workers-shared Patch


@Cherry Cherry force-pushed the fix/assets-path-decode branch from 277b462 to 48fdec6 Compare December 22, 2024 17:04
github-actions bot commented Dec 22, 2024

A wrangler prerelease is available for testing. You can install this latest build in your project with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-wrangler-7612

You can reference the automatically updated head of this PR with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/7612/npm-package-wrangler-7612

Or you can use npx with this latest build directly:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-wrangler-7612 dev path/to/script.js
Additional artifacts:
wget https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-bindings-extension-7612 -O ./cloudflare-workers-bindings-extension.0.0.0-v7d18629c4.vsix && code --install-extension ./cloudflare-workers-bindings-extension.0.0.0-v7d18629c4.vsix
npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-create-cloudflare-7612 --no-auto-update
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-kv-asset-handler-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-miniflare-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-pages-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-unenv-preset-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-vitest-pool-workers-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-editor-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workflows-shared-7612

Note that these links will no longer work once the GitHub Actions artifact expires.


[email protected] includes the following runtime dependencies:

Package Constraint Resolved
miniflare workspace:* 3.20241218.0
workerd 1.20241218.0 1.20241218.0
workerd --version 1.20241218.0 2024-12-18

Please ensure constraints are pinned, and miniflare/workerd minor versions match.

@petebacondarwin petebacondarwin left a comment

I am not sure how this can happen in practice - i.e. whether it is possible to access a real asset via a malformed URL segment.

But I feel like we should just be passing through these invalid segments rather than 404ing.
So instead of this fix we just change decodePath() so that it is resilient there: catching the error for each segment and just returning the original string instead of the decoded one.

If there is no such asset, then it would still 404 but at least we are not potentially hiding a real asset.

Cherry commented Dec 23, 2024

Good call, that makes sense, thanks Pete. I've updated the changes and tests to account for this more gracefully.

.map((x) => {
let encoded;
try {
encoded = encodeURIComponent(x);
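
Review bot: the `try` around `encodeURIComponent(x)` needs a one-line comment saying when this call can throw (a URIError on a lone surrogate such as "\uD800"), because most readers will assume encoding never fails. Since `let encoded;` is declared without a value, it is still undefined when the call throws, so the catch branch should assign the original `x` as the fallback before `encoded` is used.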
Contributor

Can encodeURIComponent actually throw?

Contributor Author

If given something like a lone surrogate, yes:

encodeURIComponent("\uD800")

How likely/possible this is to happen in a URL? Probably not, but I felt like it couldn't hurt to wrap both.
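
The per-segment pass-through suggested in the review above, together with the lone-surrogate case for `encodeURIComponent`, as an added JavaScript example. It is not the workers-sdk code: `safeDecode`, `safeEncode`, `encodePath`, `ASSETS` and `lookupStatus` are hypothetical names, and the asset manifest is constructed.

```javascript
// Added example, not the workers-sdk implementation.

// Decode one segment; a malformed escape raises URIError, so keep the raw text.
function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (err) {
    if (err instanceof URIError) return segment; // pass through, do not 404 here
    throw err; // anything else is a real bug
  }
}

// Encode one segment; encodeURIComponent raises URIError on a lone surrogate.
function safeEncode(segment) {
  try {
    return encodeURIComponent(segment);
  } catch (err) {
    if (err instanceof URIError) return segment;
    throw err;
  }
}

// Work per segment so one bad segment does not stop the good ones being decoded.
function decodePath(pathname) {
  return pathname.split("/").map(safeDecode).join("/");
}

function encodePath(pathname) {
  return pathname.split("/").map(safeEncode).join("/");
}

// Constructed manifest standing in for the real asset lookup (assumption).
const ASSETS = new Set(["/index.html", "/my file.txt", "/%A0%A0.html"]);

// A malformed path only yields 404 when no asset matches the passed-through name.
function lookupStatus(rawPathname) {
  return ASSETS.has(decodePath(rawPathname)) ? 200 : 404;
}
```

Calling `decodeURIComponent` on the whole path instead would throw for `/%A0%A0.html`, which is the unhandled exception the PR description refers to.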

@Cherry Cherry force-pushed the fix/assets-path-decode branch from 91f2dca to 672c33b Compare December 27, 2024 23:04
@WalshyDev WalshyDev merged commit 2e78812 into cloudflare:main Jan 1, 2025
25 of 26 checks passed
@workers-devprod workers-devprod added the contribution [Holopin] Recognizes an open-source contribution, big or small label Jan 1, 2025
holopin-bot bot commented Jan 1, 2025

Congratulations @Cherry, the maintainer of this repository has issued you a holobyte! Here it is: https://holopin.io/holobyte/cm5dcrmmj96750cmncd0hnuht

This badge can only be claimed by you, so make sure that your GitHub account is linked to your Holopin account. You can manage those preferences here: https://holopin.io/account.
Or if you're new to Holopin, you can simply sign up with GitHub, which will do the trick!

@workers-devprod workers-devprod mentioned this pull request Jan 1, 2025
penalosa pushed a commit that referenced this pull request Jan 10, 2025
* fix: better handler malformed paths

* chore: changeset

* fix: pass-through malformed paths better
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

URI malformed error with Workers Assets and malformed paths
5 participants