first attempt to upgrade express to v5 #1429
Conversation
Co-Authored-By: Andrew Calcutt <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| return res.send(concatenated); | ||
| } catch (err) { | ||
| console.error('Error serving font:', err); | ||
| return res.status(400).header('Content-Type', 'text/plain').send(err); |
Check warning
Code scanning / CodeQL
Information exposure through a stack trace Medium
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
src/serve_style.js
Outdated
| */ | ||
| function allowedSpriteScales(scale) { | ||
| if (!scale) return ''; | ||
| const match = scale.match(/(\d+)x/); |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
| y = ll[1]; | ||
| } | ||
| const staticTypeMatch = staticType.match(staticTypeRegex); | ||
| console.log(staticTypeMatch); |
Check warning
Code scanning / CodeQL
Log injection Medium
| const spriteScale = allowedSpriteScales(scale); | ||
| const filename = `${sprite.path}${spriteScale}.${format}`; | ||
|
|
||
| fs.readFile(filename, (err, data) => { |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
|
|
||
| fs.readFile(filename, (err, data) => { | ||
| if (err) { | ||
| console.error('Sprite load error: %s, Error: %s', filename, err); |
Check warning
Code scanning / CodeQL
Log injection Medium
| if (!allowedFonts || (allowedFonts[name] && fallbacks)) { | ||
| if (!name || typeof name !== 'string' || name.trim() === '') { | ||
| console.error('ERROR: Invalid font name: %s', name); |
Check warning
Code scanning / CodeQL
Log injection Medium
| return reject('Invalid font name'); | ||
| } | ||
| if (!/^\d+-\d+$/.test(range)) { | ||
| console.error('ERROR: Invalid range: %s', range); |
Check warning
Code scanning / CodeQL
Log injection Medium
| fs.readFile(filename, (err, data) => { | ||
| if (err) { | ||
| console.error(`ERROR: Font not found: ${name}`); | ||
| console.error('ERROR: Font not found: %s, Error: %s', filename, err); |
Check warning
Code scanning / CodeQL
Log injection Medium
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
| app.get(`/:id/sprite{/:spriteID}{@:scale}{.:format}`, (req, res, next) => { | ||
| const { spriteID = 'default', id, format } = req.params; | ||
| const spriteScale = allowedSpriteScales(req.params.scale); | ||
|
|
||
| const item = repo[id]; | ||
| if (!item || !allowedSpriteFormats(format)) { | ||
| return res.sendStatus(404); | ||
| } | ||
|
|
||
| const sprite = item.spritePaths.find((sprite) => sprite.id === spriteID); | ||
| if (!sprite) { | ||
| return res.status(400).send('Bad Sprite ID or Scale'); | ||
| } | ||
|
|
||
| const filename = `${sprite.path}${spriteScale}.${format}`; | ||
|
|
||
| // eslint-disable-next-line security/detect-non-literal-fs-filename | ||
| fs.readFile(filename, (err, data) => { | ||
| if (err) { | ||
| console.error('Sprite load error: %s, Error: %s', filename, err); | ||
| return res.sendStatus(404); | ||
| } | ||
| }, | ||
| ); | ||
|
|
||
| if (format === 'json') { | ||
| res.header('Content-type', 'application/json'); | ||
| } else if (format === 'png') { | ||
| res.header('Content-type', 'image/png'); | ||
| } | ||
| return res.send(data); | ||
| }); | ||
| }); |
Check failure
Code scanning / CodeQL
Missing rate limiting High
Co-Authored-By: Andrew Calcutt <[email protected]>
Co-Authored-By: Andrew Calcutt <[email protected]>
| if (format === 'pbf') { | ||
| if (isGzipped) { | ||
| response.data = await gunzipP(response.data); | ||
| isGzipped = false; |
Check warning
Code scanning / CodeQL
Useless assignment to local variable Warning
Co-Authored-By: Andrew Calcutt <[email protected]>
Today I was researching how we could fix #1412 and get express upgraded.
The main issue is in newer versions of express the syntax for optional parameters and paths has changed due to their upgrade of https://github.com/pillarjs/path-to-regexp which no longer allows options items by surrounding them with ( and )? . It also doesn't seem to support checking the values/value types by putting the type inside ( and )
https://github.com/pillarjs/path-to-regexp?tab=readme-ov-file#errors
Unfortunately we used a lot of these features to direct how tileserver replied to requests.... Things like optional paths for rile size or raw co-ordinates. or validating the data types before picking up the request.
I went through and I tried to remove all parenthesis that it did now like, but this caused a bit of trouble because now some of our paths are a bit to similar. to support the paths we have a had to do a few ugly workarounds to get around misrouting. They do allow {/:variable} for optional paths, so I was somewhat rework some things to use that.
This still needs a lot of work and if anyone has any suggestions (or would like open a new PR based on it and finish it) I can use all the help I can get with this.