router
router copied to clipboard
aurelia
Possible to crash the router by including `__proto__` in a specific format
I'm submitting a bug report
- Library Version: 1.7.1
Please tell us about your environment:
-
Operating System: Affects Linux and Windows (probably all environments)
-
Node Version: v16.16.0, also affects v14.x
-
NPM Version: 8.11.0
-
JSPM OR Webpack AND Version Webpack 5.46.0
-
Browser: Chrome, Chrome headless, Aurelia SSR
-
Language: All
Current behavior:
When navigating to the following route:
/?__proto__.expect=100-continue&constructor.prototype.expect=100-continue&id.__proto__.expect=100-continue&id.constructor.prototype.expect=100-continue&id%5B__proto__%5D%5Bexpect%5D=100-continue
The application crashes with the following error:
INFO [aurelia] Aurelia Started
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] 10 navigation instructions have been attempted without success. Restoring last known good location.
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [undefined] Router Error TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
at eval (webpack://frontend/./node_modules/aurelia-templating-router/dist/native-modules/aurelia-templating-router.js?:302:28)
at new Promise (<anonymous>)
at TemplatingRouteLoader.resolveViewModel (webpack://frontend/./node_modules/aurelia-templating-router/dist/native-modules/aurelia-templating-router.js?:300:16)
at TemplatingRouteLoader.loadRoute (webpack://frontend/./node_modules/aurelia-templating-router/dist/native-modules/aurelia-templating-router.js?:346:14)
at eval (webpack://frontend/./node_modules/aurelia-router/dist/native-modules/aurelia-router.js?:1534:48)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async Promise.all (index 1)
ERROR [event-aggregator] TypeError: Cannot destructure property 'config' of 'router.currentInstruction' as it is null.
at eval (webpack://frontend/./src/providers/server-platform-provider.ts?:36:21)
at invokeCallback (webpack://frontend/./node_modules/aurelia-event-aggregator/dist/native-modules/aurelia-event-aggregator.js?:33:5)
at EventAggregator.publish (webpack://frontend/./node_modules/aurelia-event-aggregator/dist/native-modules/aurelia-event-aggregator.js?:70:11)
at resolveInstruction (webpack://frontend/./node_modules/aurelia-router/dist/native-modules/aurelia-router.js?:2271:25)
at eval (webpack://frontend/./node_modules/aurelia-router/dist/native-modules/aurelia-router.js?:2199:50)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
Error in Koa Error: read ECONNRESET
at TCP.onStreamRead (node:internal/stream_base_commons:217:20) {
errno: -4077,
code: 'ECONNRESET',
syscall: 'read',
headerSent: true
}
Expected/desired behavior: It should not crash. It should parse properly and take you to the page that is set to handle "/".
It seems the issue is reproducible with navigating to the following URL as well:
/?something[__proto__][else]=oops
I believe there's some magic going on with trying to set nested properties on __proto__, then trying to look for that property on something using the in keyword, which won't exist as it was set on the __proto__. I have a strong feeling that it's an issue with the aurelia-route-recognizer, but we have a suitable workaround for now.