
Parsing errors and dev errors - info in documentation

Open lukaszpolowczyk opened this issue 3 years ago • 7 comments

Describe the problem

Should there be information about parsing errors and dev stage errors in the Errors - https://kit.svelte.dev/docs/errors documentation?

E.g. HMR window contains internal server data, but it is not a security risk for internal server data.

Or when there are parsing errors in hooks, internal errors are displayed on the page, containing absolute paths from the server.

This data only displays at the dev stage, so it is safe. But after reading https://kit.svelte.dev/docs/errors, you might think that this data should not display and that it is a security threat to the server's internal data.

I think it is worth adding information to the documentation, about the errors that display on the site only in dev mode and that they are safe.


If I don't understand something, please explain.

Describe the proposed solution

As above.

Alternatives considered

No response

Importance

nice to have

Additional Information

No response

lukaszpolowczyk, Dec 02 '22 09:12

I'm not totally sure I understand what you mean by "dev time only". In general, if an error is thrown, you should not just print out the stack as that would be a security risk. You could implement something yourself in the handleError hooks like "in development, also show the stack" - is that what you mean by adding?

dummdidumm, Dec 12 '22 16:12

> I'm not totally sure I understand what you mean by "dev time only".

@dummdidumm It is about an unexpected error that is not picked up by handleError, nor will src/error.html be displayed, such as the code:

```js
// src/hooks.server.js

/** @type {import('@sveltejs/kit').HandleServerError} */
export function handleError({ error, event }) {
  throw "zz";
}

/** @type {import('@sveltejs/kit').Handle} */
export async function handle({ event, resolve }) {
  throw "oo";
  const response = await resolve(event);
  return response;
}
```

will return a white content page in the browser:

ReferenceError: ddf is not defined
    at //home/projects/sveltejs-kit-template-default-kqwysb/src/hooks.server:2:1
    at instantiateModule (file://file:///home/projects/sveltejs-kit-template-default-kqwysb/node_modules/vite/dist/node/chunks/dep-ed9cb113.js:53295:15)

[image]

Stackblitz version: https://stackblitz.com/edit/sveltejs-kit-template-default-kqwysb?file=src%2Fhooks.server.js&terminal=dev

The same happens with something as simple as:

```js
// src/hooks.server.js
ddf;
```

it also returns a white page with errors: [image]

These errors (it seems to me) will not go beyond dev, because SvelteKit displays errors in the console when you use npm run build and the build fails, so they are safe.

But maybe I'm wrong, and this too should be handled somehow? Maybe it is a leak that I detected?


And besides, in HMR it displays a vite-error-overlay layer with a window that displays when e.g. you have a syntax typo in a svelte file, and this window contains various information from the server e.g. full file paths, but here it is 100% supposed to be like that, and this data is not at risk, because it is only in dev. So this might also be worth mentioning on https://kit.svelte.dev/docs/errors? [image]

lukaszpolowczyk, Dec 12 '22 18:12

If errors are thrown right when loading the hooks file because you reference something undefined, or you throw another error in your handleError, then there's nothing that SvelteKit can do - it's impossible to catch everything, as not all these things are under control of SvelteKit (we probably could look into try-catching handleError, but srsly if that also fails you have a real problem)

dummdidumm, Dec 14 '22 14:12
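An added example (not part of the thread and not SvelteKit's own code) of the approach raised in the two maintainer comments above: a `handleError` hook that keeps the stack server-side, returns a generic message, adds the stack only in development, and does not throw when its logger fails. `makeHandleError`, `errorId` and the sample inputs are illustrative names; in a project `dev` would come from `$app/environment`.

```javascript
// Added example. In a SvelteKit project, `dev` comes from
// `import { dev } from '$app/environment'` and the returned function is
// exported as `handleError` from src/hooks.server.js.
function makeHandleError(dev, log = console.error) {
  return function handleError({ error, event }) {
    // Correlation id only (not a secret): ties a user report to the log line.
    const errorId =
      Date.now().toString(36) + Math.random().toString(36).slice(2, 8);
    try {
      // Full detail, including a stack with absolute paths, stays server-side.
      log({ errorId, path: event?.url?.pathname, error });
    } catch {
      // A failing logger must not make handleError itself throw.
    }
    // Generic body for the client; `errorId` is an assumed extra field.
    const body = { message: 'Internal Error', errorId };
    if (dev) {
      // Development only: expose the stack (or the thrown value) for debugging.
      body.stack = error instanceof Error ? error.stack : String(error);
    }
    return body;
  };
}

// Constructed sample input: an error whose stack contains a server path.
function sampleError() {
  const err = new Error('ddf is not defined');
  err.stack =
    'ReferenceError: ddf is not defined\n' +
    '    at /home/projects/app/src/hooks.server.js:2:1';
  return err;
}

// Constructed sample input: the only part of the request event used above.
function sampleEvent() {
  return { url: new URL('http://localhost/some/page') };
}
```

This does not cover errors raised while the hooks file itself is loading (the `ddf;` case), which the thread notes SvelteKit cannot catch.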

@dummdidumm That is, it is only necessary to give info in the documentation that all unexpected errors will not be caught. As I thought.

It would be enough to display Internal error on the page, in case everything fails. That's how it seems to me. But if you can't even do that, just info in the documentation might be enough.

lukaszpolowczyk, Dec 14 '22 14:12

[Screenshot from 2022-12-14 16-22-11]

it is in the docs though.

autoklasa, Dec 14 '22 15:12

@autoklasa Aha, it's at https://kit.svelte.dev/docs/hooks#shared-hooks-handleerror. Because I thought it should be on https://kit.svelte.dev/docs/errors#unexpected-errors. Maybe it's all the same, but in https://kit.svelte.dev/docs/hooks#shared-hooks-handleerror I didn't get it.

But also any error at all in the hooks file causes this problem (see example with ddf;), so the description could be broader.


And still some info about HMR window errors could be added in the documentation. I think so.

lukaszpolowczyk, Dec 14 '22 15:12

@lukaszpolowczyk good points, afaik we are promised epic docs and examples after 1.0 release :)

autoklasa, Dec 14 '22 16:12