busboy
busboy copied to clipboard
mscdex
Interested in a patch to throw error as a unique class?
We have some sites that are getting hammered with exploit code looking for a Tiny MCE exploit. The exploit keeps trying to send a POST request to routes that don't exist.
We use connect-busboy and busboy and load the connect-busboy middleware early, fairly globally. It's trying to parse these malformed POST requests and crashing with an 500 error that originates in busboy:
Multipart: Boundary not found
This case is not really a server error-- the appropriate response code should be "400: Bad Request" (or 404, since the URL doesn't exist).
My suggestion is that busboy throw an error throw an error of a custom class, much like the common-errors enables.
The busboy code might look like this:
throw new ValidationError('Multipart: Boundary not found')
Then in our Express error handling middleware, we can check if error thrown is of type 'ValidationError'. If so, we will return a 400 response instead of crashing with a 500 response.
The change would be backwards compatible, since the ValidationError class would be a sub-class of the Error class.
Would a patch for this approach be accepted? If so, would you rather add common-errors as a dependency or just create a single custom error class for this purpose?
@zxlin When I get a positive response from a project contributor, I'll consider writing a PR for this, otherwise someone else can implement the idea sooner.
I would rather just add an extra property to the error object instead, like node core does.
@markstos they'd go into the code property. See https://nodejs.org/dist/latest-v10.x/docs/api/errors.html#errors_node_js_error_codes for how node core does it.
@mscdex may I suggest the prefix ERR_BUSBOY for all busboy errors?
So we could have:
ERR_BUSBOY_BOUNDARY_NOT_FOUND
ERR_BUSBOY_MISSING_CONTENT_TYPE
ERR_BUSBOY_UNSUPPORTED_CONTENT_TYPE
...etc
Thoughts?