From 8b73f2ee70d79342d37a066c7773430773d47cf4 Mon Sep 17 00:00:00 2001 From: webzwo0i Date: Mon, 5 Jul 2021 06:12:02 +0200 Subject: [PATCH] padurlsanitize: Don't crash if `sanitizePadId()` throws Let Express send a 500 status code to the user instead. Co-authored-by: Richard Hansen --- CHANGELOG.md | 1 + src/node/hooks/express/padurlsanitize.js | 35 +++++++++++++----------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 14653a33c..488d0e947 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ from the database when the group is deleted. * Fixed race conditions in the `setText`, `appendText`, and `restoreRevision` functions (HTTP API). +* Fixed a crash if the database is busy enough to cause a query timeout. #### For plugin authors diff --git a/src/node/hooks/express/padurlsanitize.js b/src/node/hooks/express/padurlsanitize.js index b805fc4ba..ff1afa477 100644 --- a/src/node/hooks/express/padurlsanitize.js +++ b/src/node/hooks/express/padurlsanitize.js 
@@ -4,24 +4,27 @@ const padManager = require('../../db/PadManager');
 
 exports.expressCreateServer = (hookName, args, cb) => {
 // redirects browser to the pad's sanitized url if needed. otherwise, renders the html
- args.app.param('pad', async (req, res, next, padId) => {
- // ensure the padname is valid and the url doesn't end with a /
- if (!padManager.isValidPadId(padId) || /\/$/.test(req.url)) {
- res.status(404).send('Such a padname is forbidden');
- return;
- }
+ args.app.param('pad', (req, res, next, padId) => {
+ (async () => {
+ // ensure the padname is valid and the url doesn't end with a /
+ if (!padManager.isValidPadId(padId) || /\/$/.test(req.url)) {
+ res.status(404).send('Such a padname is forbidden');
+ return;
+ }
 
- const sanitizedPadId = await padManager.sanitizePadId(padId);
+ const sanitizedPadId = await padManager.sanitizePadId(padId);
 
- if (sanitizedPadId === padId) {
- // the pad id was fine, so just render it
- next();
- } else {
- // the pad id was sanitized, so we redirect to the sanitized version
- const realURL = encodeURIComponent(sanitizedPadId) + new URL(req.url, 'http://invalid.invalid').search;
- res.header('Location', realURL);
- res.status(302).send(`You should be redirected to ${realURL}`);
- }
+ if (sanitizedPadId === padId) {
+ // the pad id was fine, so just render it
+ next();
+ } else {
+ // the pad id was sanitized, so we redirect to the sanitized version
+ const realURL =
+ encodeURIComponent(sanitizedPadId) + new URL(req.url, 'http://invalid.invalid').search;
+ res.header('Location', realURL);
+ res.status(302).send(`You should be redirected to ${realURL}`);
+ }
+ })().catch((err) => next(err || new Error(err)));
 });
 return cb();
 };
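Review bot: The new `.catch((err) => next(err || new Error(err)))` at the end of the param callback hands the raw rejection from `padManager.sanitizePadId()` to whichever Express error handler is installed, and that handler is not visible in this patch. Express's built-in handler puts the stack trace in the 500 response body unless `NODE_ENV` is `production`, so a database timeout could disclose internal paths or driver details to the requesting client; it is worth confirming that a handler is registered which logs the error server-side and returns a generic body. The `new Error(err)` fallback only runs when `err` is falsy, so its message would be something like `undefined`; a fixed message such as `next(err || new Error('sanitizePadId() rejected without an error'))` would be easier to find in logs. A one-line comment above the IIFE would also help the next reader, for example `// Forward rejections to next(); a rejected promise returned from this callback would otherwise go unhandled.`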