
Possible to crash the router by including __proto__ in a specific format #690

Open
massimocode opened this issue Dec 28, 2022 · 1 comment

Comments


I'm submitting a bug report

  • Library Version: 1.7.1

Please tell us about your environment:

  • Operating System: Affects Linux and Windows (probably all environments)
  • Node Version: v16.16.0, also affects v14.x
  • NPM Version: 8.11.0
  • JSPM OR Webpack AND Version: Webpack 5.46.0
  • Browser: Chrome, Chrome headless, Aurelia SSR
  • Language: All

Current behavior:
When navigating to the following route:
/?__proto__.expect=100-continue&constructor.prototype.expect=100-continue&id.__proto__.expect=100-continue&id.constructor.prototype.expect=100-continue&id%5B__proto__%5D%5Bexpect%5D=100-continue

The application crashes with the following error:

INFO [aurelia] Aurelia Started
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [app-router] 10 navigation instructions have been attempted without success. Restoring last known good location.
ERROR [app-router] TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
ERROR [undefined] Router Error TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue
    at eval (webpack://frontend/./node_modules/aurelia-templating-router/dist/native-modules/aurelia-templating-router.js?:302:28)
    at new Promise (<anonymous>)
    at TemplatingRouteLoader.resolveViewModel (webpack://frontend/./node_modules/aurelia-templating-router/dist/native-modules/aurelia-templating-router.js?:300:16)
    at TemplatingRouteLoader.loadRoute (webpack://frontend/./node_modules/aurelia-templating-router/dist/native-modules/aurelia-templating-router.js?:346:14)
    at eval (webpack://frontend/./node_modules/aurelia-router/dist/native-modules/aurelia-router.js?:1534:48)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Promise.all (index 1)
ERROR [event-aggregator] TypeError: Cannot destructure property 'config' of 'router.currentInstruction' as it is null.
    at eval (webpack://frontend/./src/providers/server-platform-provider.ts?:36:21)
    at invokeCallback (webpack://frontend/./node_modules/aurelia-event-aggregator/dist/native-modules/aurelia-event-aggregator.js?:33:5)
    at EventAggregator.publish (webpack://frontend/./node_modules/aurelia-event-aggregator/dist/native-modules/aurelia-event-aggregator.js?:70:11)
    at resolveInstruction (webpack://frontend/./node_modules/aurelia-router/dist/native-modules/aurelia-router.js?:2271:25)
    at eval (webpack://frontend/./node_modules/aurelia-router/dist/native-modules/aurelia-router.js?:2199:50)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
Error in Koa Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:217:20) {
  errno: -4077,
  code: 'ECONNRESET',
  syscall: 'read',
  headerSent: true
}

Expected/desired behavior:
It should not crash. It should parse properly and take you to the page that is set to handle "/".


massimocode commented Dec 28, 2022

It seems the issue is reproducible with navigating to the following URL as well:
/?something[__proto__][else]=oops

I believe there's some magic going on with trying to set nested properties on __proto__, then trying to look for that property on something using the in keyword, which won't exist as it was set on the __proto__. I have a strong feeling that it's an issue with the aurelia-route-recognizer, but we have a suitable workaround for now.
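An added example, not code from aurelia-router or aurelia-route-recognizer (the page does not establish which parser the library uses): a minimal bracket/dot-notation query-string parser in a naive form, which the query strings above turn into a write to Object.prototype, beside a hardened form that keeps every container prototype-less and drops pairs naming a prototype-related key. All function names are hypothetical.

```javascript
// Added example (not aurelia's code): naive vs hardened nested query-string parsing.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// "a[b][c]" or "a.b.c" -> ["a", "b", "c"]
function splitKey(rawKey) {
  return rawKey.replace(/\]/g, "").split(/[\[.]/).filter((seg) => seg.length > 0);
}

// "?k=v&k2=v2" -> [["k", "v"], ["k2", "v2"]], percent-decoded
function pairsOf(query) {
  return query.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const [rawKey, rawValue = ""] = pair.split("=");
    return [decodeURIComponent(rawKey), decodeURIComponent(rawValue)];
  });
}

// Shared walker: creates missing containers with makeContainer, assigns the leaf.
function assignPath(root, path, value, makeContainer) {
  let target = root;
  for (const seg of path.slice(0, -1)) {
    if (typeof target[seg] !== "object" || target[seg] === null) target[seg] = makeContainer();
    target = target[seg];
  }
  target[path[path.length - 1]] = value;
}

// Naive: {} inherits the __proto__ accessor, so "x[__proto__][y]=z" assigns Object.prototype.y.
function parseQueryNaive(query) {
  const result = {};
  for (const [key, value] of pairsOf(query)) assignPath(result, splitKey(key), value, () => ({}));
  return result;
}

// Hardened: prototype-less containers, and pairs naming a prototype-related key are dropped.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [key, value] of pairsOf(query)) {
    const path = splitKey(key);
    if (path.length === 0 || path.some((seg) => FORBIDDEN_KEYS.has(seg))) continue;
    assignPath(result, path, value, () => Object.create(null));
  }
  return result;
}

// Runs parser, reports whether a fresh {} now inherits probeKey, then undoes any pollution.
function pollutes(parser, query, probeKey) {
  parser(query);
  const seen = probeKey in {};
  delete Object.prototype[probeKey];
  return seen;
}
```

With the naive parser, a later `"expect" in someObject` check on an unrelated object succeeds because the key now lives on Object.prototype; with the hardened parser the same query yields an empty result and no shared state changes.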

@massimocode massimocode changed the title TypeError: Cannot use 'in' operator to search for 'moduleId' in 100-continue Possible to crash the router by including __proto__ in a specific format Dec 28, 2022