Skip to content

fix: better handler malformed paths#7612

Merged
WalshyDev merged 3 commits intocloudflare:mainfrom
Cherry:fix/assets-path-decode
Jan 1, 2025
Merged

fix: better handler malformed paths#7612
WalshyDev merged 3 commits intocloudflare:mainfrom
Cherry:fix/assets-path-decode

Conversation

@Cherry
Copy link
Contributor

@Cherry Cherry commented Dec 22, 2024
edited
Loading

Fixes #7611

This more gracefully handles malformed URLs and simply throws a 404 on them instead of the entire Worker throwing an exception.

  • Tests
    • TODO (before merge)
    • Tests included
    • Tests not necessary because:
  • E2E Tests CI Job required? (Use "e2e" label or ask maintainer to run separately)
    • I don't know
    • Required
    • Not required because: no e2e tests for this
  • Public documentation
    • TODO (before merge)
    • Cloudflare docs PR(s):
    • Documentation not necessary because: no user-facing changes

@Cherry Cherry requested review from a team as code owners December 22, 2024 15:30
@changeset-bot
Copy link

changeset-bot bot commented Dec 22, 2024
edited
Loading

🦋 Changeset detected

Latest commit: 672c33b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@cloudflare/workers-shared Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@Cherry Cherry force-pushed the fix/assets-path-decode branch from 277b462 to 48fdec6 Compare December 22, 2024 17:04
@github-actions
Copy link
Contributor

github-actions bot commented Dec 22, 2024
edited
Loading

A wrangler prerelease is available for testing. You can install this latest build in your project with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-wrangler-7612

You can reference the automatically updated head of this PR with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/7612/npm-package-wrangler-7612

Or you can use npx with this latest build directly:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-wrangler-7612 dev path/to/script.js
Additional artifacts: 
wget https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-bindings-extension-7612 -O ./cloudflare-workers-bindings-extension.0.0.0-v7d18629c4.vsix && code --install-extension ./cloudflare-workers-bindings-extension.0.0.0-v7d18629c4.vsix
npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-create-cloudflare-7612 --no-auto-update
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-kv-asset-handler-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-miniflare-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-pages-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-unenv-preset-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-vitest-pool-workers-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-editor-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workflows-shared-7612

Note that these links will no longer work once the GitHub Actions artifact expires.

wrangler@3.99.0 includes the following runtime dependencies:

Package Constraint Resolved
miniflare workspace:* 3.20241218.0
workerd 1.20241218.0 1.20241218.0
workerd --version 1.20241218.0 2024-12-18

Please ensure constraints are pinned, and miniflare/workerd minor versions match.

petebacondarwin
petebacondarwin requested changes Dec 23, 2024
View reviewed changes
Copy link
Contributor

@petebacondarwin petebacondarwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure how this can happen in practice - i.e. whether it is possible to access a real asset via a malformed URL segment.

But I feel like we should just be passing through these invalid segments rather than 404ing.
So instead of this fix we just change decodePath() so that it is resilient there: catching the error for each segment and just returning the original string instead of the decoded one.

If there is no such asset, then it would still 404 but at least we are not potentially hiding a real asset.

@Cherry
Copy link
Contributor Author

Cherry commented Dec 23, 2024

Good call, that makes sense, thanks Pete. I've updated the changes and tests to account for this more gracefully.

petebacondarwin
petebacondarwin reviewed Dec 27, 2024
View reviewed changes
packages/workers-shared/asset-worker/src/handler.ts Outdated
.map((x) => {
let encoded;
try {
encoded = encodeURIComponent(x);
Copy link
Contributor

@petebacondarwin petebacondarwin Dec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can encodeURIComponent actually throw?

Copy link
Contributor Author

@Cherry Cherry Dec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If given something like a lone surrogate, yes:

encodeURIComponent("\uD800")

How likely/possible this is to happen in a URL? Probably not, but I felt like it couldn't hurt to wrap both.

@Cherry Cherry force-pushed the fix/assets-path-decode branch from 91f2dca to 672c33b Compare December 27, 2024 23:04
@WalshyDev WalshyDev merged commit 2e78812 into cloudflare:main Jan 1, 2025
25 of 26 checks passed
@workers-devprod workers-devprod added the contribution [Holopin] Recognizes an open-source contribution, big or small label Jan 1, 2025
@holopin-bot
Copy link

holopin-bot bot commented Jan 1, 2025

Congratulations @Cherry, the maintainer of this repository has issued you a holobyte! Here it is: https://holopin.io/holobyte/cm5dcrmmj96750cmncd0hnuht

This badge can only be claimed by you, so make sure that your GitHub account is linked to your Holopin account. You can manage those preferences here: https://holopin.io/account.
Or if you're new to Holopin, you can simply sign up with GitHub, which will do the trick!

@workers-devprod workers-devprod mentioned this pull request Jan 1, 2025
Merged
penalosa pushed a commit that referenced this pull request Jan 10, 2025
@Cherry @penalosa
fix: better handler malformed paths (#7612)
a11b668 
* fix: better handler malformed paths

* chore: changeset

* fix: pass-through malformed paths better
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@petebacondarwin petebacondarwin petebacondarwin approved these changes

@WillTaylorDev WillTaylorDev WillTaylorDev approved these changes

Assignees

No one assigned

Labels

contribution [Holopin] Recognizes an open-source contribution, big or small

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

URI malformed error with Workers Assets and malformed paths

5 participants

@Cherry @petebacondarwin @WillTaylorDev @WalshyDev @workers-devprod