I verified that the issue exists in Next.js canary release
Provide environment information
Operating System:
Platform: darwin
Arch: x64
Version: Darwin Kernel Version 20.6.0: Wed Jun 23 00:26:31 PDT 2021; root:xnu-7195.141.2~5/RELEASE_X86_64
Binaries:
Node: 16.13.1
npm: 8.1.2
Yarn: 1.22.17
pnpm: N/A
Relevant packages:
next: 12.0.11-canary.1
react: 17.0.2
react-dom: 17.0.2
What browser are you using? (if relevant)
No response
How are you deploying your application? (if relevant)
No response
Describe the Bug
I run a project that's targeted with some different attacks. One is directory traversal. Since I have a catch-all page in the root of the project, when I execute a GET request with this method from a client that doesn't replace the URL path, the server triggers a 500 instead of a 404.
I've already mentioned this behaviour here: #33912, but it was closed with an explanation that makes perfect sense when using a browser. However, if you do a request using Postman or cURL with the path-as-is option, you get a 500 error.
Error: Requested and resolved page mismatch: /test/../package-lock.json /package-lock.json
at Object.normalizePagePath (/Users/me/next-test/node_modules/next/dist/server/normalize-page-path.js:35:15)
at Object.getPagePath (/Users/me/next-test/node_modules/next/dist/server/require.js:24:84)
at NextNodeServer.getPagePath (/Users/me/next-test/node_modules/next/dist/server/next-server.js:336:30)
at NextNodeServer.hasPage (/Users/me/next-test/node_modules/next/dist/server/base-server.js:533:28)
at memoizedPageChecker (/Users/me/next-test/node_modules/next/dist/server/router.js:76:33)
at Object.fn (/Users/me/next-test/node_modules/next/dist/server/router.js:144:35)
at Router.execute (/Users/me/next-test/node_modules/next/dist/server/router.js:228:48)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async NextNodeServer.run (/Users/me/next-test/node_modules/next/dist/server/base-server.js:598:29)
at async NextNodeServer.handleRequest (/Users/me/next-test/node_modules/next/dist/server/base-server.js:305:20)
Error: Requested and resolved page mismatch: /test/../package-lock.json /package-lock.json
at Object.normalizePagePath (/Users/me/next-test/node_modules/next/dist/server/normalize-page-path.js:35:15)
at getPagePath (/Users/me/next-test/node_modules/next/dist/server/require.js:24:84)
at Object.requirePage (/Users/me/next-test/node_modules/next/dist/server/require.js:44:22)
at Object.loadComponents (/Users/me/next-test/node_modules/next/dist/server/load-components.js:58:23)
at NextNodeServer.findPageComponents (/Users/me/next-test/node_modules/next/dist/server/next-server.js:354:63)
at NextNodeServer.renderToResponse (/Users/me/next-test/node_modules/next/dist/server/base-server.js:1019:39)
at pipe.req.req (/Users/me/next-test/node_modules/next/dist/server/base-server.js:680:38)
at NextNodeServer.pipe (/Users/me/next-test/node_modules/next/dist/server/base-server.js:621:31)
at NextNodeServer.render (/Users/me/next-test/node_modules/next/dist/server/base-server.js:680:21)
at NextNodeServer.render (/Users/me/next-test/node_modules/next/dist/server/next-server.js:408:22)
Error: Requested and resolved page mismatch: /test/../package-lock.json /package-lock.json
at Object.normalizePagePath (/Users/me/next-test/node_modules/next/dist/server/normalize-page-path.js:35:15)
at IncrementalCache.get (/Users/me/next-test/node_modules/next/dist/server/incremental-cache.js:63:44)
at /Users/me/next-test/node_modules/next/dist/server/response-cache.js:46:74
at ResponseCache.get (/Users/me/next-test/node_modules/next/dist/server/response-cache.js:86:11)
at NextNodeServer.renderToResponseWithComponents (/Users/me/next-test/node_modules/next/dist/server/base-server.js:886:53)
at NextNodeServer.renderToResponse (/Users/me/next-test/node_modules/next/dist/server/base-server.js:1040:47)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async NextNodeServer.pipe (/Users/me/next-test/node_modules/next/dist/server/base-server.js:621:25)
at async Object.fn (/Users/me/next-test/node_modules/next/dist/server/base-server.js:494:21)
at async Router.execute (/Users/me/next-test/node_modules/next/dist/server/router.js:228:32)
Expected Behavior
Should return a 404 error code instead of a 500 error code.
psoaresbj changed the title from "Requested and resolved page mismatch returns a 500 error. If the page shouldn't exist should be a 404 error." to "500 error instead of 404" (Apr 28, 2022)
psoaresbj changed the title from "500 error instead of 404" to "Requested and resolved page mismatch returns a 500 error instead of 404" (Apr 28, 2022)
This updates to show a 400 (bad request) when an invalid path is sent to Next.js similar to our decode failure handling.
## Bug
- [x] Related issues linked using `fixes #number`
- [x] Integration tests added
- [ ] Errors have helpful link attached, see `contributing.md`
Closes: #36555
Co-authored-by: Tim Neutkens <[email protected]>
After some digging, I've found what's causing that:
https://github.com/vercel/next.js/blob/canary/packages/next/server/normalize-page-path.ts#L20
Shouldn't the mentioned throw return a 404 instead?
To Reproduce
Clone the project:
https://github.com/psoaresbj/path-traversal/
Install, build and run:
curl -i --path-as-is 'http://localhost:3000/test/../abc'
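As an added example (not part of the issue thread or the Next.js code base), here is a request-path guard that could sit in front of a catch-all route and answer traversal or undecodable paths with a 400, the status the fix describes, instead of letting a thrown error surface as a 500. The names `resolvePath`, `classifyPath` and `makePathGuard` are hypothetical, and the sample paths in the comments are constructed.

```javascript
// Added example, not Next.js source. resolvePath, classifyPath and
// makePathGuard are hypothetical names chosen for this illustration.

// Collapse "." / ".." / empty segments, keeping a trailing slash.
function resolvePath(pathname) {
  const out = [];
  for (const seg of pathname.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  const trailing = out.length > 0 && pathname.endsWith('/');
  return '/' + out.join('/') + (trailing ? '/' : '');
}

// Decide whether a raw request target is safe to hand to the page router.
function classifyPath(rawUrl) {
  const rawPath = rawUrl.split(/[?#]/, 1)[0]; // the query string is not a path
  let decoded;
  try {
    // Decode first so "/test/%2e%2e/abc" is judged the same as "/test/../abc".
    decoded = decodeURIComponent(rawPath);
  } catch {
    return { ok: false, status: 400, reason: 'malformed percent-encoding' };
  }
  if (!decoded.startsWith('/') || /[\\\0]/.test(decoded)) {
    return { ok: false, status: 400, reason: 'illegal character in path' };
  }
  const resolved = resolvePath(decoded);
  if (resolved !== decoded) {
    // A client error, not a server fault: report 4xx and never throw.
    return { ok: false, status: 400, reason: `requested ${decoded} resolves to ${resolved}` };
  }
  return { ok: true, path: decoded };
}

// Connect-style middleware: reject before routing and log the reason for triage.
function makePathGuard(log = () => {}) {
  return function pathGuard(req, res, next) {
    const verdict = classifyPath(req.url);
    if (verdict.ok) return next();
    log({ url: req.url, reason: verdict.reason });
    res.statusCode = verdict.status;
    res.end('Bad Request');
  };
}
```

Logging the rejected URL and reason separately from application errors keeps traversal probes out of the 5xx error budget while still leaving a trail for detection.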