-
-
Notifications
You must be signed in to change notification settings - Fork 173
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Errors in route handlers are not caught #164
Comments
What version of Polka are you using? |
Closing as a duplicate of #12 This is already fixed in |
I just tried polka@next. The issue seems to be solved for synchronous handlers, but not async ones import polka from 'polka';
polka()
.get('/*', async () => { throw new Error("i am an error") })
.listen(3000); still crashes the entire web server. This is a serious security vulnerability. Would you consider fixing the issue fully and backporting it to previous versions ? For instance, all sveltekit servers are currently vulnerable to remote denial of service because of this issue. |
Users not catching their own handler errors is not a security issue. That would mean all runtime errors in all of JS must be classified as security vulnerabilities. I will investigate and fix it in next once I'm back at my desk. But no, it will not be backported. Thanks for the issue and follow up. |
PS the workaround is still valid, just needs to be async const old = app.handler;
app.handler = async function (req, res, info) {
try {
await old.apply(app, arguments);
} catch (err) {
console.log('> I caught error:', err);
res.end('Oops~');
}
} |
I understand what you mean, and you may indeed want to consider that the vulnerability is in the user's code if they do not wrap every single handler in a try...catch, but then you would need to make that very explicit in the documentation, and update the usage examples. This is not the standard security approach taken by other frameworks, and in this case, starting the documentation about routing with
is very dangerous. Crashing an entire web server when an error occurs in a single request is quite serious. |
Literally the next sentence links you to the section of comparisons/differences, in which it says you cannot |
Closing this as a duplicate of #134, which came first. Either way, this is solved in the next |
The following web server :
exits completely when receiving any request.
This is a quite unexpected behavior that causes serious denial of service vulnerabilities for users of the framework.
The usual safer behavior adopted by other frameworks is to catch errors at the request level so that a single request cannot bring the entire web server down.
See for instance sveltejs/kit#1523
The text was updated successfully, but these errors were encountered: