bug: prevent pi-web malformed path from returning 500#83
Open
ALX99 wants to merge 2 commits into
Open
Conversation
5cf571d to
dd748db
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
pi-webdecodes the request pathname withdecodeURIComponent(url.pathname)before the static-file 4xx handling. A malformed percent-encoded path such as/%E0%A4%AthrowsURIError, escapeshandleHttp(), and is converted by the top-level HTTP wrapper into a 500 response.Severity and impact
This is a reliability/correctness bug in the local web server. A malformed client URL is a bad request, not an internal server failure. The impact is limited because
pi-webbinds only to loopback, but browser extensions, stale tabs, scripts, or local probes can trigger noisy false 500s and make logs/debugging misleading.Evidence
Relevant code:
pi-web/src/server.ts:handleHttp()constructsnew URL(...), then callsdecodeURIComponent(url.pathname)before path normalization and before returning normal 403/404 responses.decodeURIComponent("/%E0%A4%A")throwsURIError: URI malformed; thecreateServer()wrapper catches it and returnsInternal error: URI malformedwith status 500.pi-web/tests/server.test.ts:startServer: returns 400 for malformed percent-encoded pathssendsGET /%E0%A4%Aand asserts status 400/bodyBad Request.This is a real defect rather than a hypothetical edge case because malformed percent escapes are accepted at the HTTP request line level,
decodeURIComponentdeterministically throws for them, and the server currently maps that client input error to an internal-error response.Reproduce
Setup:
cd pi-web npm installTriggering request:
npm test -- tests/server.test.tsMinimal manual reproduction before the fix:
pi-webserver.GET /%E0%A4%A.Actual result before the fix:
Internal error: URI malformedExpected result:
Bad RequestRoot cause
Malformed request path decoding was treated the same as unexpected server failures.
decodeURIComponent()can throwURIErrorfor invalid percent-encoded UTF-8 sequences, buthandleHttp()did not catch that expected client-input error locally.Fix
Wrap only the pathname decode in a
try/catch. If the failure is aURIError, return HTTP 400Bad Request; otherwise rethrow so genuinely unexpected failures still surface through the existing 500 path.Validation
Commands run:
Regression test added:
pi-web/tests/server.test.ts—startServer: returns 400 for malformed percent-encoded pathsScope
Only malformed static URL path decoding is changed. No WebSocket behavior, static path traversal checks, MIME handling, CLI parsing, session/runtime behavior, or unrelated routing semantics were changed.