Impact
The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.
TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.
The code to reproduce it. The server side application:
import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'
const wait = async (ms: number) => {
return new Promise((resolve) => {
setTimeout(resolve, ms)
})
}
const app = new Hono({ router: new TrieRouter() })
app.use('*', async (c, next) => {
await wait(Math.random() * 200)
return next()
})
app.get('/modules/:id/versions/:version', async (c) => {
const id = c.req.param('id')
const version = c.req.param('version')
console.log('path', c.req.path)
console.log('version', version)
return c.json({
id,
version,
})
})
export default app
The client code which makes requests to the server application:
const examples = [
'http://localhost:8787/modules/first/versions/first',
'http://localhost:8787/modules/second/versions/second',
'http://localhost:8787/modules/third/versions/third',
]
const test = () => {
for (const example of examples) {
fetch(example)
.then((response) => response.json())
.then((data) => {
const splitted = example.split('/')
const expected = splitted[splitted.length - 1]
if (expected !== data.version) {
console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
}
})
}
}
test()
The results:
Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first
Patches
"v3.11.7" includes the change to fix this issue.
Workarounds
Don't use TrieRouter directly.
// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })
References
Router options on the Hono website: https://hono.dev/api/hono#router-option
Impact
The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.
TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.
The code to reproduce it. The server side application:
The client code which makes requests to the server application:
The results:
Patches
"v3.11.7" includes the change to fix this issue.
Workarounds
Don't use TrieRouter directly.
References
Router options on the Hono website: https://hono.dev/api/hono#router-option