In the snippet below, the basicAuth middleware will be applied to all routes beginning with /secure/.
```js
var unless = require('express-unless');
...
// Skip basicAuth only for paths that do NOT start with /secure/
app.use(basicAuth.unless({path: /^(?!\/secure\/).*/}));
```
However, Express uses case-insensitive routing by default. This means that if we use the above regex and have a route /secure/endpoint, we can bypass the basicAuth middleware by requesting the route /SECURE/endpoint.
The documentation for the path option should be updated to bring this to the developers' attention. The developer should always use the case-insensitive 'i' flag when using a negative regular expression (i.e., `{path: /^(?!\/secure\/).*/i}`) or set the Express case sensitive routing option to true.
An alternate solution is to update the default behavior of the express-unless path option to include the 'i' option by default when using regular expressions. This would make the default express-unless behavior align with the default Express routing behavior; however, this would be a breaking change.
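The following is an added example, not code from the issue or from express-unless itself: a minimal stand-in for the `unless({path})` decision plus a model of Express's default case-insensitive route matching, so a reviewer can check which request paths reach the protected handler without passing through basicAuth under the original pattern, the 'i'-flagged pattern, and the case-sensitive-routing fix. The `wouldSkip`, `routeMatches`, `isBypass` and `audit` helpers and the probe paths are assumptions constructed for the example.

```javascript
// Pattern copied from the issue: skip basicAuth for any path that does NOT
// begin with /secure/. Without the 'i' flag the lookahead is case-sensitive.
const UNSAFE_SKIP = /^(?!\/secure\/).*/;
// Hardened pattern from the issue: same lookahead with the 'i' flag.
const SAFE_SKIP = /^(?!\/secure\/).*/i;

// Simplified model of express-unless (assumption, not its real code):
// the middleware is skipped when the 'path' option matches the request path.
function wouldSkip(pathOption, requestPath) {
  return pathOption.test(requestPath);
}

// Model of Express route matching: case-insensitive by default, exact when
// the "case sensitive routing" setting is enabled.
function routeMatches(routePath, requestPath, caseSensitive = false) {
  return caseSensitive
    ? routePath === requestPath
    : routePath.toLowerCase() === requestPath.toLowerCase();
}

// A bypass is a request that is served by the protected route while the
// auth middleware was skipped for it.
function isBypass(pathOption, routePath, requestPath, caseSensitive = false) {
  return routeMatches(routePath, requestPath, caseSensitive) &&
         wouldSkip(pathOption, requestPath);
}

// Return every probe path that bypasses auth for the given configuration.
function audit(pathOption, routePath, requestPaths, caseSensitive = false) {
  return requestPaths.filter((p) => isBypass(pathOption, routePath, p, caseSensitive));
}

// Constructed sample inputs: the route from the issue and a few case variants.
const PROTECTED_ROUTE = '/secure/endpoint';
const PROBES = ['/secure/endpoint', '/SECURE/endpoint', '/Secure/Endpoint', '/public/home'];

console.log('bypasses with original pattern:', audit(UNSAFE_SKIP, PROTECTED_ROUTE, PROBES));
console.log('bypasses with i flag:', audit(SAFE_SKIP, PROTECTED_ROUTE, PROBES));
console.log('bypasses with case-sensitive routing:', audit(UNSAFE_SKIP, PROTECTED_ROUTE, PROBES, true));
```

Either fix on its own empties the bypass list; the 'i' flag keeps the pattern correct even if someone later re-enables case-insensitive routing.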