Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(fs-router) check for routes with / first, then without #2258

Merged
merged 8 commits into from
Mar 27, 2024
Merged

fix(fs-router) check for routes with / first, then without #2258

merged 8 commits into from
Mar 27, 2024

Conversation

cromoteca
Copy link
Contributor

@cromoteca cromoteca commented Mar 25, 2024
edited
Loading

When searching for the current view in Java, the trailing slash can cause misses.

This PR makes sure that both cases are handled, giving priority to the version with trailing slash, because that's what React Router does.

Fixes #2244

@codecov Codecov
Copy link

codecov bot commented Mar 25, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.77%. Comparing base (a4d3dfb) to head (230bdd0).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2258   +/-   ##
=======================================
  Coverage   93.77%   93.77%           
=======================================
  Files          65       65           
  Lines        1639     1639           
  Branches      368      368           
=======================================
  Hits         1537     1537           
  Misses         67       67           
  Partials       35       35
Flag Coverage Δ
unittests 93.77% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

knoobie
knoobie reviewed Mar 26, 2024
View reviewed changes
packages/java/endpoint/src/main/java/com/vaadin/hilla/route/ClientRouteRegistry.java
}
return null;
}).filter(Objects::nonNull).findFirst().orElse(null);
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just bypassing here: Did you consider security here? I remember some CVEs in the recent past which originated from security confusion based on trailing slash..

Additionally there is this recent Spring Framework Change to keep in mind: spring-projects/spring-framework#28552

Copy link
Contributor Author

@cromoteca cromoteca Mar 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code doesn't actually change which content is rendered. Its purpose is to try to give the same view permission response that you would get on the client where the navigation is handled by the React Routed.

By doing some manual testing, I've seen that when two routes are present which are only different on the trailing slash, React Router always renders the one with the slash (e.g. you cannot see /about if /about/ exists). But it is also forgiving: /about/ will show the view associated to /about if an exact match is not there.

We don't have this information here, since the new File Router only stores the path items (e.g. ["about"]). Also, the root path is stored as "", but it must match "/".

This PR modifies the code that tries to find the route that React Router would render given a path. In that sense, it should not open any additional security breach.

@cromoteca cromoteca requested a review from taefi March 26, 2024 16:12
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Mar 27, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@cromoteca cromoteca merged commit 74399f7 into main Mar 27, 2024
15 checks passed
@cromoteca cromoteca deleted the fix/2244/file-router-the-view-for-the-root-path-is-never-found-in-Java-view-registry branch March 27, 2024 09:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knoobie knoobie knoobie left review comments

@taefi taefi taefi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(file router) the view for the root path is never found in Java view registry
3 participants
@cromoteca @knoobie @taefi