Errors in route handlers are not caught

[lovasoa]

The following web server :

import polka from 'polka';

polka()
  .get('/*', () => { throw new Error("i am an error") })
  .listen(3000);

exits completely when receiving any request.

This is a quite unexpected behavior that causes serious denial of service vulnerabilities for users of the framework.
The usual safer behavior adopted by other frameworks is to catch errors at the request level so that a single request cannot bring the entire web server down.

See for instance sveltejs/kit#1523

[lukeed]

What version of Polka are you using?

[lukeed]

Closing as a duplicate of #12

This is already fixed in polka@next & I recommend you use that instead. There's a workaround here if you still want to use the 0.5.x release: #12 (comment)

[lovasoa]

I just tried polka@next. The issue seems to be solved for synchronous handlers, but not async ones

import polka from 'polka';

polka()
  .get('/*', async () => { throw new Error("i am an error") })
  .listen(3000);

still crashes the entire web server.

This is a serious security vulnerability. Would you consider fixing the issue fully and backporting it to previous versions ?

For instance, all sveltekit servers are currently vulnerable to remote denial of service because of this issue.

[lukeed]

Users not catching their own handler errors is not a security issue. That would mean all runtime errors in all of JS must be classified as security vulnerabilities.

I will investigate and fix it in next once I'm back at my desk. But no, it will not be backported.

Thanks for the issue and follow up.

[lukeed]

PS the workaround is still valid, just needs to be async

const old = app.handler;
app.handler = async function (req, res, info) {
	try {
		await old.apply(app, arguments);
	} catch (err) {
		console.log('> I caught error:', err);
		res.end('Oops~');
	}
}

[lovasoa]

Users not catching their own handler errors is not a security issue. That would mean all runtime errors in all of JS must be classified as security vulnerabilities.

I understand what you mean, and you may indeed want to consider that the vulnerability is in the user's code if they do not wrap every single handler in a try...catch, but then you would need to make that very explicit in the documentation, and update the usage examples.

This is not the standard security approach taken by other frameworks, and in this case, starting the documentation about routing with

If you're coming from Express, there's nothing new here!

is very dangerous.

Crashing an entire web server when an error occurs in a single request is quite serious.

[lukeed]

If you're coming from Express, there's nothing new here!

Literally the next sentence links you to the section of comparisons/differences, in which it says you cannot throw from within handlers.

[lukeed]

Closing this as a duplicate of #134, which came first. Either way, this is solved in the next @next release.