Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Errors in route handlers are not caught
See original GitHub issueThe following web server :
import polka from 'polka';
polka()
.get('/*', () => { throw new Error("i am an error") })
.listen(3000);
exits completely when receiving any request.
This is a quite unexpected behavior that causes serious denial of service vulnerabilities for users of the framework. The usual safer behavior adopted by other frameworks is to catch errors at the request level so that a single request cannot bring the entire web server down.
See for instance https://github.com/sveltejs/kit/issues/1523
Issue Analytics
- State:
- Created 2 years ago
- Comments:8 (6 by maintainers)
Top Results From Across the Web
Error handling - Express.js
Error Handling refers to how Express catches and processes errors that occur both synchronously and asynchronously. Express comes with a default error handler...
Read more >A Guide to Error Handling in Express.js | Scout APM Blog
Basic Quick Tutorial: Setting up Error Handling in Express.js · Step 1: Create and Setup Project · Step 2: Setup the Server ·...
Read more >Error Handling in Express - Reflectoring
The simplest way of handling errors in Express applications is by putting the error handling logic in the individual route handler functions. We ......
Read more >Why is my error handler in ExpressJS not working?
You must catch errors that occur in asynchronous code invoked by route handlers or middleware and pass them to Express for processing.
Read more >Error handling in Node.js with Express - DEV Community
Error handler is a special middleware in Node.js which takes 4 parameters. Regular route middleware takes 3 parameters: req, res and next. Error...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
I understand what you mean, and you may indeed want to consider that the vulnerability is in the user’s code if they do not wrap every single handler in a try…catch, but then you would need to make that very explicit in the documentation, and update the usage examples.
This is not the standard security approach taken by other frameworks, and in this case, starting the documentation about routing with
is very dangerous.
Crashing an entire web server when an error occurs in a single request is quite serious.
Closing as a duplicate of #12
This is already fixed in
polka@next& I recommend you use that instead. There’s a workaround here if you still want to use the0.5.xrelease: https://github.com/lukeed/polka/issues/12#issuecomment-486089751