Express 5.0.0 Route with regex not working #5948
Comments
I have seen a similar issue with express 5.0 - which seems to have its root cause in the path-to-regexp module: /some-repo/node_modules/path-to-regexp/dist/index.js:85 TypeError: Missing parameter name at 1: https://git.new/pathToRegexpError
Is it related to https://blakeembrey.com/posts/2024-09-web-redos/ and GHSA-9wv6-86v2-598j?
I agree - seems "weird"..
We fully dropped support for regular expressions in strings for routes. You can check out the docs for So it would become this:
app.get(['/discussion/:slug', '/page/:slug'], async (req, res) => {
  throw {statusCode: 400, message: "harish"}
  res.status(200).send("asfas")
})
@wesleytodd, sad to hear, we used regexp for data type routing.
app.get('/product/:page([0-9]+)', async (req, res) => {
We will be recommending folks use a more robust input validation approach for this. If you want, here is the open api library I maintain: https://github.com/wesleytodd/express-openapi/

The reason for this is mainly security around DOS protection. There is no way to support path segment regular expression matching while also avoiding major performance regressions. See more here: https://blakeembrey.com/posts/2024-09-web-redos/

This is a 100% big win for the ecosystem longer term, as regular expression route matching was one of the worst decisions from the early days which has stuck around. So while we understand the pain this change will cause, we stand by this decision as the right thing for the ecosystem and all express users (even if you need to change your approach to this sort of routing).
@HarishGangula I do want to include as an aside here that Due to time constraints I haven't had the capacity to write a version that supports parsing of regex characters into something that can be guaranteed safe to avoid ReDoS, but that's not a forever situation. They've been reserved so it's possible to add it back again later.

@ex1st Totally understand the concern, it's my biggest let down too. For now you'd have to include it in the method and call
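Added example (not part of the thread, and not code from Express or from any commenter): one way to move the `:page([0-9]+)` constraint discussed above out of the route string and into middleware, using `next('route')` so a non-matching request still falls through to later routes. `constrainParams`, `numericPage` and the length limits are hypothetical names and values chosen for the illustration.

```javascript
// Build an Express-style middleware (req, res, next) that enforces one
// anchored pattern per route parameter. constrainParams is a hypothetical
// helper name, not an Express API.
function constrainParams(constraints, maxLen = 64) {
  const rules = Object.entries(constraints);
  for (const [name, re] of rules) {
    // The g and y flags make RegExp.prototype.test stateful (lastIndex),
    // so the same input could pass on one request and fail on the next.
    if (!(re instanceof RegExp) || re.global || re.sticky) {
      throw new TypeError(`constraint for "${name}" must be a RegExp without g/y flags`);
    }
  }
  return function paramGuard(req, res, next) {
    for (const [name, re] of rules) {
      const value = req.params[name];
      // Missing or non-string values fail closed; the length cap bounds the
      // work done per request before the pattern is even tried.
      if (typeof value !== 'string' || value.length > maxLen || !re.test(value)) {
        // Skip the remaining handlers of this route and let later routes
        // (or the 404 handler) take the request.
        return next('route');
      }
    }
    return next();
  };
}

// Replacement for the old inline constraint '/product/:page([0-9]+)'.
// The 10-character limit is an assumed bound, not something from the thread.
const numericPage = constrainParams({ page: /^[0-9]+$/ }, 10);

// Usage with Express 5 (assumes `app = express()`; handlers are placeholders):
//   app.get('/product/:page', numericPage, (req, res) => res.send(`page ${req.params.page}`));
//   app.get('/product/:slug', (req, res) => res.send(`slug ${req.params.slug}`));
```

The pattern is applied to a single already-extracted parameter and is anchored at both ends, so it never takes part in path matching itself.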
@blakeembrey This is one of the examples, but we have routes which use regex, like at the end of all routes I want to keep '*' as a route and send a specific response instead of the Express default one.
If you want to use a regex it’s fine to write a regex directly, it’s just not supported in the string.
The migration guide explicitly mentions using regex as a string, but I take it that's not correct seeing as the example provided doesn't work ( https://expressjs.com/en/guide/migrating-5.html#path-syntax
#5948 (comment)
Yes, that guide needs updating. Please submit a PR on https://github.com/expressjs/expressjs.com
We have created a simple Express application with the following code
It is throwing the following error
We identified that the path-to-regexp node module is broken, which is causing this issue.
Node.js v20.10.0 used