measure invalid paths handled (github#26734)

peterbe · web-flow · commit 3b1b69002b93 · 2022-04-06T16:47:47.000Z
diff --git a/middleware/handle-invalid-paths.js b/middleware/handle-invalid-paths.js
@@ -1,8 +1,12 @@
 import patterns from '../lib/patterns.js'
+import statsd from '../lib/statsd.js'
+
+const STATSD_KEY = 'middleware.handle_invalid_paths'
 
 export default function handleInvalidPaths(req, res, next) {
   // prevent open redirect vulnerability
   if (req.path.match(patterns.multipleSlashes)) {
+    statsd.increment(STATSD_KEY, 1, ['check:multiple-slashes'])
     return next(404)
   }
 
@@ -14,7 +18,7 @@ export default function handleInvalidPaths(req, res, next) {
     if (process.env.NODE_ENV !== 'test') {
       console.error('unable to decode path', req.path, err)
     }
-
+    statsd.increment(STATSD_KEY, 1, ['check:decodeURIComponent'])
     return res.sendStatus(400)
   }
 
@@ -35,21 +39,25 @@ export default function handleInvalidPaths(req, res, next) {
       console.error('unable to normalize path', req.path, err)
     }
 
+    statsd.increment(STATSD_KEY, 1, ['check:ERR_INVALID_URL'])
     return res.sendStatus(400)
   }
 
   // Prevent some script tag injection attacks
   if (req.path.match(/<script/i)) {
+    statsd.increment(STATSD_KEY, 1, ['check:script-tag-injection'])
     return res.sendStatus(400)
   }
 
   // Prevent some injection attacks targeting Fastly
   if (req.path.match(/<esi:include/i)) {
+    statsd.increment(STATSD_KEY, 1, ['check:esi-injection-attack'])
     return res.sendStatus(400)
   }
 
   // Prevent various malicious injection attacks targeting Next.js
   if (req.path.match(/^\/_next[^/]/) || req.path === '/_next/data' || req.path === '/_next/data/') {
+    statsd.increment(STATSD_KEY, 1, ['check:nextjs-injection-attack'])
     return next(404)
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,12 @@`
`1`	`1`	`import patterns from '../lib/patterns.js'`
	`2`	`+import statsd from '../lib/statsd.js'`
	`3`	`+`
	`4`	`+const STATSD_KEY = 'middleware.handle_invalid_paths'`
`2`	`5`
`3`	`6`	`export default function handleInvalidPaths(req, res, next) {`
`4`	`7`	`// prevent open redirect vulnerability`
`5`	`8`	`if (req.path.match(patterns.multipleSlashes)) {`
	`9`	`+ statsd.increment(STATSD_KEY, 1, ['check:multiple-slashes'])`
`6`	`10`	`return next(404)`
`7`	`11`	`}`
`8`	`12`
`@@ -14,7 +18,7 @@ export default function handleInvalidPaths(req, res, next) {`
`14`	`18`	`if (process.env.NODE_ENV !== 'test') {`
`15`	`19`	`console.error('unable to decode path', req.path, err)`
`16`	`20`	`}`
`17`		`-`
	`21`	`+ statsd.increment(STATSD_KEY, 1, ['check:decodeURIComponent'])`
`18`	`22`	`return res.sendStatus(400)`
`19`	`23`	`}`
`20`	`24`
`@@ -35,21 +39,25 @@ export default function handleInvalidPaths(req, res, next) {`
`35`	`39`	`console.error('unable to normalize path', req.path, err)`
`36`	`40`	`}`
`37`	`41`
	`42`	`+ statsd.increment(STATSD_KEY, 1, ['check:ERR_INVALID_URL'])`
`38`	`43`	`return res.sendStatus(400)`
`39`	`44`	`}`
`40`	`45`
`41`	`46`	`// Prevent some script tag injection attacks`
`42`	`47`	`if (req.path.match(/<script/i)) {`
	`48`	`+ statsd.increment(STATSD_KEY, 1, ['check:script-tag-injection'])`
`43`	`49`	`return res.sendStatus(400)`
`44`	`50`	`}`
`45`	`51`
`46`	`52`	`// Prevent some injection attacks targeting Fastly`
`47`	`53`	`if (req.path.match(/<esi:include/i)) {`
	`54`	`+ statsd.increment(STATSD_KEY, 1, ['check:esi-injection-attack'])`
`48`	`55`	`return res.sendStatus(400)`
`49`	`56`	`}`
`50`	`57`
`51`	`58`	`// Prevent various malicious injection attacks targeting Next.js`
`52`	`59`	`if (req.path.match(/^\/_next[^/]/) \|\| req.path === '/_next/data' \|\| req.path === '/_next/data/') {`
	`60`	`+ statsd.increment(STATSD_KEY, 1, ['check:nextjs-injection-attack'])`
`53`	`61`	`return next(404)`
`54`	`62`	`}`
`55`	`63`