io.js support for null byte path

[pierreinglebert]

The null byte path traversal is fixed for io.js in nodejs/node#517 and returns an ENOENT.
We have a different behavior between node and io here, maybe it should be homogenized by returning a 404 instead of 403.

[kanongil]

I am not sure about official iojs support yet, as hapi itself doesn't target it. I am however willing to accept a patch that simply reverts the response code to 404 to more closely align with iojs development.

[hueniverse]

Given the current state of io.js adoption, the official node distribution wins whenever there is conflict in implementation.

[pierreinglebert]

Sorry for not being clear enough.

The null byte path issue is not fixed in node.js so you fixed it in inert (https://github.com/hapijs/inert/blob/master/lib/file.js#L216) by returning a 403.
io.js fixed that issue (nodejs/node#517) by returning an ENOENT error leading to a 404 in inert.

So the implementation conflict is between inert and io.js not node.js.

The other part of this pr is for coverage failure because that fix is not being executed in io.js.

[kanongil]

@hueniverse Even without iojs I think that a 404 response is more appropriate than 403, which I initially implemented. The error should be a 404.

[pierreinglebert]

I created another PR for 404, i'll rebase this one after and then there will only be specific fixes for io.js tests to pass.

[hueniverse]

@kanongil I don't have an opinion on that part of the discussion.

[kanongil]

@hueniverse Is $lab:coverage:off$, etc an appropriate way to handle code coverage of platform specific workarounds? Or is there a better solution?

[hueniverse]

Not really. But I don't know what's the right approach here. The problem is that this turns off coverage for all cases, including the ones we need to make sure we test.

[kanongil]

Well that pretty much mirrors my concerns. We really need a decent mechanism to handle platform specific workarounds, be it 0.10 vs. 0.12 & io.js, or linux vs. windows.

[hueniverse]

Open an issue on lab to add conditional coverage exclusion support. Should not be too hard to add.

[kanongil]

Conditional coverage support would only enable a fix for the symptoms. Eg. a future node release could adopt the io.js fix, causing the coverage test to fail because only io.js is part of the condition.

I am inclined to think that @pierreinglebert's solution is the more appropriate approach. With the io.js patch, this can be seen as a defensive programming expression catching the error on "old" platforms. With multiple supported platforms, 100% branch coverage is somewhat of a pipe dream.

[hueniverse]

As long as node 0.10/12 is the official version supported, coverage must match that without any hacks. Once/if we switch to iojs, we can clean the code to remove any unused code.

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.