fix: update getFilenameFromUrl to return errorCode and filename

Author: bjohansebas

src/index.js

@@ -279,7 +279,7 @@ function wdm(compiler, options = {}) {
 
   // API
   instance.getFilenameFromUrl = (url, extra) =>
-    getFilenameFromUrl(filledContext, url, extra);
+    getFilenameFromUrl(filledContext, url, extra)?.filename;
 
   instance.waitUntilValid = (callback = noop) => {
     ready(filledContext, callback);

src/middleware.js

@@ -498,22 +498,20 @@ function wrapper(context) {
      */
     async function processRequest() {
       // Pipe and SendFile
-      /** @type {import("./utils/getFilenameFromUrl").Extra} */
-      const extra = {};
-      const filename = getFilenameFromUrl(
+      const { filename, extra, errorCode } = getFilenameFromUrl(
         context,
         /** @type {string} */ (getRequestURL(req)),
-        extra,
+        {},
       );
 
-      if (extra.errorCode) {
-        if (extra.errorCode === 403) {
+      if (errorCode) {
+        if (errorCode === 403) {
           context.logger.error(`Malicious path "${filename}".`);
         }
 
         await sendError(
-          extra.errorCode === 400 ? "Bad Request" : "Forbidden",
-          extra.errorCode,
+          errorCode === 400 ? "Bad Request" : "Forbidden",
+          errorCode,
           {
             modifyResponseData: context.options.modifyResponseData,
           },

src/utils/getFilenameFromUrl.js

@@ -30,7 +30,6 @@ const UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
 /**
  * @typedef {object} Extra
  * @property {import("fs").Stats=} stats stats
- * @property {number=} errorCode error code
  * @property {boolean=} immutable true when immutable, otherwise false
  */
 
@@ -42,30 +41,31 @@ const UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
  * @returns {string}
  */
 
-// TODO refactor me in the next major release, this function should return `{ filename, stats, error }`
 // TODO fix redirect logic when `/` at the end, like https://github.com/pillarjs/send/blob/master/index.js#L586
 /**
  * @template {IncomingMessage} Request
  * @template {ServerResponse} Response
  * @param {import("../index.js").FilledContext<Request, Response>} context context
  * @param {string} url url
  * @param {Extra=} extra extra
- * @returns {string | undefined} filename
+ * @returns {{ filename?: string, extra: Extra, errorCode?: number }} filename
  */
 function getFilenameFromUrl(context, url, extra = {}) {
   const { options } = context;
   const paths = getPaths(context);
 
   /** @type {string | undefined} */
   let foundFilename;
+  /** @type {number | undefined} */
+  let errorCode;
   /** @type {import("node:url").Url} */
   let urlObject;
 
   try {
     // The `url` property of the `request` is contains only  `pathname`, `search` and `hash`
     urlObject = memoizedParse(url, false, true);
   } catch {
-    return;
+    return { errorCode, filename: foundFilename, extra };
   }
 
   for (const { publicPath, outputPath, assetsInfo } of paths) {
@@ -94,16 +94,16 @@ function getFilenameFromUrl(context, url, extra = {}) {
     ) {
       // Null byte(s)
       if (pathname.includes("\0")) {
-        extra.errorCode = 400;
+        errorCode = 400;
 
-        return;
+        return { errorCode, filename: foundFilename, extra };
       }
 
       // ".." is malicious
       if (UP_PATH_REGEXP.test(path.normalize(`./${pathname}`))) {
-        extra.errorCode = 403;
+        errorCode = 403;
 
-        return;
+        return { errorCode, filename: foundFilename, extra };
       }
 
       // Strip the `pathname` property from the `publicPath` option from the start of requested url
@@ -161,7 +161,7 @@ function getFilenameFromUrl(context, url, extra = {}) {
     }
   }
 
-  return foundFilename;
+  return { filename: foundFilename, extra, errorCode };
 }
 
 module.exports = getFilenameFromUrl;