
Unintentionally Bypassing Middleware with Case-Sensitive Negative Regex #16

@dbohannon

Description


In the snippet below, the basicAuth middleware will be applied to all routes beginning with /secure/.

```js
var unless = require('express-unless');
...
app.use(basicAuth.unless({path: /^(?!\/secure\/).*/}));
```

However, Express uses case-insensitive routing by default. This means that if we use the above regex and have a route /secure/endpoint, we can bypass the basicAuth middleware by requesting the route /SECURE/endpoint.

The documentation for the path option should be updated to bring this to the developer's attention. The developer should always use the case-insensitive 'i' flag when using a negative regular expression (i.e., {path: /^(?!\/secure\/).*/i}) or set the Express case sensitive routing option to true.

An alternate solution is to update the default behavior of the express-unless path option to include the 'i' option by default when using regular expressions. This would make the default express-unless behavior align with the default Express routing behavior; however, this would be a breaking change.
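The following stand-alone JavaScript is an added illustration, not code from express-unless, Express, or the issue author. It models the two pieces that interact here: express-unless skipping the middleware whenever the `path` RegExp matches the request path, and Express's default case-insensitive route matching. The router model (`routeMatches`), the `caseSensitiveRouting` switch, and the `authBypassed` helper are simplifications assumed for the example; they are not the real Express or express-unless APIs. It checks the issue's regex against both the lowercase and uppercase request, then shows both fixes the issue proposes: the `i` flag on the regex and case-sensitive routing.

```javascript
// Added example, not part of express-unless or the original issue.
// Simplified model of Express routing: by default Express compares route and
// request paths case-insensitively ("case sensitive routing" is off).
function routeMatches(routePath, requestPath, caseSensitiveRouting = false) {
  return caseSensitiveRouting
    ? routePath === requestPath
    : routePath.toLowerCase() === requestPath.toLowerCase();
}

// express-unless behaviour for a RegExp `path` option: the wrapped middleware
// is skipped when the regex matches the request path.
function middlewareSkipped(pathRegex, requestPath) {
  return pathRegex.test(requestPath);
}

// Hypothetical helper: true when a request reaches the protected route handler
// while the auth middleware was skipped, i.e. the middleware was bypassed.
function authBypassed({ pathRegex, routePath, requestPath, caseSensitiveRouting = false }) {
  const reachesRoute = routeMatches(routePath, requestPath, caseSensitiveRouting);
  const skipped = middlewareSkipped(pathRegex, requestPath);
  return reachesRoute && skipped;
}

// The regex from the issue (case-sensitive) and the hardened variant with 'i'.
const VULNERABLE_REGEX = /^(?!\/secure\/).*/;
const HARDENED_REGEX = /^(?!\/secure\/).*/i;

const PROTECTED_ROUTE = '/secure/endpoint';

// Runs the scenarios described in the issue and returns the outcomes.
function runScenarios() {
  return {
    // Normal request: lookahead fails, middleware runs, no bypass.
    lowercaseVulnerable: authBypassed({
      pathRegex: VULNERABLE_REGEX, routePath: PROTECTED_ROUTE, requestPath: '/secure/endpoint',
    }),
    // Uppercase request: regex does not match "/SECURE/", so express-unless
    // skips basicAuth, yet Express still routes it to /secure/endpoint.
    uppercaseVulnerable: authBypassed({
      pathRegex: VULNERABLE_REGEX, routePath: PROTECTED_ROUTE, requestPath: '/SECURE/endpoint',
    }),
    // Fix 1: 'i' flag makes the negative lookahead catch "/SECURE/" too.
    uppercaseHardenedRegex: authBypassed({
      pathRegex: HARDENED_REGEX, routePath: PROTECTED_ROUTE, requestPath: '/SECURE/endpoint',
    }),
    // Fix 2: case-sensitive routing means /SECURE/endpoint never reaches the route.
    uppercaseCaseSensitiveRouting: authBypassed({
      pathRegex: VULNERABLE_REGEX, routePath: PROTECTED_ROUTE, requestPath: '/SECURE/endpoint',
      caseSensitiveRouting: true,
    }),
    // Unrelated public path: middleware is skipped by design, but the protected
    // route is not reached, so this is not a bypass.
    publicPath: authBypassed({
      pathRegex: VULNERABLE_REGEX, routePath: PROTECTED_ROUTE, requestPath: '/public/index',
    }),
  };
}

console.log(runScenarios());
```

Note that the `i` flag only closes the gap if the negative pattern is the sole guard; any other normalisation differences between the router and the regex (for example trailing-slash handling when Express's "strict routing" is off) deserve the same kind of check.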
