
Crash on unusual / malformed path in normalizePath.js #130

Open
solymosi opened this issue Aug 29, 2024 · 0 comments

solymosi commented Aug 29, 2024

Given:

  • the latest version (7.0.0) of express-prom-bundle
  • includePath set to true in the options
  • a request with the following path: //%5Cfoo.bar:[email protected]

Then:

  • in normalizePath.js the call to url.parse(...).pathname returns null
  • and depending on whether normalizePath is an array or not, the following code crashes either
    • in UrlValueParser:
      TypeError: Cannot read properties of null (reading 'split')
          at UrlValueParser.getPathChunks (/.../node_modules/url-value-parser/src/UrlValueParser.js:13:8)
      
    • or already in normalizePath.js:
      TypeError: Cannot read properties of null (reading 'replace')
          at module.exports [as normalizePath] (/.../node_modules/express-prom-bundle/src/normalizePath.js:23:19)
      

This makes it trivial to crash an Express instance that uses express-prom-bundle with includePath with a specifically crafted request.

Workaround for library users: set normalizePath to a custom function until this bug is fixed.

Easy fix: check if path is null before operating on it in normalizePath.js.

Proper fix: switch to the WHATWG URL API as url.parse has been deprecated for a while. This may be a breaking change in some edge cases. Or better yet, just use req.path which Express conveniently makes available.
