Unknown routes with empty _data= leads to a error server instead 404

[raulfdm]

What version of Remix are you using?

1.13.0

Are all your remix dependencies & dev-dependencies using the same version?

• Yes

Steps to Reproduce

1. Access https://stackblitz.com/edit/remix-run-remix-9jjrvj?file=app/routes/index.tsx
2. Wait everything to be installed and the app up and running;
3. Once the app is ready, click on the item 2. It would be catch by CaughtBoundary root;
4. click to go back to home and click on the item 3

Expected Behavior

I'd expect that Remix won't throw a server error like this. Instead, somehow it should hit the CatchBoundary.

Actual Behavior

It throws the follow error:

{"message":"No route matches URL \"/asdasdasd\"","stack":"Error: No route matches URL \"/asdasdasd\"\n    at getInternalRouterError (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/@remix-run+router@1.3.2/node_modules/@remix-run/router/router.ts:3507:5)\n    at Object.queryRoute (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/@remix-run+router@1.3.2/node_modules/@remix-run/router/router.ts:2436:13)\n    at handleDataRequestRR (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/@remix-run+server-runtime@1.13.0/node_modules/@remix-run/server-runtime/dist/server.js:81:40)\n    at requestHandler (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/@remix-run+server-runtime@1.13.0/node_modules/@remix-run/server-runtime/dist/server.js:55:24)\n    at eval (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/@remix-run+express@1.13.0_express@4.18.2/node_modules/@remix-run/express/dist/server.js:39:28)\n    at eval (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/@remix-run+serve@1.13.0/node_modules/@remix-run/serve/dist/index.js:47:7)\n    at Layer.handle [as handle_request] (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/express@4.18.2/node_modules/express/lib/router/layer.js:95:5)\n    at next (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/express@4.18.2/node_modules/express/lib/router/route.js:144:13)\n    at next (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/express@4.18.2/node_modules/express/lib/router/route.js:140:7)\n    at next (/home/projects/remix-run-remix-9jjrvj/node_modules/.pnpm/express@4.18.2/node_modules/express/lib/router/route.js:140:7)"}

[raulfdm]

Just to point out, this was raised by the Security team of my company as a possible vulnerability. Phrasing them:

Basically it’s just an information disclosure vulnerability by the framework. On the early stages of an attack, a hacker will look for information that can help understand the target. If they can find the version number, then they can narrow the search for exploits, know what weaknesses might be there and even get a better picture of the overall security (e.g. if the version is very old, they’ll probably have old versions in the other services)

Also, I’m focusing on the version because that’s what the error trace shows, but it could get worse if the code changes and eventually shows more than that. Many services might even advertise the version in banners or with an API call, but showing showing it in an error seems like something they’ll want to fix

So, ideally, this kind of error would never throw/show to the client but proper handled by the root CatchBoundary (at least)

[machour]

For what it's worth, a possible mitigation in user land would be to define a catch-all (splat route):

app/routes/$.tsx

export async function loader() {
  return null;
}

export default function NotFound() {
  return <div>This page doesn't exist</div>;
}

[raulfdm]

thanks @machour. It seems like a valid workaround.

But to implement that I'll need to restructure my app. I had the decision to, in the root.tsx, wrap my <Outlet /> with an Component that renders a sidebar.

There, I have some routes mapped that it should render that side bar, but if I define a splat route like this, I lost the ability to hide it when it's 404. I'll try to come up with a better layout at least to solve this problem til someone from Remix Team give a heads up about this problem.

[brophdawg11]

It sounds like the real issue here was the exposing of the stack trace, which was a bug and fixed in 1.15.0 via #5541. those traces should have only ever come back in dev mode. On latest Remix you'll just get:

> curl http://localhost:3000/ascascasc?_data
{"message":"Unexpected Server Error"}

As for whether this should render a CatchBoundary, I don't think we want to do that since appropriate _data calls made by Remix are expected to return JSON and we need JSON so we can hand it off the the boundary.

It's only inappropriate _data calls such as this manual one which would most likely be made manually by a bad actor, and I don't think it matters what is shown in that use case, so long as we're not leaking stack traces.