fix: server crash by SyntaxError from express JSON parser

mariayord · mariayord · commit d6af0ccbb97f · 2025-10-16T14:57:00.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Sanitization of logged queries, when running in production, if literal values contain parentheses
 - Read GraphiQL HTML file only once on startup, and only if GraphiQL is enabled, to avoid unnecessary file system access
+- Server crash by SyntaxError from express JSON parser
 
 ### Removed
 
diff --git a/lib/logger.js b/lib/logger.js
@@ -8,9 +8,20 @@ const LOG = cds.log('graphql')
 const { parse, visit, Kind, print } = require('graphql')
 
 const _isEmptyObject = o => Object.keys(o).length === 0
+class InvalidJSON extends Error {}
+InvalidJSON.prototype.name = 'Invalid JSON body'
+InvalidJSON.prototype.status = 400
 
-router.use(express.json({ ...cds.env.server.body_parser })) //> required by logger below
-
+router.use(function jsonBodyParser(req, res, next) {
+  express.json({ ...cds.env.server.body_parser }) (req, res, function http_body_parser_next(err) {
+    if (err) {  // Need to wrap, as a rethrow would crash the server
+      let e = new InvalidJSON(err.message)
+      return next(e)
+    }
+    next()
+  })
+})
+      
 router.use(function queryLogger(req, _, next) {
   let query = req.body?.query || (req.query.query && decodeURIComponent(req.query.query))
   // Only log requests that contain a query
diff --git a/test/tests/http.test.js b/test/tests/http.test.js
@@ -0,0 +1,32 @@
+const cds = require('@sap/cds')
+const path = require('path')
+const util = require('util')
+const { axios } = cds
+    .test('serve', 'srv/empty-service.cds')
+    .in(path.join(__dirname, '../resources/empty-csn-definitions'))
+const _format = e => util.formatWithOptions({ colors: false, depth: null }, ...(Array.isArray(e) ? e : [e]))
+
+let _error = []    
+
+describe('GraphQL express json parser error scenario', () => {
+  beforeEach(() => {
+    console.warn = (...s) => _error.push(s) // eslint-disable-line no-console
+  })
+
+  afterEach(() => {
+    _error = []
+  })
+  test('should trigger InvalidJSON for malformed JSON', async () => {
+    try {
+     response = await axios.request({
+          method: 'POST',
+          url: `/graphql`,
+          data: '{ some_value'
+    })
+    } catch (err) {
+       expect(err.status).toBe(400)
+       expect(err.response.data.error.message).toBe(`Unexpected token '"', ""{ some_value"" is not valid JSON`)
+       expect(_format(_error[0])).toContain('InvalidJSON')
+    }
+  })
+})
