fix(server,contract): harden getRouter against primitive traversal

jameskranz · claude · jameskranz · commit 92b7eabb8388 · 2026-04-08T09:45:13.000-07:00
- Add typeof guard to getRouter and getContractRouter, mirroring the
  pattern used by enhance/minify/populate/unlazy in this PR. Without
  it, traversal walks character indices ('v'[0] === 'v') and returns
  garbage instead of undefined.
- Replace inferred-union test bindings with precise type casts so
  property assertions are statically checked instead of any-cast.
- Add primitive-traversal coverage for getRouter / getContractRouter.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/contract/src/router-utils.test.ts b/packages/contract/src/router-utils.test.ts
@@ -1,3 +1,4 @@
+import type { AnyContractProcedure } from './procedure'
 import { inputSchema, outputSchema, ping, pong, router } from '../tests/shared'
 import { oc } from './builder'
 import { isContractProcedure } from './procedure'
@@ -97,7 +98,13 @@ describe('contract modules that export primitives alongside procedures', () => {
     const options = { errorMap: {}, prefix: '/api', tags: ['api'] } as const
 
     it('enhances procedures and passes through primitive exports', () => {
-      const enhanced = enhanceContractRouter(moduleWithPrimitives, options)
+      const enhanced = enhanceContractRouter(moduleWithPrimitives, options) as {
+        getUser: AnyContractProcedure
+        listUsers: AnyContractProcedure
+        API_VERSION: string
+        MAX_PAGE_SIZE: number
+        ENABLE_CACHE: boolean
+      }
       expect(isContractProcedure(enhanced.getUser)).toBe(true)
       expect(isContractProcedure(enhanced.listUsers)).toBe(true)
       expect(enhanced.API_VERSION).toBe('v2')
@@ -137,7 +144,13 @@ describe('contract modules that export primitives alongside procedures', () => {
         MAX_PAGE_SIZE: 100,
         ENABLE_CACHE: true,
       } as any
-      const populated = populateContractRouterPaths(moduleForPaths)
+      const populated = populateContractRouterPaths(moduleForPaths) as {
+        getUser: AnyContractProcedure
+        listUsers: AnyContractProcedure
+        API_VERSION: string
+        MAX_PAGE_SIZE: number
+        ENABLE_CACHE: boolean
+      }
       expect(isContractProcedure(populated.getUser)).toBe(true)
       expect(populated.getUser['~orpc'].route.path).toBe('/getUser')
       expect(isContractProcedure(populated.listUsers)).toBe(true)
@@ -151,6 +164,22 @@ describe('contract modules that export primitives alongside procedures', () => {
       expect(() => populateContractRouterPaths(moduleWithFlag)).not.toThrow()
     })
   })
+
+  describe('getContractRouter', () => {
+    it('returns undefined when path traverses past a primitive export', () => {
+      expect(getContractRouter(moduleWithPrimitives, ['API_VERSION', 'length'])).toBeUndefined()
+      expect(getContractRouter(moduleWithPrimitives, ['MAX_PAGE_SIZE', 'toFixed'])).toBeUndefined()
+      expect(getContractRouter(moduleWithPrimitives, ['ENABLE_CACHE', 'valueOf'])).toBeUndefined()
+    })
+
+    it('returns undefined for single-character string exports instead of indexed characters', () => {
+      // Without the typeof guard, getContractRouter(['v', '0']) returns 'v'
+      // because 'v'[0] === 'v', walking character indices instead of bailing out.
+      const moduleWithFlag = { getUser: ping, v: 'v' } as any
+      expect(getContractRouter(moduleWithFlag, ['v', '0'])).toBeUndefined()
+      expect(getContractRouter(moduleWithFlag, ['v', '0', '0', '0'])).toBeUndefined()
+    })
+  })
 })
 
 it('populateContractRouterPaths', () => {
diff --git a/packages/contract/src/router-utils.ts b/packages/contract/src/router-utils.ts
@@ -22,6 +22,10 @@ export function getContractRouter(router: AnyContractRouter, path: readonly stri
       return undefined
     }
 
+    if (typeof current !== 'object') {
+      return undefined
+    }
+
     current = current[segment]
   }
 
diff --git a/packages/server/src/router-utils.test.ts b/packages/server/src/router-utils.test.ts
@@ -1,3 +1,4 @@
+import type { AnyProcedure } from './procedure'
 import { enhanceRoute } from '@orpc/contract'
 import { contract, ping, pingMiddleware, pong, router } from '../tests/shared'
 import { getLazyMeta, isLazy, unlazy } from './lazy'
@@ -250,7 +251,13 @@ describe('router modules that export primitives alongside procedures', () => {
 
   describe('enhanceRouter', () => {
     it('enhances procedures and passes through primitive exports', () => {
-      const enhanced = enhanceRouter(moduleWithPrimitives, defaultOptions)
+      const enhanced = enhanceRouter(moduleWithPrimitives, defaultOptions) as {
+        getUser: AnyProcedure
+        listUsers: AnyProcedure
+        API_VERSION: string
+        MAX_PAGE_SIZE: number
+        ENABLE_CACHE: boolean
+      }
       expect(enhanced.getUser['~orpc']).toBeDefined()
       expect(enhanced.listUsers['~orpc']).toBeDefined()
       expect(enhanced.API_VERSION).toBe('v2')
@@ -266,6 +273,22 @@ describe('router modules that export primitives alongside procedures', () => {
     })
   })
 
+  describe('getRouter', () => {
+    it('returns undefined when path traverses past a primitive export', () => {
+      expect(getRouter(moduleWithPrimitives, ['API_VERSION', 'length'])).toBeUndefined()
+      expect(getRouter(moduleWithPrimitives, ['MAX_PAGE_SIZE', 'toFixed'])).toBeUndefined()
+      expect(getRouter(moduleWithPrimitives, ['ENABLE_CACHE', 'valueOf'])).toBeUndefined()
+    })
+
+    it('returns undefined for single-character string exports instead of indexed characters', () => {
+      // Without the typeof guard, getRouter(['v', '0']) returns 'v' because
+      // 'v'[0] === 'v', walking character indices instead of bailing out.
+      const moduleWithFlag = { getUser: pong, v: 'v' } as any
+      expect(getRouter(moduleWithFlag, ['v', '0'])).toBeUndefined()
+      expect(getRouter(moduleWithFlag, ['v', '0', '0', '0'])).toBeUndefined()
+    })
+  })
+
   describe('traverseContractProcedures', () => {
     it('traverses procedures and skips primitive exports', () => {
       // null/undefined are excluded here because getHiddenRouterContract
diff --git a/packages/server/src/router-utils.ts b/packages/server/src/router-utils.ts
@@ -27,6 +27,10 @@ export function getRouter<T extends Lazyable<AnyRouter | undefined>>(
       return undefined as any
     }
 
+    if (typeof current !== 'object') {
+      return undefined as any
+    }
+
     if (!isLazy(current)) {
       current = current[segment]
 

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,10 @@ export function getContractRouter(router: AnyContractRouter, path: readonly stri`
`22`	`22`	`return undefined`
`23`	`23`	`}`
`24`	`24`
	`25`	`+ if (typeof current !== 'object') {`
	`26`	`+ return undefined`
	`27`	`+ }`
	`28`	`+`
`25`	`29`	`current = current[segment]`
`26`	`30`	`}`
`27`	`31`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,10 @@ export function getRouter<T extends Lazyable<AnyRouter \| undefined>>(`
`27`	`27`	`return undefined as any`
`28`	`28`	`}`
`29`	`29`
	`30`	`+ if (typeof current !== 'object') {`
	`31`	`+ return undefined as any`
	`32`	`+ }`
	`33`	`+`
`30`	`34`	`if (!isLazy(current)) {`
`31`	`35`	`current = current[segment]`
`32`	`36`