Misuse of mount results in infinite loop when calling unregistered method

[carmo-evan]

When misusing Mount like so:

func main() {
	r := chi.NewRouter()
	mux := r.Group(func(r chi.Router) {
		r.Use(middleware.Logger)
		r.Group(func(r chi.Router) {
			r.Get("/products", printPath)
		})
		r.Mount("/", r)
	})
	if err := http.ListenAndServe(":3004", mux); err != nil {
		log.Fatal(err)
	}
}

func printPath(w http.ResponseWriter, r *http.Request) {
	log.Println(r.URL.Path)
}

Calling unregistered methods on the /products path (POST /products, PUT /products, etc) results in Chi entering an infinite loop. This could be used maliciously by an attacker. The expectation is that either this should still work as intended, or an error should be thrown.

[j1cs]

this happens to me too. there's any advice to avoid this?

[VojtechVitek]

remove r.Mount("/", r) - it's mounting the very same router on top of itself, thus entering the infinite loop

[VojtechVitek]

technically, we could check for pointer equality in the Mount() method and panic()

thoughts?

[pkieltyka]

I don’t think we should do anything.. you can write an infinite loop in Go easily too

[j1cs]

I added a prefix like /v1and the loop stopped.