fix(pipeline): reject invalid route paths from vendored JS files

Your Name · Your Name · commit 83af839cca8d · 2026-03-27T13:15:31.000-04:00
Vendored/minified JS files (tsc.js, typescript.js) inside non-JS repos
produce false positive routes when the Express route extractor matches
JS operators and keywords as route paths.

Add a validation filter that rejects:
- JS/TS operators: !, +, ++, -, --, :, ~
- JS/TS keywords: void, null, true, false, throw, this, typeof, etc.
- Single-character non-slash paths (*, ?, #)
- Paths with no alphanumeric or slash characters

Also trims leading/trailing whitespace before comparison to catch
'void ' and 'throw ' variants from minified source.

Tested: cube routes went from 42 (20 garbage) to 22 real routes.
diff --git a/src/pipeline/pass_httplinks.c b/src/pipeline/pass_httplinks.c
@@ -881,6 +881,64 @@ static int insert_route_nodes(cbm_pipeline_ctx_t *ctx, cbm_route_handler_t *rout
     for (int i = 0; i < route_count; i++) {
         cbm_route_handler_t *rh = &routes[i];
 
+        /* Reject obviously invalid route paths.
+         * Vendored/minified JS files (e.g. tsc.js, typescript.js) inside non-JS
+         * repos can produce false positives where JS operators/keywords get
+         * matched as route paths by the Express extractor. */
+        {
+            const char *p = rh->path;
+            /* Skip empty paths */
+            if (!p || !*p) continue;
+
+            /* Reject paths that are JS operators or keywords — not valid URL routes */
+            static const char *const invalid_paths[] = {
+                "!", "+", "++", "-", "--", ":", "~", "void", "null", "true",
+                "false", "throw", "this", "typeof", "delete", "new", "return",
+                "undefined", "NaN", "Infinity", "var", "let", "const",
+                "function", "class", "if", "else", "for", "while", "do",
+                "switch", "case", "break", "continue", "try", "catch",
+                "finally", "with", "in", "of", "yield", "await", "async",
+                "super", "import", "export", "default", "extends", "static",
+                "_this", "self", "__proto__", "arguments", "range",
+                NULL
+            };
+            bool rejected = false;
+            /* Work with a trimmed copy for comparison */
+            char trimmed[256];
+            /* Trim leading whitespace */
+            while (*p == ' ' || *p == '\t') p++;
+            strncpy(trimmed, p, sizeof(trimmed) - 1);
+            trimmed[sizeof(trimmed) - 1] = '\0';
+            /* Trim trailing whitespace */
+            size_t tlen = strlen(trimmed);
+            while (tlen > 0 && (trimmed[tlen - 1] == ' ' || trimmed[tlen - 1] == '\t' ||
+                                trimmed[tlen - 1] == '\n' || trimmed[tlen - 1] == '\r')) {
+                trimmed[--tlen] = '\0';
+            }
+            for (int k = 0; invalid_paths[k]; k++) {
+                if (strcmp(trimmed, invalid_paths[k]) == 0) {
+                    rejected = true;
+                    break;
+                }
+            }
+            if (rejected) continue;
+
+            /* Reject single-character non-slash paths (e.g. "*", "?", "#") */
+            if (p[0] && !p[1] && p[0] != '/') continue;
+
+            /* Reject paths that contain no alphanumeric or slash characters.
+             * Valid routes like "/api/v1" always have at least one alnum. */
+            bool has_alnum_or_slash = false;
+            for (const char *c = p; *c; c++) {
+                if ((*c >= 'a' && *c <= 'z') || (*c >= 'A' && *c <= 'Z') ||
+                    (*c >= '0' && *c <= '9') || *c == '/') {
+                    has_alnum_or_slash = true;
+                    break;
+                }
+            }
+            if (!has_alnum_or_slash) continue;
+        }
+
         /* Build Route QN and name */
         char normal_method[16];
         snprintf(normal_method, sizeof(normal_method), "%s", rh->method[0] ? rh->method : "ANY");
