[PR #107] [MERGED] fix: handle malformed percent-encoded URLs gracefully #316

Closed
opened 2026-05-06 12:39:09 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/107
Author: @threepointone
Created: 2/26/2026
Status: Merged
Merged: 2/26/2026
Merged by: @threepointone

Base: main ← Head: fix/malformed-percent-encoding-dos


📝 Commits (1)

  • c02ae12 fix: handle malformed percent-encoded URLs gracefully

📊 Changes

8 files changed (+159 additions, -8 deletions)

📝 packages/vinext/src/index.ts (+15 -3)
📝 packages/vinext/src/server/app-dev-server.ts (+5 -1)
📝 packages/vinext/src/server/app-router-entry.ts (+7 -1)
📝 packages/vinext/src/server/middleware.ts (+8 -1)
📝 packages/vinext/src/server/prod-server.ts (+18 -2)
📝 tests/app-router.test.ts (+47 -0)
📝 tests/features.test.ts (+45 -0)
📝 tests/pages-router.test.ts (+14 -0)

📄 Description

Problem

decodeURIComponent() on attacker-controlled request paths throws URIError: URI malformed for invalid percent sequences (e.g. /%E0%A4%A). When this happens outside a try/catch in a request handler, the uncaught exception terminates the Node process — a single malformed request causes full service outage.

Fix

Wrap all decodeURIComponent calls on user-controlled input in try/catch across every server entry point. On decode failure, return 400 Bad Request and continue serving.

Files changed

| File | Fix |
|------|-----|
| prod-server.ts | App Router + Pages Router request handlers |
| app-router-entry.ts | Cloudflare Worker entry |
| app-dev-server.ts | Generated RSC entry handler |
| index.ts | Dev server connect middleware, generated middleware runner, NEXT_LOCALE cookie parser |
| middleware.ts | Pages Router dev middleware runner |

Tests

11 regression tests added across three test files:

  • app-router.test.ts — App Router prod server + dev server (5 tests)
  • pages-router.test.ts — Pages Router prod server (2 tests)
  • features.test.ts — Pages Router dev server (4 tests)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
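
The failure mode and the fix described above, as an added example that is not taken from the PR or from vinext's code. The handler names and the `serve` loop are hypothetical; `serve` stands in for a server process, treating an exception that escapes the handler as the end of the run.

```javascript
// Added example, not vinext code; all names here are hypothetical.

// Decode that reports failure as null and only swallows URIError.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err; // anything else is a real bug, do not hide it
  }
}

// "Before": decode outside any try/catch, so malformed input throws.
function unguardedHandler(rawUrl) {
  const pathname = decodeURIComponent(rawUrl.split("?")[0]);
  return { status: 200, body: `route ${pathname}` };
}

// "After": a decode failure becomes a 400 and the handler returns normally.
function guardedHandler(rawUrl) {
  const pathname = safeDecode(rawUrl.split("?")[0]);
  if (pathname === null) return { status: 400, body: "Bad Request" };
  return { status: 200, body: `route ${pathname}` };
}

// Stand-in for a server loop: an exception escaping the handler ends the
// run, the way an uncaught exception ends the process.
function serve(handler, requests) {
  const statuses = [];
  for (const rawUrl of requests) {
    try {
      statuses.push(handler(rawUrl).status);
    } catch (err) {
      return { crashed: err.name, statuses };
    }
  }
  return { crashed: null, statuses };
}

// Constructed request targets; "/%E0%A4%A" is the PR's own example.
const requests = ["/blog/hello%20world", "/%E0%A4%A", "/100%", "/%C0%AF", "/about"];

console.log(serve(unguardedHandler, requests));
console.log(serve(guardedHandler, requests));
```

With the unguarded handler the run stops at the second request and `/about` is never served; with the guarded handler every request gets a response. `/%C0%AF` is included because well-formed escapes that decode to invalid UTF-8 throw the same `URIError`.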

Reference
starred/vinext#316