fix: return 404 with invalid URL ✌️ (#7902)

gioboa · web-flow · commit 1f50628e6aa0 · 2025-09-03T17:43:19.000+02:00
* docs: return 404 with new URL exception 🤙

* docs: return 404 with invalid URL ✌️

* docs: return 404 with invalid URL ✌️

* fix: fix up typo

* fix: fix up typo

* fix: fix up error response

* chore: add changeset
diff --git a/.changeset/petite-flies-pay.md b/.changeset/petite-flies-pay.md
@@ -0,0 +1,5 @@
+---
+'@builder.io/qwik-city': patch
+---
+
+FIX: return 404 with invalid URL.
diff --git a/packages/qwik-city/src/middleware/request-handler/user-response.ts b/packages/qwik-city/src/middleware/request-handler/user-response.ts
@@ -72,6 +72,18 @@ async function runNext(
   rebuildRouteInfo: RebuildRouteInfoInternal,
   resolve: (value: any) => void
 ) {
+  try {
+    const isValidURL = (url: URL) => new URL(url.pathname + url.search, url);
+    isValidURL(requestEv.originalUrl);
+  } catch {
+    const status = 404;
+    const message = 'Resource Not Found';
+    requestEv.status(status);
+    const html = getErrorHtml(status, message);
+    requestEv.html(status, html);
+    return new ServerError(status, message);
+  }
+
   let rewriteAttempt = 1;
 
   async function _runNext() {
diff --git a/packages/qwik/src/optimizer/src/plugins/image-size-server.ts b/packages/qwik/src/optimizer/src/plugins/image-size-server.ts
@@ -115,7 +115,14 @@ export const getImageSizeServer = (
       const fs: typeof import('fs') = await sys.dynamicImport('node:fs');
       const path: typeof import('path') = await sys.dynamicImport('node:path');
 
-      const url = new URL(req.url!, 'http://localhost:3000/');
+      let url;
+      try {
+        url = new URL(req.url!, 'http://localhost:3000/');
+      } catch {
+        res.statusCode = 404;
+        res.end();
+        return;
+      }
       if (req.method === 'GET' && url.pathname === '/__image_info') {
         const imageURL = url.searchParams.get('url');
         res.setHeader('content-type', 'application/json');
diff --git a/starters/dev-server.ts b/starters/dev-server.ts
@@ -60,7 +60,13 @@ Error.stackTraceLimit = 1000;
 const cache = new Map<string, Promise<QwikManifest>>();
 async function handleApp(req: Request, res: Response, next: NextFunction) {
   try {
-    const url = new URL(req.url, address);
+    let url;
+    try {
+      url = new URL(req.url, address);
+    } catch {
+      res.status(404).send();
+      return;
+    }
     if (existsSync(url.pathname)) {
       const relPath = relative(startersAppsDir, url.pathname);
       if (!relPath.startsWith(".")) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@builder.io/qwik-city': patch
 +---
++
 +FIX: return 404 with invalid URL.