Fix malformed UTF-8 sequences causing router crashes (#56562)

heiskr · web-flow · commit de4b5d61388e · 2025-07-11T16:28:07.000Z
diff --git a/src/shielding/middleware/handle-malformed-urls.ts b/src/shielding/middleware/handle-malformed-urls.ts
@@ -0,0 +1,31 @@
+import type { Response, NextFunction } from 'express'
+
+import { defaultCacheControl } from '@/frame/middleware/cache-control'
+import { ExtendedRequest } from '@/types'
+
+/**
+ * Middleware to handle malformed UTF-8 sequences in URLs that cause
+ * decodeURIComponent to fail. This prevents crashes from malicious
+ * requests containing invalid URL-encoded sequences like %FF.
+ */
+export default function handleMalformedUrls(
+  req: ExtendedRequest,
+  res: Response,
+  next: NextFunction,
+) {
+  // Check URL for malformed UTF-8 sequences
+  // Express/router doesn't catch these during initial parsing - they cause
+  // crashes later when decodeURIComponent is called at the router level
+  const url = req.originalUrl || req.url
+  try {
+    decodeURIComponent(url)
+  } catch {
+    // If any decoding fails, this is a malformed URL
+    defaultCacheControl(res)
+    res.setHeader('content-type', 'text/plain')
+    res.status(400).send('Bad Request: Malformed URL')
+    return
+  }
+
+  return next()
+}
diff --git a/src/shielding/middleware/index.ts b/src/shielding/middleware/index.ts
@@ -1,5 +1,6 @@
 import express from 'express'
 
+import handleMalformedUrls from './handle-malformed-urls'
 import handleInvalidQuerystrings from './handle-invalid-query-strings'
 import handleInvalidPaths from './handle-invalid-paths'
 import handleOldNextDataPaths from './handle-old-next-data-paths'
@@ -9,6 +10,7 @@ import handleInvalidHeaders from './handle-invalid-headers'
 
 const router = express.Router()
 
+router.use(handleMalformedUrls)
 router.use(handleInvalidQuerystrings)
 router.use(handleInvalidPaths)
 router.use(handleOldNextDataPaths)
diff --git a/src/shielding/tests/malformed-urls.ts b/src/shielding/tests/malformed-urls.ts
@@ -0,0 +1,72 @@
+import { describe, expect, test } from 'vitest'
+import { get } from '@/tests/helpers/e2etest'
+
+describe('malformed URLs', () => {
+  test('blocks URLs with %FF sequences', async () => {
+    const res = await get('/en/site-policy/other-site-policies/github-account-%FFqrlkuciqll-policy')
+
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['content-type']).toMatch('text/plain')
+    expect(res.body).toBe('Bad Request: Malformed URL')
+  })
+
+  test('blocks URLs with %FE sequences', async () => {
+    const res = await get('/en/some-page-%FE-test')
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['content-type']).toMatch('text/plain')
+    expect(res.body).toBe('Bad Request: Malformed URL')
+  })
+
+  test('blocks URLs with overlong encoding %C0%80', async () => {
+    const res = await get('/en/test-%C0%80-page')
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['content-type']).toMatch('text/plain')
+    expect(res.body).toBe('Bad Request: Malformed URL')
+  })
+
+  test('blocks URLs with invalid UTF-8 continuation sequences', async () => {
+    const res = await get('/en/test-%80%80-page')
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['content-type']).toMatch('text/plain')
+    expect(res.body).toBe('Bad Request: Malformed URL')
+  })
+
+  test('allows URLs with control characters (valid UTF-8)', async () => {
+    const res = await get('/en/test-%01-page')
+    expect(res.statusCode).toBe(404) // Should be 404 since page doesn't exist, not 400
+    // Control characters like %01 are valid UTF-8 and don't cause decoding errors
+  })
+
+  test('allows valid URLs with proper encoding', async () => {
+    const res = await get('/en/get-started')
+    expect(res.statusCode).not.toBe(400)
+    // Should not be blocked by malformed URL middleware
+  })
+
+  test('allows valid URLs with proper percent encoding', async () => {
+    const res = await get('/en/search?q=test%20query')
+    expect(res.statusCode).not.toBe(400)
+    // Should not be blocked by malformed URL middleware
+  })
+
+  test('blocks malformed query parameters', async () => {
+    // This is caught by checking originalUrl which contains the raw, unparsed URL
+    const res = await get('/en/search?q=test%FF')
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['content-type']).toMatch('text/plain')
+    expect(res.body).toBe('Bad Request: Malformed URL')
+  })
+
+  test('properly caches malformed URL responses', async () => {
+    const res = await get('/en/malformed-%FF-url')
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['cache-control']).toBeDefined()
+  })
+
+  test('handles multiple malformed sequences', async () => {
+    const res = await get('/en/test-%FF%FE%80-page')
+    expect(res.statusCode).toBe(400)
+    expect(res.headers['content-type']).toMatch('text/plain')
+    expect(res.body).toBe('Bad Request: Malformed URL')
+  })
+})
