Validate req.url in renderer (#46923)

It's possible that the request is missing or having an invalid URL, and got passed to the renderer. Fixes NEXT-139.
vercel · Mar 8, 2023 · b3220fe · b3220fe
1 parent 02eb34d
commit b3220fe
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/packages/next/src/server/app-render.tsx b/packages/next/src/server/app-render.tsx
@@ -740,6 +740,18 @@ async function renderToString(element: React.ReactElement) {
   })
 }
 
+function validateURL(url: string | undefined): string {
+  if (!url) {
+    throw new Error('Invalid request URL')
+  }
+  try {
+    new URL(url, 'http://n')
+    return url
+  } catch {
+    throw new Error('Invalid request URL')
+  }
+}
+
 export async function renderToHTMLOrFlight(
   req: IncomingMessage,
   res: ServerResponse,
@@ -1750,8 +1762,7 @@ export async function renderToHTMLOrFlight(
       Uint8Array
     > = new TransformStream()
 
-    // TODO-APP: validate req.url as it gets passed to render.
-    const initialCanonicalUrl = req.url!
+    const initialCanonicalUrl = validateURL(req.url)
 
     // Get the nonce from the incoming request if it has one.
     const csp = req.headers['content-security-policy']