From b3220fe3221fed0861be4f18c5cd9354c9e317bf Mon Sep 17 00:00:00 2001
From: Shu Ding
Date: Wed, 8 Mar 2023 22:16:42 +0100
Subject: [PATCH] Validate `req.url` in renderer (#46923)
It's possible that the request is missing or having an invalid URL, and got passed to the renderer. Fixes NEXT-139.
---
 packages/next/src/server/app-render.tsx | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/packages/next/src/server/app-render.tsx b/packages/next/src/server/app-render.tsx
index cbfab2f33aa3e..4b9e53e594bb3 100644
--- a/packages/next/src/server/app-render.tsx
+++ b/packages/next/src/server/app-render.tsx
@@ -740,6 +740,18 @@ async function renderToString(element: React.ReactElement) {
 })
 }
+function validateURL(url: string | undefined): string {
+ if (!url) {
+ throw new Error('Invalid request URL')
+ }
+ try {
+ new URL(url, 'http://n')
+ return url
+ } catch {
+ throw new Error('Invalid request URL')
+ }
+}
+
 export async function renderToHTMLOrFlight(
 req: IncomingMessage,
 res: ServerResponse,
@@ -1750,8 +1762,7 @@ export async function renderToHTMLOrFlight(
 Uint8Array
 > = new TransformStream()
- // TODO-APP: validate req.url as it gets passed to render.
- const initialCanonicalUrl = req.url!
+ const initialCanonicalUrl = validateURL(req.url)
 // Get the nonce from the incoming request if it has one.
 const csp = req.headers['content-security-policy']
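Review bot: `validateURL` (first hunk) accepts any string the URL parser can resolve against `http://n`, which includes absolute and protocol-relative request targets (for example a value beginning with `//`), and it returns the raw string unchanged, so `initialCanonicalUrl` can still name a different origin. How that value is consumed is outside this hunk, but if it reaches router state or rendered output it should be constrained to the request's own origin. Keeping the parsed result and comparing origins would tighten this: `const parsed = new URL(url, 'http://n')` followed by `if (parsed.origin !== 'http://n') throw new Error('Invalid request URL')`. A one-line comment stating what the function guarantees (parseable only, or same-origin once tightened) would also help the next reader.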
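Review bot: The call `validateURL(req.url)` (second hunk) sits deep inside `renderToHTMLOrFlight`, after the `TransformStream` has been created, so a malformed request target now surfaces as a bare `Error` thrown mid-render. Nothing visible in this hunk maps that error to a client error, so it may be answered as a 500 and logged as a server fault, which makes malformed-request noise harder to separate from real failures in monitoring. Consider validating at the top of the function and marking the response before throwing, e.g. `res.statusCode = 400`, or throwing a dedicated error type the caller can recognise. The function body starts and ends outside the hunk, so existing handling there should be checked first.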