fix: return 400 for requests with malformed percent-encoded URIs

thetutlage · thetutlage · commit e96808e1e94f · 2026-04-07T10:29:03.000+05:30
Catch URIError thrown by decodeURI() when the request URL contains invalid UTF-8 sequences (e.g. %C0%80) and respond with 400 instead of crashing the server. Expose a configurable onBadUrl callback for custom handling. Closes #118
diff --git a/src/define_config.ts b/src/define_config.ts
@@ -64,6 +64,10 @@ export function defineConfig(config: UserDefinedServerConfig): ServerConfig {
       secure: true,
       sameSite: 'lax' as const,
     },
+    onBadUrl(_req, res) {
+      res.writeHead(400, { 'Content-Type': 'text/plain' })
+      res.end('Bad Request')
+    },
     qs: {
       parse: {
         depth: 5,
diff --git a/src/server/main.ts b/src/server/main.ts
@@ -427,6 +427,22 @@ export class Server {
    * @returns Promise that resolves when request processing is complete
    */
   handle(req: IncomingMessage, res: ServerResponse) {
+    /**
+     * Reject requests with malformed URIs (e.g. invalid UTF-8
+     * percent-encoded sequences like %C0%80) before they
+     * enter the middleware pipeline.
+     */
+    let request: HttpRequest
+    try {
+      request = this.createRequest(req, res)
+    } catch (error) {
+      if (error instanceof URIError) {
+        this.#config.onBadUrl(req, res)
+        return
+      }
+      throw error
+    }
+
     /**
      * Setup for the "http:request_finished" event
      */
@@ -437,11 +453,7 @@ export class Server {
      * Creating essential instances
      */
     const resolver = this.#app.container.createResolver()
-    const ctx = this.createHttpContext(
-      this.createRequest(req, res),
-      this.createResponse(req, res),
-      resolver
-    )
+    const ctx = this.createHttpContext(request, this.createResponse(req, res), resolver)
 
     /**
      * Emit event when listening for the request_finished event
diff --git a/src/types/server.ts b/src/types/server.ts
@@ -7,6 +7,7 @@
  * file that was distributed with this source code.
  */
 
+import type { IncomingMessage, ServerResponse } from 'node:http'
 import type { Constructor } from '@poppinss/utils/types'
 import type { ErrorHandler, FinalHandler } from '@poppinss/middleware/types'
 
@@ -140,4 +141,14 @@ export type ServerConfig = RequestConfig &
      * @default 0 (as per Node.js defaults)
      */
     timeout?: number
+
+    /**
+     * A callback invoked when the request URI contains malformed
+     * percent-encoded sequences (e.g. `%C0%80`). The callback
+     * receives the raw Node.js request and response objects and
+     * is responsible for sending a response.
+     *
+     * Defaults to a plain-text `400 Bad Request` response.
+     */
+    onBadUrl: (req: IncomingMessage, res: ServerResponse) => void
   }
diff --git a/tests/safe_decode_uri.spec.ts b/tests/safe_decode_uri.spec.ts
@@ -44,6 +44,10 @@ test.group('Safe decode URI', () => {
     })
   })
 
+  test('throw URIError on malformed UTF-8 sequences', ({ assert }) => {
+    assert.throws(() => safeDecodeURI('/%C0%80', false), 'URI malformed')
+  })
+
   test('decode URI and parse query string params', ({ assert }) => {
     const { pathname, query } = safeDecodeURI(
       '/a/b/fran%C3%A7ais?a=b&c[0]=1&foo=fran%C3%A7ais',
diff --git a/tests/server.spec.ts b/tests/server.spec.ts
@@ -408,6 +408,48 @@ test.group('Server | Response handling', () => {
       slug: 'he/llo',
     })
   })
+
+  test('respond with 400 when request URI contains malformed UTF-8 sequences', async ({
+    assert,
+  }) => {
+    const app = new AppFactory().create(BASE_URL, () => {})
+    const server = new ServerFactory().merge({ app }).create()
+    const httpServer = createServer(server.handle.bind(server))
+
+    await app.init()
+
+    server.use([])
+    server.getRouter().get('/*', async () => 'handled')
+    await server.boot()
+
+    const { text } = await supertest(httpServer).get('/%C0%80').expect(400)
+    assert.equal(text, 'Bad Request')
+  })
+
+  test('invoke onBadUrl callback when defined and request URI is malformed', async ({ assert }) => {
+    const app = new AppFactory().create(BASE_URL, () => {})
+    const server = new ServerFactory()
+      .merge({
+        app,
+        config: {
+          onBadUrl(_req, res) {
+            res.writeHead(400, { 'Content-Type': 'application/json' })
+            res.end(JSON.stringify({ error: 'Invalid URL' }))
+          },
+        },
+      })
+      .create()
+    const httpServer = createServer(server.handle.bind(server))
+
+    await app.init()
+
+    server.use([])
+    server.getRouter().get('/*', async () => 'handled')
+    await server.boot()
+
+    const { body } = await supertest(httpServer).get('/%C0%80').expect(400)
+    assert.deepEqual(body, { error: 'Invalid URL' })
+  })
 })
 
 test.group('Server | middleware', () => {
