fix(ext/fetch): Guard against invalid URL before its used by reqwest (#17164)

2024-11-21 15:04:11 -05:00 · 2022-12-23 17:39:14 +01:00 · 2022-12-23 17:39:14 +01:00 · 2a61b5fdd4
commit 2a61b5fdd4
parent e58cdbcb4b
2 changed files with 20 additions and 1 deletions
--- a/cli/tests/unit/fetch_test.ts
+++ b/cli/tests/unit/fetch_test.ts
@ -93,6 +93,19 @@ Deno.test(
  },
 );

+Deno.test(
+  { permissions: { net: true } },
+  async function fetchMalformedUriError() {
+    await assertRejects(
+      async () => {
+        const url = new URL("http://{{google/");
+        await fetch(url);
+      },
+      TypeError,
+    );
+  },
+);
+
 Deno.test({ permissions: { net: true } }, async function fetchJsonSuccess() {
  const response = await fetch("http://localhost:4545/assets/fixture.json");
  const json = await response.json();
--- a/ext/fetch/lib.rs
+++ b/ext/fetch/lib.rs
@ -31,7 +31,7 @@ use deno_core::ResourceId;
 use deno_core::ZeroCopyBuf;
 use deno_tls::rustls::RootCertStore;
 use deno_tls::Proxy;
-use http::header::CONTENT_LENGTH;
+use http::{header::CONTENT_LENGTH, Uri};
 use reqwest::header::HeaderMap;
 use reqwest::header::HeaderName;
 use reqwest::header::HeaderValue;
@ -252,6 +252,12 @@ where
      let permissions = state.borrow_mut::<FP>();
      permissions.check_net_url(&url, "fetch()")?;

+      // Make sure that we have a valid URI early, as reqwest's `RequestBuilder::send`
+      // internally uses `expect_uri`, which panics instead of returning a usable `Result`.
+      if url.as_str().parse::<Uri>().is_err() {
+        return Err(type_error("Invalid URL"));
+      }
+
      let mut request = client.request(method.clone(), url);

      let request_body_rid = if has_body {