fix: handle malformed URIs in prerequests (#28522)

cypress-io · Dec 14, 2023 · c9062f1 · c9062f1 · cypress-bot · Dec 14, 2023
1 parent 7bcb074
commit c9062f1
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 4 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -19,7 +19,7 @@
     "json"
   ],
   "editor.codeActionsOnSave": {
-    "source.fixAll.eslint": true
+    "source.fixAll.eslint": "explicit"
   },
   "typescript.tsdk": "node_modules/typescript/lib",
 

diff --git a/cli/CHANGELOG.md b/cli/CHANGELOG.md
@@ -5,6 +5,7 @@ _Released 12/19/2023 (PENDING)_
 
 **Bugfixes:**
 
+- Fixed a regression in [`13.6.1`](https://docs.cypress.io/guides/references/changelog/13.6.1) where a malformed URI would crash Cypress. Fixes [#28521](https://github.com/cypress-io/cypress/issues/28521).
 - Fixed a regression in [`12.4.0`](https://docs.cypress.io/guides/references/changelog/12.4.0) where erroneous `<br>` tags were displaying in error messages in the Command Log making them less readable. Fixes [#28452](https://github.com/cypress-io/cypress/issues/28452).
 
 ## 13.6.1

diff --git a/packages/proxy/lib/http/util/prerequests.ts b/packages/proxy/lib/http/util/prerequests.ts
@@ -94,6 +94,16 @@ class QueueMap<T> {
   }
 }
 
+const tryDecodeURI = (url: string) => {
+  // decodeURI can throw if the url is malformed
+  // in this case, we just return the original url
+  try {
+    return decodeURI(url)
+  } catch (e) {
+    return url
+  }
+}
+
 // This class' purpose is to match up incoming "requests" (requests from the browser received by the http proxy)
 // with "pre-requests" (events received by our browser extension indicating that the browser is about to make a request).
 // Because these come from different sources, they can be out of sync, arriving in either order.
@@ -148,7 +158,7 @@ export class PreRequests {
 
   addPending (browserPreRequest: BrowserPreRequest) {
     metrics.browserPreRequestsReceived++
-    const key = `${browserPreRequest.method}-${decodeURI(browserPreRequest.url)}`
+    const key = `${browserPreRequest.method}-${tryDecodeURI(browserPreRequest.url)}`
     const pendingRequest = this.pendingRequests.shift(key)
 
     if (pendingRequest) {
@@ -193,7 +203,7 @@ export class PreRequests {
   }
 
   addPendingUrlWithoutPreRequest (url: string) {
-    const key = `GET-${decodeURI(url)}`
+    const key = `GET-${tryDecodeURI(url)}`
     const pendingRequest = this.pendingRequests.shift(key)
 
     if (pendingRequest) {
@@ -236,7 +246,7 @@ export class PreRequests {
     const proxyRequestReceivedTimestamp = performance.now() + performance.timeOrigin
 
     metrics.proxyRequestsReceived++
-    const key = `${req.method}-${decodeURI(req.proxiedUrl)}`
+    const key = `${req.method}-${tryDecodeURI(req.proxiedUrl)}`
     const pendingPreRequest = this.pendingPreRequests.shift(key)
 
     if (pendingPreRequest) {

diff --git a/packages/server/test/integration/http_requests_spec.js b/packages/server/test/integration/http_requests_spec.js
@@ -1230,6 +1230,35 @@ describe('Routes', () => {
           expect(res.body).to.include('hello from bar!')
         })
       })
+
+      it('handles malformed URIs', function () {
+        this.timeout(1500)
+
+        nock(this.server.remoteStates.current().origin)
+        .get('/?foo=%A4')
+        .reply(200, 'hello from bar!', {
+          'Content-Type': 'text/html',
+        })
+
+        const requestPromise = this.rp({
+          url: 'http://www.github.com/?foo=%A4',
+          headers: {
+            'Accept-Encoding': 'identity',
+          },
+        })
+
+        this.networkProxy.addPendingBrowserPreRequest({
+          requestId: '1',
+          method: 'GET',
+          url: 'http://www.github.com/?foo=%A4',
+        })
+
+        return requestPromise.then((res) => {
+          expect(res.statusCode).to.eq(200)
+
+          expect(res.body).to.include('hello from bar!')
+        })
+      })
     })
 
     context('gzip', () => {