From 2a61b5fdd444c4b6f47f0e0bfbafe0bd26789d68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamil=20Og=C3=B3rek?= Date: Fri, 23 Dec 2022 17:39:14 +0100 Subject: [PATCH] fix(ext/fetch): Guard against invalid URL before its used by reqwest (#17164) --- cli/tests/unit/fetch_test.ts | 13 +++++++++++++ ext/fetch/lib.rs | 8 +++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/cli/tests/unit/fetch_test.ts b/cli/tests/unit/fetch_test.ts index b755e8ec93..500891e08c 100644 --- a/cli/tests/unit/fetch_test.ts +++ b/cli/tests/unit/fetch_test.ts @@ -93,6 +93,19 @@ Deno.test( }, ); +Deno.test( + { permissions: { net: true } }, + async function fetchMalformedUriError() { + await assertRejects( + async () => { + const url = new URL("http://{{google/"); + await fetch(url); + }, + TypeError, + ); + }, +); + Deno.test({ permissions: { net: true } }, async function fetchJsonSuccess() { const response = await fetch("http://localhost:4545/assets/fixture.json"); const json = await response.json(); diff --git a/ext/fetch/lib.rs b/ext/fetch/lib.rs index c19336e7de..ac71e2a3da 100644 --- a/ext/fetch/lib.rs +++ b/ext/fetch/lib.rs @@ -31,7 +31,7 @@ use deno_core::ResourceId; use deno_core::ZeroCopyBuf; use deno_tls::rustls::RootCertStore; use deno_tls::Proxy; -use http::header::CONTENT_LENGTH; +use http::{header::CONTENT_LENGTH, Uri}; use reqwest::header::HeaderMap; use reqwest::header::HeaderName; use reqwest::header::HeaderValue; @@ -252,6 +252,12 @@ where let permissions = state.borrow_mut::(); permissions.check_net_url(&url, "fetch()")?; + // Make sure that we have a valid URI early, as reqwest's `RequestBuilder::send` + // internally uses `expect_uri`, which panics instead of returning a usable `Result`. + if url.as_str().parse::().is_err() { + return Err(type_error("Invalid URL")); + } + let mut request = client.request(method.clone(), url); let request_body_rid = if has_body {