astro 5.16.2 → 5.16.3

package/dist/actions/runtime/server.d.ts

@@ -6,19 +6,20 @@ export * from './shared.js';
 export type ActionAccept = 'form' | 'json';
 export type ActionHandler<TInputSchema, TOutput> = TInputSchema extends z.ZodType ? (input: z.infer<TInputSchema>, context: ActionAPIContext) => MaybePromise<TOutput> : (input: any, context: ActionAPIContext) => MaybePromise<TOutput>;
 export type ActionReturnType<T extends ActionHandler<any, any>> = Awaited<ReturnType<T>>;
-declare const inferSymbol: unique symbol;
+export type InferKey = '__internalInfer';
 /**
  * Infers the type of an action's input based on its Zod schema
  *
  * @see https://docs.astro.build/en/reference/modules/astro-actions/#actioninputschema
  */
 export type ActionInputSchema<T extends ActionClient<any, any, any>> = T extends {
-    [inferSymbol]: any;
-} ? T[typeof inferSymbol] : never;
+    [key in InferKey]: any;
+} ? T[InferKey] : never;
 export type ActionClient<TOutput, TAccept extends ActionAccept | undefined, TInputSchema extends z.ZodType | undefined> = TInputSchema extends z.ZodType ? ((input: TAccept extends 'form' ? FormData : z.input<TInputSchema>) => Promise<SafeResult<z.input<TInputSchema> extends ErrorInferenceObject ? z.input<TInputSchema> : ErrorInferenceObject, Awaited<TOutput>>>) & {
     queryString: string;
     orThrow: (input: TAccept extends 'form' ? FormData : z.input<TInputSchema>) => Promise<Awaited<TOutput>>;
-    [inferSymbol]: TInputSchema;
+} & {
+    [key in InferKey]: TInputSchema;
 } : ((input?: any) => Promise<SafeResult<never, Awaited<TOutput>>>) & {
     orThrow: (input?: any) => Promise<Awaited<TOutput>>;
 };

package/dist/actions/runtime/server.js

@@ -20,7 +20,6 @@ import {
   isActionAPIContext
 } from "./utils.js";
 export * from "./shared.js";
-const inferSymbol = Symbol("#infer");
 function defineAction({
   accept,
   input: inputSchema,

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "5.16.2";
+  version = "5.16.3";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/content/content-layer.js

@@ -164,7 +164,7 @@ ${contentConfig.error.message}`);
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "5.16.2") {
+    if (previousAstroVersion && previousAstroVersion !== "5.16.3") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -172,8 +172,8 @@ ${contentConfig.error.message}`);
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("5.16.2") {
-      await this.#store.metaStore().set("astro-version", "5.16.2");
+    if ("5.16.3") {
+      await this.#store.metaStore().set("astro-version", "5.16.3");
     }
     if (currentConfigDigest) {
       await this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/core/app/index.js

@@ -30,6 +30,7 @@ import { ensure404Route } from "../routing/astro-designed-error-pages.js";
 import { createDefaultRoutes } from "../routing/default.js";
 import { matchRoute } from "../routing/match.js";
 import { PERSIST_SYMBOL } from "../session.js";
+import { validateAndDecodePathname } from "../util/pathname.js";
 import { AppPipeline } from "./pipeline.js";
 import { deserializeManifest } from "./common.js";
 class App {
@@ -197,7 +198,7 @@ class App {
     const url = new URL(request.url);
     const pathname = prependForwardSlash(this.removeBase(url.pathname));
     try {
-      return decodeURI(pathname);
+      return validateAndDecodePathname(pathname);
     } catch (e) {
       this.getAdapterLogger().error(e.toString());
       return pathname;
@@ -218,7 +219,12 @@ class App {
     if (!pathname) {
       pathname = prependForwardSlash(this.removeBase(url.pathname));
     }
-    let routeData = matchRoute(decodeURI(pathname), this.#manifestData);
+    try {
+      pathname = validateAndDecodePathname(pathname);
+    } catch {
+      return void 0;
+    }
+    let routeData = matchRoute(pathname, this.#manifestData);
     if (!routeData) return void 0;
     if (allowPrerenderedRoutes) {
       return routeData;

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "5.16.2";
+const ASTRO_VERSION = "5.16.3";
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";
 const REWRITE_DIRECTIVE_HEADER_VALUE = "yes";

package/dist/core/dev/dev.js

@@ -22,7 +22,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "5.16.2";
+  const currentVersion = "5.16.3";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/messages.js

@@ -38,7 +38,7 @@ function serverStart({
   host,
   base
 }) {
-  const version = "5.16.2";
+  const version = "5.16.3";
   const localPrefix = `${dim("\u2503")} Local    `;
   const networkPrefix = `${dim("\u2503")} Network  `;
   const emptyPrefix = " ".repeat(11);
@@ -275,7 +275,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"5.16.2"}`
+        `v${"5.16.3"}`
       )} ${headline}`
     );
   }

package/dist/core/render-context.js

@@ -30,6 +30,7 @@ import { getParams, getProps, Slots } from "./render/index.js";
 import { isRoute404or500, isRouteExternalRedirect, isRouteServerIsland } from "./routing/match.js";
 import { copyRequest, getOriginPathname, setOriginPathname } from "./routing/rewrite.js";
 import { AstroSession } from "./session.js";
+import { validateAndDecodePathname } from "./util/pathname.js";
 const apiContextRoutesSymbol = Symbol.for("context.routes");
 class RenderContext {
   constructor(pipeline, locals, middleware, actions, pathname, request, routeData, status, clientAddress, cookies = new AstroCookies(request), params = getParams(routeData, pathname), url = RenderContext.#createNormalizedUrl(request.url), props = {}, partial = void 0, shouldInjectCspMetaTags = !!pipeline.manifest.csp, session = pipeline.manifest.sessionConfig ? new AstroSession(cookies, pipeline.manifest.sessionConfig, pipeline.runtimeMode) : void 0) {
@@ -53,10 +54,14 @@ class RenderContext {
   static #createNormalizedUrl(requestUrl) {
     const url = new URL(requestUrl);
     try {
-      url.pathname = decodeURI(url.pathname);
-    } finally {
-      return url;
+      url.pathname = validateAndDecodePathname(url.pathname);
+    } catch {
+      try {
+        url.pathname = decodeURI(url.pathname);
+      } catch {
+      }
     }
+    return url;
   }
   /**
    * A flag that tells the render content if the rewriting was triggered

package/dist/core/util/pathname.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Validates that a pathname is not multi-level encoded.
+ * Detects if a pathname contains encoding that was encoded again (e.g., %2561dmin where %25 decodes to %).
+ * This prevents double/triple encoding bypasses of security checks.
+ *
+ * @param pathname - The pathname to validate
+ * @returns The decoded pathname if valid
+ * @throws Error if multi-level encoding is detected
+ */
+export declare function validateAndDecodePathname(pathname: string): string;

package/dist/core/util/pathname.js

@@ -0,0 +1,17 @@
+function validateAndDecodePathname(pathname) {
+  let decoded;
+  try {
+    decoded = decodeURI(pathname);
+  } catch (_e) {
+    throw new Error("Invalid URL encoding");
+  }
+  const hasDecoding = decoded !== pathname;
+  const decodedStillHasEncoding = /%[0-9a-fA-F]{2}/.test(decoded);
+  if (hasDecoding && decodedStillHasEncoding) {
+    throw new Error("Multi-level URL encoding is not allowed");
+  }
+  return decoded;
+}
+export {
+  validateAndDecodePathname
+};

package/dist/vite-plugin-astro-server/request.js

@@ -1,5 +1,6 @@
 import { hasFileExtension } from "@astrojs/internal-helpers/path";
 import { appendForwardSlash, removeTrailingForwardSlash } from "../core/path.js";
+import { validateAndDecodePathname } from "../core/util/pathname.js";
 import { runWithErrorHandling } from "./controller.js";
 import { recordServerError } from "./error.js";
 import { handle500Response } from "./response.js";
@@ -18,9 +19,15 @@ async function handleRequest({
   if (config.trailingSlash === "never" && !incomingRequest.url) {
     pathname = "";
   } else {
-    pathname = decodeURI(url.pathname);
+    try {
+      pathname = validateAndDecodePathname(url.pathname);
+    } catch {
+      incomingResponse.writeHead(404, { "Content-Type": "text/plain" });
+      incomingResponse.end("Not Found");
+      return;
+    }
   }
-  url.pathname = removeTrailingForwardSlash(config.base) + decodeURI(url.pathname);
+  url.pathname = removeTrailingForwardSlash(config.base) + pathname;
   if (config.trailingSlash === "never") {
     url.pathname = removeTrailingForwardSlash(url.pathname);
   } else if (config.trailingSlash === "always" && !hasFileExtension(url.pathname)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "5.16.2",
+  "version": "5.16.3",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -155,8 +155,8 @@
     "zod-to-json-schema": "^3.25.0",
     "zod-to-ts": "^1.2.0",
     "@astrojs/markdown-remark": "6.3.9",
-    "@astrojs/internal-helpers": "0.7.5",
-    "@astrojs/telemetry": "3.3.0"
+    "@astrojs/telemetry": "3.3.0",
+    "@astrojs/internal-helpers": "0.7.5"
   },
   "optionalDependencies": {
     "sharp": "^0.34.0"
@@ -195,8 +195,8 @@
     "undici": "^6.22.0",
     "unified": "^11.0.5",
     "vitest": "^3.2.4",
-    "@astrojs/check": "0.9.6",
-    "astro-scripts": "0.0.14"
+    "astro-scripts": "0.0.14",
+    "@astrojs/check": "0.9.6"
   },
   "engines": {
     "node": "18.20.8 || ^20.3.0 || >=22.0.0",