vinext 0.0.10 → 0.0.12

package/dist/index.js

@@ -10,7 +10,7 @@ import { generateSafeRegExpCode, generateMiddlewareMatcherCode, generateNormaliz
 import { normalizePath } from "./server/normalize-path.js";
 import { findInstrumentationFile, runInstrumentation } from "./server/instrumentation.js";
 import { validateDevRequest } from "./server/dev-origin-check.js";
-import { safeRegExp, isExternalUrl, proxyExternalRequest } from "./config/config-matchers.js";
+import { safeRegExp, escapeHeaderSource, isExternalUrl, proxyExternalRequest } from "./config/config-matchers.js";
 import { scanMetadataFiles } from "./server/metadata-routes.js";
 import tsconfigPaths from "vite-tsconfig-paths";
 import MagicString from "magic-string";
@@ -577,7 +577,11 @@ export async function runMiddleware(request) {
 
   // Normalize pathname before matching to prevent path-confusion bypasses
   // (percent-encoding like /%61dmin, double slashes like /dashboard//settings).
-  var normalizedPathname = __normalizePath(decodeURIComponent(url.pathname));
+  var decodedPathname;
+  try { decodedPathname = decodeURIComponent(url.pathname); } catch (e) {
+    return { continue: false, response: new Response("Bad Request", { status: 400 }) };
+  }
+  var normalizedPathname = __normalizePath(decodedPathname);
 
   if (!matchesMiddleware(normalizedPathname, matcher)) return { continue: true };
 
@@ -896,7 +900,8 @@ function parseCookieLocaleFromHeader(cookieHeader) {
   if (!i18nConfig || !cookieHeader) return null;
   const match = cookieHeader.match(/(?:^|;\\s*)NEXT_LOCALE=([^;]*)/);
   if (!match) return null;
-  const value = decodeURIComponent(match[1].trim());
+  var value;
+  try { value = decodeURIComponent(match[1].trim()); } catch (e) { return null; }
   if (i18nConfig.locales.indexOf(value) !== -1) return value;
   return null;
 }
@@ -1115,7 +1120,7 @@ export async function renderPage(request, url, manifest) {
       if (result && result.props) pageProps = result.props;
       if (result && result.redirect) {
         var gsspStatus = result.redirect.statusCode != null ? result.redirect.statusCode : (result.redirect.permanent ? 308 : 307);
-        return new Response(null, { status: gsspStatus, headers: { Location: result.redirect.destination } });
+        return new Response(null, { status: gsspStatus, headers: { Location: sanitizeDestinationLocal(result.redirect.destination) } });
       }
       if (result && result.notFound) {
         return new Response("404", { status: 404 });
@@ -1174,7 +1179,7 @@ export async function renderPage(request, url, manifest) {
       if (result && result.props) pageProps = result.props;
       if (result && result.redirect) {
         var gspStatus = result.redirect.statusCode != null ? result.redirect.statusCode : (result.redirect.permanent ? 308 : 307);
-        return new Response(null, { status: gspStatus, headers: { Location: result.redirect.destination } });
+        return new Response(null, { status: gspStatus, headers: { Location: sanitizeDestinationLocal(result.redirect.destination) } });
       }
       if (result && result.notFound) {
         return new Response("404", { status: 404 });
@@ -1395,6 +1400,9 @@ ${middlewareExportCode}
         const loaderEntries = pageRoutes.map((r) => {
             const absPath = r.filePath.replace(/\\/g, "/");
             const nextFormatPattern = pagesPatternToNextFormat(r.pattern);
+            // JSON.stringify safely escapes quotes, backslashes, and special chars in
+            // both the route pattern and the absolute file path.
+            // lgtm[js/bad-code-sanitization]
             return `  ${JSON.stringify(nextFormatPattern)}: () => import(${JSON.stringify(absPath)})`;
         });
         const appFileBase = path.join(pagesDir, "_app").replace(/\\/g, "/");
@@ -2183,7 +2191,15 @@ hydrate();
                             // Normalize the pathname to prevent path-confusion attacks.
                             // decodeURIComponent prevents /%61dmin bypassing /admin matchers.
                             // normalizePath collapses // and resolves . / .. segments.
-                            pathname = normalizePath(decodeURIComponent(pathname));
+                            try {
+                                pathname = normalizePath(decodeURIComponent(pathname));
+                            }
+                            catch {
+                                // Malformed percent-encoding (e.g. /%E0%A4%A) — return 400 instead of crashing.
+                                res.writeHead(400);
+                                res.end("Bad Request");
+                                return;
+                            }
                             // Strip basePath prefix from URL for route matching.
                             // All internal routing uses basePath-free paths.
                             //
@@ -2990,6 +3006,29 @@ function getNextPublicEnvDefines() {
     }
     return defines;
 }
+/**
+ * If the current position in `str` starts with a parenthesized group, consume
+ * it and advance `re.lastIndex` past the closing `)`. Returns the group
+ * contents or null if no group is present.
+ */
+function extractConstraint(str, re) {
+    if (str[re.lastIndex] !== "(")
+        return null;
+    const start = re.lastIndex + 1;
+    let depth = 1;
+    let i = start;
+    while (i < str.length && depth > 0) {
+        if (str[i] === "(")
+            depth++;
+        else if (str[i] === ")")
+            depth--;
+        i++;
+    }
+    if (depth !== 0)
+        return null;
+    re.lastIndex = i;
+    return str.slice(start, i - 1);
+}
 /**
  * Match a Next.js route pattern (e.g. "/blog/:slug", "/docs/:path*") against a pathname.
  * Returns matched params or null.
@@ -3016,28 +3055,44 @@ export function matchConfigPattern(pathname, pattern) {
             // :param* -> (.*)
             // :param+ -> (.+)
             const paramNames = [];
-            const regexStr = pattern
-                .replace(/\./g, "\\.")
-                // :param* with optional constraint
-                .replace(/:(\w+)\*(?:\(([^)]+)\))?/g, (_m, name, constraint) => {
-                paramNames.push(name);
-                return constraint ? `(${constraint})` : "(.*)";
-            })
-                // :param+ with optional constraint
-                .replace(/:(\w+)\+(?:\(([^)]+)\))?/g, (_m, name, constraint) => {
-                paramNames.push(name);
-                return constraint ? `(${constraint})` : "(.+)";
-            })
-                // :param(constraint) — named param with inline regex constraint
-                .replace(/:(\w+)\(([^)]+)\)/g, (_m, name, constraint) => {
-                paramNames.push(name);
-                return `(${constraint})`;
-            })
-                // :param — plain named param
-                .replace(/:(\w+)/g, (_m, name) => {
-                paramNames.push(name);
-                return "([^/]+)";
-            });
+            // Single-pass conversion with procedural suffix handling. The tokenizer
+            // matches only simple, non-overlapping tokens; quantifier/constraint
+            // suffixes after :param are consumed procedurally to avoid polynomial
+            // backtracking in the regex engine.
+            let regexStr = "";
+            const tokenRe = /:(\w+)|[.]|[^:.]+/g; // lgtm[js/redos] — alternatives are non-overlapping (`:` and `.` excluded from `[^:.]+`)
+            let tok;
+            while ((tok = tokenRe.exec(pattern)) !== null) {
+                if (tok[1] !== undefined) {
+                    const name = tok[1];
+                    const rest = pattern.slice(tokenRe.lastIndex);
+                    // Check for quantifier (* or +) with optional constraint
+                    if (rest.startsWith("*") || rest.startsWith("+")) {
+                        const quantifier = rest[0];
+                        tokenRe.lastIndex += 1;
+                        const constraint = extractConstraint(pattern, tokenRe);
+                        paramNames.push(name);
+                        if (constraint !== null) {
+                            regexStr += `(${constraint})`;
+                        }
+                        else {
+                            regexStr += quantifier === "*" ? "(.*)" : "(.+)";
+                        }
+                    }
+                    else {
+                        // Check for inline constraint without quantifier
+                        const constraint = extractConstraint(pattern, tokenRe);
+                        paramNames.push(name);
+                        regexStr += constraint !== null ? `(${constraint})` : "([^/]+)";
+                    }
+                }
+                else if (tok[0] === ".") {
+                    regexStr += "\\.";
+                }
+                else {
+                    regexStr += tok[0];
+                }
+            }
             const re = safeRegExp("^" + regexStr + "$");
             if (!re)
                 return null;
@@ -3067,7 +3122,12 @@ export function matchConfigPattern(pathname, pattern) {
         if (isPlus && (!rest || rest === "/"))
             return null;
         // For :path* zero segments is fine
-        return { [paramName]: rest.startsWith("/") ? rest.slice(1) : rest };
+        let restValue = rest.startsWith("/") ? rest.slice(1) : rest;
+        try {
+            restValue = decodeURIComponent(restValue);
+        }
+        catch { /* malformed percent-encoding */ }
+        return { [paramName]: restValue };
     }
     // Simple segment-based matching for exact patterns and :param
     const parts = pattern.split("/");
@@ -3086,14 +3146,14 @@ export function matchConfigPattern(pathname, pattern) {
     return params;
 }
 /**
- * Sanitize a redirect/rewrite destination by collapsing leading // to /
- * for non-external URLs, preventing unintended protocol-relative redirects.
+ * Sanitize a redirect/rewrite destination by collapsing leading slashes and
+ * backslashes to a single "/" for non-external URLs. Browsers interpret "\"
+ * as "/" in URL contexts, so "\/evil.com" becomes "//evil.com" (protocol-relative).
  */
 function sanitizeDestinationLocal(dest) {
     if (dest.startsWith("http://") || dest.startsWith("https://"))
         return dest;
-    if (dest.startsWith("//"))
-        dest = dest.replace(/^\/\/+/, "/");
+    dest = dest.replace(/^[\\/]+/, "/");
     return dest;
 }
 /**
@@ -3204,24 +3264,7 @@ function applyRewrites(pathname, rewrites) {
  */
 function applyHeaders(pathname, res, headers) {
     for (const rule of headers) {
-        // Escape regex metacharacters in the source, then convert Next.js patterns.
-        // Strategy: extract regex groups first, process the rest, then restore groups.
-        const groups = [];
-        const withPlaceholders = rule.source.replace(/\(([^)]+)\)/g, (_m, inner) => {
-            groups.push(inner);
-            return `___GROUP_${groups.length - 1}___`;
-        });
-        const escaped = withPlaceholders
-            // Escape dots and other metacharacters
-            .replace(/\./g, "\\.")
-            .replace(/\+/g, "\\+")
-            .replace(/\?/g, "\\?")
-            // Convert glob * to .*
-            .replace(/\*/g, ".*")
-            // Convert :param to [^/]+
-            .replace(/:\w+/g, "[^/]+")
-            // Restore regex groups (contents are untouched)
-            .replace(/___GROUP_(\d+)___/g, (_m, idx) => `(${groups[Number(idx)]})`);
+        const escaped = escapeHeaderSource(rule.source);
         const sourceRegex = safeRegExp("^" + escaped + "$");
         if (sourceRegex && sourceRegex.test(pathname)) {
             for (const header of rule.headers) {