fix(server-actions): catch TypeError for malformed Origin header to prevent DoS #92747
Open
sleitor wants to merge 1 commit into vercel:canary from
…revent DoS Fixes vercel#92703 Wrap `new URL(originHeader).host` in try/catch so a malformed Origin header (e.g. 'http://') does not throw an unhandled TypeError and cause a 500 response. Return a sentinel '__invalid_origin__' that fails host comparison, preserving CSRF protection.
eps1lon reviewed Apr 14, 2026 (comment on lines +627 to +636):
| : (() => { | ||
| try { | ||
| return new URL(originHeader).host | ||
| } catch { | ||
| // A malformed Origin header (e.g. 'http://') must NOT fall through | ||
| // to undefined/null — that would skip CSRF validation entirely. | ||
| // Return a sentinel that is guaranteed to fail host comparison. | ||
| return '__invalid_origin__' | ||
| } | ||
| })() |
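Review bot: the sentinel `'__invalid_origin__'` returned in the catch branch is only "guaranteed to fail host comparison" if the value on the other side of that comparison can never equal the string; when that side is itself taken from a request header, a magic string is a weaker contract than an explicit "unparseable" outcome. Suggest hoisting the parse into a small helper that returns `string | null` and rejecting at the comparison site, e.g. `const originHost = parseOriginHost(originHeader)` followed by `if (originHost === null || originHost !== host) { /* reject */ }`, while keeping that `null` separate from the missing-header case the existing comment warns about (an absent Origin must not be conflated with a present but malformed one). That also removes the IIFE allocation and reads the same as the surrounding ternary.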
The code should be refactored to avoid allocating an IIFE
Fixes #92703

Wrap `new URL(originHeader).host` in try/catch so a malformed Origin header (e.g. `http://`, `ftp://`, `not-a-url`) does not throw an unhandled TypeError and cause a 500 response.

Problem

`new URL('http://')` throws `TypeError: Invalid URL`, which propagates as an unhandled exception and returns a 500.

Fix

Wrap in try/catch and return a sentinel value `'__invalid_origin__'` on parse failure. The sentinel is guaranteed to fail the subsequent host comparison, so CSRF protection is preserved — malformed origins are treated as cross-origin requests, not bypasses.

Behavior

- `http://valid.com`
- `null`
- `http://`
- `not-a-url`