fix: Handle malformed pathnames in middleware (#1353)

Fixes #1351

Author: amannn

packages/next-intl/.size-limit.ts

@@ -27,7 +27,7 @@ const config: SizeLimitConfig = [
   },
   {
     path: 'dist/production/middleware.js',
-    limit: '9.61 KB'
+    limit: '9.625 KB'
   },
   {
     path: 'dist/production/routing.js',

packages/next-intl/src/middleware/middleware.test.tsx

@@ -1075,6 +1075,13 @@ describe('prefix-based routing', () => {
       );
     });
 
+    it('handles malformed urls', () => {
+      middleware(createMockRequest('/a%'));
+      middleware(createMockRequest('/en/a%'));
+      middleware(createMockRequest('/en/about/a%'));
+      expect(MockedNextResponse.next).toHaveBeenCalledTimes(3);
+    });
+
     describe('base path', () => {
       it('redirects non-prefixed requests for the default locale', () => {
         middleware(withBasePath(createMockRequest('/')));

packages/next-intl/src/middleware/middleware.tsx

@@ -41,8 +41,15 @@ export default function createMiddleware<
   };
 
   return function middleware(request: NextRequest) {
-    // Resolve potential foreign symbols (e.g. /ja/%E7%B4%84 → /ja/約))
-    const unsafeExternalPathname = decodeURI(request.nextUrl.pathname);
+    let unsafeExternalPathname: string;
+    try {
+      // Resolve potential foreign symbols (e.g. /ja/%E7%B4%84 → /ja/約))
+      unsafeExternalPathname = decodeURI(request.nextUrl.pathname);
+    } catch (e) {
+      // In case an invalid pathname is encountered, forward
+      // it to Next.js which in turn responds with a 400
+      return NextResponse.next();
+    }
 
     // Sanitize malicious URIs to prevent open redirect attacks due to
     // decodeURI doesn't escape encoded backslashes ('%5C' & '%5c')