fix: validate ORIGIN env var at startup

.changeset/dry-hornets-change.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/adapter-node': patch
+---
+
+fix: validate `ORIGIN` env var at startup

packages/adapter-node/src/handler.js

@@ -9,14 +9,16 @@ import { getRequest, setResponse, createReadableStream } from '@sveltejs/kit/nod
 import { Server } from 'SERVER';
 import { manifest, prerendered, base } from 'MANIFEST';
 import { env } from 'ENV';
-import { parse_as_bytes } from '../utils.js';
+import { parse_as_bytes, parse_origin } from '../utils.js';
 
 /* global ENV_PREFIX */
 /* global PRECOMPRESS */
 
 const server = new Server(manifest);
 
-const origin = env('ORIGIN', undefined);
+// parse_origin validates ORIGIN and throws descriptive errors for invalid values
+const origin = parse_origin(env('ORIGIN', undefined));
+
 const xff_depth = parseInt(env('XFF_DEPTH', '1'));
 const address_header = env('ADDRESS_HEADER', '').toLowerCase();
 const protocol_header = env('PROTOCOL_HEADER', '').toLowerCase();

packages/adapter-node/tests/utils.spec.ts

@@ -1,5 +1,5 @@
 import { expect, test, describe } from 'vitest';
-import { parse_as_bytes } from '../utils.js';
+import { parse_as_bytes, parse_origin } from '../utils.js';
 
 describe('parse_as_bytes', () => {
 	test.each([
@@ -14,3 +14,36 @@ describe('parse_as_bytes', () => {
 		expect(actual, `Testing input '${input}'`).toBe(expected);
 	});
 });
+
+describe('parse_origin', () => {
+	test.each([
+		['http://localhost:3000', 'http://localhost:3000'],
+		['https://example.com', 'https://example.com'],
+		['http://192.168.1.1:8080', 'http://192.168.1.1:8080'],
+		['https://my-site.com', 'https://my-site.com'],
+		['http://localhost', 'http://localhost'],
+		// Default ports are normalized by URL.origin per WHATWG URL standard
+		['https://example.com:443', 'https://example.com'],
+		['http://example.com:80', 'http://example.com'],
+		[undefined, undefined]
+	] as const)('normalizes %s to %s', (input, expected) => {
+		expect(parse_origin(input)).toBe(expected);
+	});
+
+	test.each([
+		['http://localhost:3000/path', 'http://localhost:3000'],
+		['http://localhost:3000?query=1', 'http://localhost:3000'],
+		['http://localhost:3000#hash', 'http://localhost:3000'],
+		['https://example.com/path/to/page', 'https://example.com'],
+		['https://example.com:443/path?query=1#hash', 'https://example.com']
+	] as const)('strips path/query/hash from %s to get %s', (input, expected) => {
+		expect(parse_origin(input)).toBe(expected);
+	});
+
+	test.each(['localhost:3000', 'example.com', '', '   ', 'ftp://localhost:3000'] as const)(
+		'throws error for invalid origin: %s',
+		(input) => {
+			expect(() => parse_origin(input)).toThrow('Invalid ORIGIN');
+		}
+	);
+});

packages/adapter-node/utils.js

@@ -13,3 +13,40 @@ export function parse_as_bytes(value) {
 		}[value[value.length - 1]?.toUpperCase()] ?? 1;
 	return Number(multiplier != 1 ? value.substring(0, value.length - 1) : value) * multiplier;
 }
+
+/**
+ * Parses and validates an origin URL.
+ *
+ * @param {string | undefined} value - Origin URL with http:// or https:// protocol
+ * @returns {string | undefined} The validated origin, or undefined if value is undefined
+ * @throws {Error} If value is provided but invalid
+ */
+export function parse_origin(value) {
+	if (value === undefined) {
+		return undefined;
+	}
+
+	const trimmed = value.trim();
+
+	let url;
+	try {
+		url = new URL(trimmed);
+	} catch (error) {
+		throw new Error(
+			`Invalid ORIGIN: '${trimmed}'. ` +
+				`ORIGIN must be a valid URL with http:// or https:// protocol. ` +
+				`For example: 'http://localhost:3000' or 'https://my.site'`,
+			{ cause: error }
+		);
+	}
+
+	if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+		throw new Error(
+			`Invalid ORIGIN: '${trimmed}'. ` +
+				`Only http:// and https:// protocols are supported. ` +
+				`Received protocol: ${url.protocol}`
+		);
+	}
+
+	return url.origin;
+}