authorKamil Ogórek <kamil.ogorek@gmail.com>2022-12-23 17:39:14 +0100
committerGitHub <noreply@github.com>2022-12-23 17:39:14 +0100
commit2a61b5fdd444c4b6f47f0e0bfbafe0bd26789d68 (patch)
tree0ea6ef228d7c85ec8b206197fd0fddf29fc29a2b
parente58cdbcb4b8943eaa344a597f5c868e1ef4070d4 (diff)
fix(ext/fetch): Guard against invalid URL before its used by reqwest (#17164)
-rw-r--r--cli/tests/unit/fetch_test.ts13
-rw-r--r--ext/fetch/lib.rs8
2 files changed, 20 insertions, 1 deletions
diff --git a/cli/tests/unit/fetch_test.ts b/cli/tests/unit/fetch_test.ts
index b755e8ec9..500891e08 100644
--- a/cli/tests/unit/fetch_test.ts
+++ b/cli/tests/unit/fetch_test.ts
@@ -93,6 +93,19 @@ Deno.test(
},
);
+Deno.test(
+ { permissions: { net: true } },
+ async function fetchMalformedUriError() {
+ await assertRejects(
+ async () => {
+ const url = new URL("http://{{google/");
+ await fetch(url);
+ },
+ TypeError,
+ );
+ },
+);
+
Deno.test({ permissions: { net: true } }, async function fetchJsonSuccess() {
const response = await fetch("http://localhost:4545/assets/fixture.json");
const json = await response.json();
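Review bot: The `assertRejects(..., TypeError)` call in `fetchMalformedUriError` checks only the error class, so it does not prove that the rejection comes from the new guard. Fetch reports ordinary network failures as `TypeError` as well, so the test could presumably still pass if the guard were removed and the request failed some other way. Pinning the message would tie the test to the fix, by passing it as the third argument: `TypeError, "Invalid URL",`. A short comment such as `// Regression test: this URL used to panic inside reqwest instead of rejecting.` would also record why the case exists.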
diff --git a/ext/fetch/lib.rs b/ext/fetch/lib.rs
index c19336e7d..ac71e2a3d 100644
--- a/ext/fetch/lib.rs
+++ b/ext/fetch/lib.rs
@@ -31,7 +31,7 @@ use deno_core::ResourceId;
use deno_core::ZeroCopyBuf;
use deno_tls::rustls::RootCertStore;
use deno_tls::Proxy;
-use http::header::CONTENT_LENGTH;
+use http::{header::CONTENT_LENGTH, Uri};
use reqwest::header::HeaderMap;
use reqwest::header::HeaderName;
use reqwest::header::HeaderValue;
@@ -252,6 +252,12 @@ where
let permissions = state.borrow_mut::<FP>();
permissions.check_net_url(&url, "fetch()")?;
+ // Make sure that we have a valid URI early, as reqwest's `RequestBuilder::send`
+ // internally uses `expect_uri`, which panics instead of returning a usable `Result`.
+ if url.as_str().parse::<Uri>().is_err() {
+ return Err(type_error("Invalid URL"));
+ }
+
let mut request = client.request(method.clone(), url);
let request_body_rid = if has_body {
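Review bot: The guard `url.as_str().parse::<Uri>().is_err()` repeats a conversion that reqwest performs internally, so it only prevents the panic while both sides agree on what a valid `Uri` is, and nothing in the hunk records that dependency. The URL can come from script input, so a panic on this path ends the process rather than rejecting one request, which is why the coupling should be visible to whoever upgrades the dependency. I would extend the comment with `// NOTE: must accept exactly what reqwest's Url -> Uri conversion accepts; re-check on reqwest/http upgrades.` It is also worth confirming whether other places that hand a `Url` to reqwest need the same guard; none are visible here. The enclosing function starts and ends outside the hunk.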