From 2a61b5fdd444c4b6f47f0e0bfbafe0bd26789d68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Og=C3=B3rek?= <kamil.ogorek@gmail.com>
Date: Fri, 23 Dec 2022 17:39:14 +0100
Subject: fix(ext/fetch): Guard against invalid URL before its used by reqwest
 (#17164)

---
 ext/fetch/lib.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'ext/fetch/lib.rs')

diff --git a/ext/fetch/lib.rs b/ext/fetch/lib.rs
index c19336e7d..ac71e2a3d 100644
--- a/ext/fetch/lib.rs
+++ b/ext/fetch/lib.rs
@@ -31,7 +31,7 @@ use deno_core::ResourceId;
 use deno_core::ZeroCopyBuf;
 use deno_tls::rustls::RootCertStore;
 use deno_tls::Proxy;
-use http::header::CONTENT_LENGTH;
+use http::{header::CONTENT_LENGTH, Uri};
 use reqwest::header::HeaderMap;
 use reqwest::header::HeaderName;
 use reqwest::header::HeaderValue;
@@ -252,6 +252,12 @@ where
       let permissions = state.borrow_mut::<FP>();
       permissions.check_net_url(&url, "fetch()")?;
 
+      // Make sure that we have a valid URI early, as reqwest's `RequestBuilder::send`
+      // internally uses `expect_uri`, which panics instead of returning a usable `Result`.
+      if url.as_str().parse::<Uri>().is_err() {
+        return Err(type_error("Invalid URL"));
+      }
+
       let mut request = client.request(method.clone(), url);
 
       let request_body_rid = if has_body {
-- 
cgit v1.2.3