From 52ce84e6c6c0232d6f2bbf1eea30ba019265d2cb Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Sat, 12 Nov 2022 19:50:15 -0800
Subject: [PATCH] fix: don't throw on malformed URLs
---
 .../vite/src/node/__tests__/utils.spec.ts | 9 ++++-
 packages/vite/src/node/utils.ts | 34 +++++++++++--------
 2 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/packages/vite/src/node/__tests__/utils.spec.ts b/packages/vite/src/node/__tests__/utils.spec.ts
index 34ede1f5be2303..5e9d3e2f0c9858 100644
--- a/packages/vite/src/node/__tests__/utils.spec.ts
+++ b/packages/vite/src/node/__tests__/utils.spec.ts
@@ -7,7 +7,8 @@ import {
 injectQuery,
 isWindows,
 posToNumber,
- resolveHostname
+ resolveHostname,
+ shouldServe
 } from '../utils'

 describe('injectQuery', () => {
@@ -236,3 +237,9 @@ describe('asyncFlatten', () => {
 expect(arr).toEqual([1, 2, 3, 4, 5, 6, 7, 8, 9])
 })
 })
+
+describe('shouldServe', () => {
+ test('returns false for malformed URLs', () => {
+ expect(shouldServe('/%c0%ae%c0%ae/etc/passwd', '/assets/dir')).toBe(false)
+ })
+})
diff --git a/packages/vite/src/node/utils.ts b/packages/vite/src/node/utils.ts
index 379e633e14591a..f2e811a874f014 100644
--- a/packages/vite/src/node/utils.ts
+++ b/packages/vite/src/node/utils.ts
@@ -1204,22 +1204,28 @@ export const isNonDriveRelativeAbsolutePath = (p: string): boolean => {
 * consistent behaviour between dev and prod and across operating systems.
 */
 export function shouldServe(url: string, assetsDir: string): boolean {
- // viteTestUrl is set to something like http://localhost:4173/ and then many tests make calls
- // like `await page.goto(viteTestUrl + '/example')` giving us URLs beginning with a double slash
- const pathname = decodeURI(
- new URL(url.startsWith('//') ? url.substring(1) : url, 'http://example.com')
- .pathname
- )
- const file = path.join(assetsDir, pathname)
- if (
- !fs.existsSync(file) ||
- (isCaseInsensitiveFS && // can skip case check on Linux
- !fs.statSync(file).isDirectory() &&
- !hasCorrectCase(file, assetsDir))
- ) {
+ try {
+ // viteTestUrl is set to something like http://localhost:4173/ and then many tests make calls
+ // like `await page.goto(viteTestUrl + '/example')` giving us URLs beginning with a double slash
+ const pathname = decodeURI(
+ new URL(
+ url.startsWith('//') ? url.substring(1) : url,
+ 'http://example.com'
+ ).pathname
+ )
+ const file = path.join(assetsDir, pathname)
+ if (
+ !fs.existsSync(file) ||
+ (isCaseInsensitiveFS && // can skip case check on Linux
+ !fs.statSync(file).isDirectory() &&
+ !hasCorrectCase(file, assetsDir))
+ ) {
+ return false
+ }
+ return true
+ } catch (err) {
 return false
 }
- return true
 }

 /**
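Review bot: The new `try`/`catch` in `shouldServe` wraps the filesystem calls as well as the URL decoding, so an unexpected error from `fs.statSync` or `hasCorrectCase` (a permissions failure, or a file removed between `existsSync` and `statSync`) is now turned into a silent `false` with nothing logged. Failing closed is the right outcome for a malformed URL such as the `%c0%ae` case in the spec, where `decodeURI` throws `URIError`, but I would narrow the `try` to the decode/parse expression and drop the unused `err` binding, as sketched below. Separately, `path.join(assetsDir, pathname)` is not followed by any check in this hunk that `file` is still inside `assetsDir`; if callers treat this function as a gate, that containment check presumably lives elsewhere and is worth confirming. The added spec only exercises the throwing path, so a case that expects `true` for an existing directory would guard against the catch masking everything.

```typescript
export function shouldServe(url: string, assetsDir: string): boolean {
  let pathname: string
  try {
    // decodeURI throws URIError on invalid percent-encoding; new URL can throw TypeError
    pathname = decodeURI(/* … unchanged: new URL(...).pathname … */)
  } catch {
    // malformed request URL: refuse to serve instead of propagating the error
    return false
  }
  // … unchanged: path.join, existsSync and case check, now outside the try …
```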