Fix handling of bad requests to prevent unnecessary 500 errors (#3432)

conico974 · Nicolas Dorseuil · web-flow · commit 5ca5da0f2170 · 2025-07-04T17:06:37.000+02:00
Co-authored-by: Nicolas Dorseuil &lt;nicolas@gitbook.io&gt;
diff --git a/packages/gitbook/src/components/SitePage/fetch.ts b/packages/gitbook/src/components/SitePage/fetch.ts
@@ -52,7 +52,8 @@ async function resolvePage(context: GitBookSiteContext, params: PagePathParams |
     }
 
     // We don't test path that are too long as GitBook doesn't support them and will return a 404 anyway.
-    if (rawPathname.length <= 512) {
+    // API has a limit of less than 512 characters for the source path, so we use the same limit here.
+    if (rawPathname.length < 512) {
         // Duplicated the regex pattern from SiteRedirectSourcePath API type.
         const SITE_REDIRECT_SOURCE_PATH_REGEX =
             /^\/(?:[A-Za-z0-9\-._~]|%[0-9A-Fa-f]{2})+(?:\/(?:[A-Za-z0-9\-._~]|%[0-9A-Fa-f]{2})+)*$/;
diff --git a/packages/gitbook/src/middleware.ts b/packages/gitbook/src/middleware.ts
@@ -81,6 +81,24 @@ async function validateServerActionRequest(request: NextRequest) {
     }
 }
 
+/**
+ * Filter malicious requests.
+ * @param requestURL The URL of the request to filter.
+ * @returns True if the request is malicious, false otherwise.
+ */
+function shouldFilterMaliciousRequests(requestURL: URL): boolean {
+    // We want to filter hostnames that contains a port here as this is likely a malicious request.
+    if (requestURL.host.includes(':')) {
+        return true;
+    }
+    // These requests will be rejected by the API anyway, we might as well do it right away.
+    if (requestURL.pathname.endsWith(';.jsp')) {
+        return true;
+    }
+
+    return false;
+}
+
 /**
  * Handle request that are targetting the site routes group.
  */
@@ -108,7 +126,7 @@ async function serveSiteRoutes(requestURL: URL, request: NextRequest) {
     }
 
     // We want to filter hostnames that contains a port here as this is likely a malicious request.
-    if (siteRequestURL.host.includes(':')) {
+    if (shouldFilterMaliciousRequests(siteRequestURL)) {
         return new Response('Invalid request', {
             status: 400,
             headers: { 'content-type': 'text/plain' },

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,8 @@ async function resolvePage(context: GitBookSiteContext, params: PagePathParams \|`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`// We don't test path that are too long as GitBook doesn't support them and will return a 404 anyway.`
`55`		`- if (rawPathname.length <= 512) {`
	`55`	`+ // API has a limit of less than 512 characters for the source path, so we use the same limit here.`
	`56`	`+ if (rawPathname.length < 512) {`
`56`	`57`	`// Duplicated the regex pattern from SiteRedirectSourcePath API type.`
`57`	`58`	`const SITE_REDIRECT_SOURCE_PATH_REGEX =`
`58`	`59`	`/^\/(?:[A-Za-z0-9\-._~]\|%[0-9A-Fa-f]{2})+(?:\/(?:[A-Za-z0-9\-._~]\|%[0-9A-Fa-f]{2})+)*$/;`