fix: properly handle invalid URLs in router

Resolves #668

Author: kitsonk

router.ts

@@ -67,6 +67,7 @@ import {
   type TokensToRegexpOptions,
 } from "./deps.ts";
 import { compose, type Middleware } from "./middleware.ts";
+import { decode } from "./utils/decode.ts";
 import { decodeComponent } from "./utils/decode_component.ts";
 
 interface Matches<R extends string> {
@@ -1299,8 +1300,7 @@ export class Router<
       } catch (e) {
         return Promise.reject(e);
       }
-      const path = this.#opts.routerPath ?? ctx.routerPath ??
-        decodeURI(pathname);
+      const path = this.#opts.routerPath ?? ctx.routerPath ?? decode(pathname);
       const matches = this.#match(path, method);
 
       if (ctx.matched) {

utils/decode.test.ts

@@ -0,0 +1,20 @@
+// Copyright 2018-2024 the oak authors. All rights reserved. MIT license.
+
+import { assert, isHttpError } from "../deps.ts";
+import { assertEquals } from "../deps_test.ts";
+import { decode } from "./decode.ts";
+
+Deno.test({
+  name: "decodeComponent - throws HTTP error",
+  fn() {
+    try {
+      decode("%");
+    } catch (err) {
+      assert(isHttpError(err));
+      assertEquals(err.status, 400);
+      assertEquals(err.expose, false);
+      return;
+    }
+    throw Error("unaccessible code");
+  },
+});

utils/decode.ts

@@ -0,0 +1,18 @@
+// Copyright 2018-2024 the oak authors. All rights reserved. MIT license.
+
+import { createHttpError } from "../deps.ts";
+
+/**
+ * Safely decode a URI component, where if it fails, instead of throwing,
+ * just returns the original string
+ */
+export function decode(pathname: string): string {
+  try {
+    return decodeURI(pathname);
+  } catch (err) {
+    if (err instanceof URIError) {
+      throw createHttpError(400, "Failed to decode URI", { expose: false });
+    }
+    throw err;
+  }
+}