[URIError]: URI malformed using middleware #43030

Closed
1 task done
benji24290 opened this issue Nov 17, 2022 · 5 comments · Fixed by #42736 or vercel/edge-runtime#215
Labels: Runtime (Related to Node.js or Edge Runtime with Next.js.), Upstream (Related to using Next.js with a third-party dependency, e.g., React, UI/icon libraries, etc.)

benji24290 commented Nov 17, 2022

Verify canary release

  • I verified that the issue exists in the latest Next.js canary release

Provide environment information

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 22.1.0: Sun Oct  9 20:15:09 PDT 2022; root:xnu-8792.41.9~2/RELEASE_ARM64_T6000
Binaries:
  Node: 16.18.0
  npm: 8.19.2
  Yarn: 1.22.19
  pnpm: N/A
Relevant packages:
  next: 13.0.4-canary.3
  eslint-config-next: 13.0.3
  react: 18.2.0
  react-dom: 18.2.0

What browser are you using? (if relevant)

No response

How are you deploying your application? (if relevant)

next start or next dev

Describe the Bug

If a cookie with an invalid character* is set in a Next project using middleware, the app crashes.
*a character that leads to an error in decodeURIComponent e.g. ö --> %6F

error - Error [URIError]: URI malformed
    at decodeURIComponent (<anonymous>)
    at parseCookieString (webpack-internal:///(middleware)/./node_modules/next/dist/esm/server/web/spec-extension/cookies/serialize.js:44:22)
    at new RequestCookies (webpack-internal:///(middleware)/./node_modules/next/dist/esm/server/web/spec-extension/cookies/request-cookies.js:15:89)
    at new NextRequest (webpack-internal:///(middleware)/./node_modules/next/dist/esm/server/web/spec-extension/request.js:21:22)
    at new NextRequestHint (webpack-internal:///(middleware)/./node_modules/next/dist/esm/server/web/adapter.js:30:9)
    at adapter (webpack-internal:///(middleware)/./node_modules/next/dist/esm/server/web/adapter.js:84:21)
    at __WEBPACK_DEFAULT_EXPORT__ (webpack-internal:///(middleware)/./node_modules/next/dist/build/webpack/loaders/next-middleware-loader.js?absolutePagePath=%2FUsers%2Fbeni%2Frepos%2Ftest-cookie%2Fmiddleware.ts&page=%2Fmiddleware&rootDir=%2FUsers%2Fbeni%2Frepos%2Ftest-cookie&matchers=!:19:180)
    at <unknown> (file:///Users/beni/repos/test-cookie/node_modules/next/dist/server/web/sandbox/sandbox.js:73:30)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async DevServer.runMiddleware (file:///Users/beni/repos/test-cookie/node_modules/next/dist/server/next-server.js:1122:24)

Expected Behavior

Error should be handled by parseCookieString and thereby prevent the app from crashing.

Link to reproduction - Issues with a link to complete (but minimal) reproduction code will be addressed faster

No link

To Reproduce

  1. create new next project yarn create next-app --typescript
  2. create a middleware in the root folder.
// middleware.ts
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

// This function can be marked `async` if using `await` inside
export function middleware(request: NextRequest) {
	console.log("Hello from middleware");
	return NextResponse.redirect(new URL("/home", request.url));
}

// See "Matching Paths" below to learn more
export const config = {
	matcher: "/",
};
  3. run the app yarn dev
  4. add a cookie with an invalid char e.g. "%6F"
  5. visit "localhost:3000"

benji24290 added the bug label (Issue was opened via the bug report template.) on Nov 17, 2022
balazsorban44 added the kind: bug and Runtime labels on Nov 17, 2022
balazsorban44 self-assigned this on Nov 17, 2022
balazsorban44 added the Upstream label and removed the bug label on Nov 17, 2022

smonn commented Dec 2, 2022

Also encountering this, here is a repository reproducing the issue https://github.com/smonn/repro-nextjs-middleware-bug

WavyWalk commented

@balazsorban44 this problem still exists on next, if we have a middleware, and any cookie contains e.g. a%AFcasdw, it throws.

topaxi commented Feb 15, 2023

We are also encountering this issue, we get a lot of reports of this happening through Sentry.

piotrbienias-dna commented

Me and my team also had a problem regarding the cookie value decoding. According to the Set-Cookie documentation:

Encoding: Many implementations perform URL encoding on cookie values. However, this is not required by the RFC specification. The URL encoding does help to satisfy the requirements of the characters allowed for .

Taking the above into consideration, is it OK to automatically perform cookie value decoding in parseCookieString?

map.set(key, decodeURIComponent(value ?? 'true'))
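
The failure mode discussed in this thread, as an added example that is not part of the original issue and is not Next.js code: a Cookie header parser that keeps the raw value when decodeURIComponent throws, so one malformed cookie cannot abort the whole request, and that reports which cookies failed to decode. The names safeDecode and parseCookieHeader and the sample header are hypothetical.

```javascript
// Constructed sample header: one well-formed value, two values that make
// decodeURIComponent throw (a%AFcasdw is taken from the thread), one bare flag.
const SAMPLE_HEADER = "session=abc%20123; bad=a%AFcasdw; pct=100%; flag";

// Decode a percent-encoded value. Cookie values are not required to be
// URL-encoded, so an undecodable value is returned unchanged instead of throwing.
function safeDecode(raw) {
  try {
    return { value: decodeURIComponent(raw), ok: true };
  } catch (err) {
    if (err instanceof URIError) return { value: raw, ok: false };
    throw err; // anything else is a real bug, do not hide it
  }
}

// Parse a raw Cookie request header into a Map of name -> value, plus the
// list of cookie names whose values could not be decoded (useful for logging).
function parseCookieHeader(header) {
  const cookies = new Map();
  const malformed = [];
  for (const part of header.split(";")) {
    const pair = part.trim();
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq).trim();
    // A name without "=" gets the value 'true', like `value ?? 'true'` above.
    const raw = eq === -1 ? "true" : pair.slice(eq + 1).trim();
    if (name === "") continue;
    const { value, ok } = safeDecode(raw);
    if (!ok) malformed.push(name);
    cookies.set(name, value);
  }
  return { cookies, malformed };
}

const parsed = parseCookieHeader(SAMPLE_HEADER);
console.log([...parsed.cookies.entries()], "undecodable:", parsed.malformed);
```

Because cookies are client-controlled input, the undecodable names are returned rather than silently dropped, so the caller can log or reject them per its own policy.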

github-actions (bot) commented

This closed issue has been automatically locked because it had no new activity for a month. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 20, 2023