fix: guard decodeURIComponent against malformed percent-encoding in browser relay #11880

Closed
Yida-Dev wants to merge 1 commit into openclaw:main from Yida-Dev:fix/extension-relay-decode-uri

@Yida-Dev commented Feb 8, 2026

Summary

  • decodeURIComponent throws URIError on malformed percent-encoded input (e.g. %E0%A4%A)
  • In extension-relay.ts, decodeURIComponent is called inside a bare createServer request handler with no surrounding try-catch — a crafted URL like /json/activate/%E0%A4%A crashes the HTTP server
  • In dispatcher.ts, decodeURIComponent is called before the route handler's try-catch block (line 108), so the error propagates as an unhandled rejection
  • Wraps all three callsites in try-catch blocks that return appropriate 400 error responses

Test plan

  • All 169 browser tests pass (28 test files)
  • Minimal change — only adds error handling around existing decodeURIComponent calls

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

Greptile Overview

Greptile Summary

This PR hardens the browser-side routing/relay code against decodeURIComponent throwing URIError on malformed percent-encoded path segments.

  • In src/browser/extension-relay.ts, the /json/activate/:id and /json/close/:id handlers now wrap decodeURIComponent(...) in a try/catch and return an HTTP 400 with a clear error message instead of letting a crafted URL crash the HTTP server.
  • In src/browser/routes/dispatcher.ts, route param decoding is now guarded similarly; malformed path parameters return a { status: 400, body: { error: ... } } response before the route handler runs.

These changes fit cleanly into the existing request/dispatch flow and are localized to the existing decode callsites.

Confidence Score: 5/5

  • This PR appears safe to merge with minimal risk.
  • Changes are tightly scoped to guarding decodeURIComponent callsites with try/catch and returning 400s on invalid percent-encoding; no control-flow regressions were found in the edited handlers/dispatcher path and behavior is consistent with existing response patterns.
  • No files require special attention

decodeURIComponent throws URIError on malformed percent-encoded input
(e.g. %E0%A4%A). In extension-relay.ts, this happens inside a bare
HTTP request handler with no surrounding try-catch, causing the server
to crash. In dispatcher.ts, the call is before the route handler's
try-catch block, so the error propagates as an unhandled rejection.

Wrap all three callsites in try-catch blocks that return 400 responses
for invalid input, preventing server crashes from crafted URLs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
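The failure mode and the guard described in the PR summary, shown as an added example. This is not the openclaw code: `safeDecodeParam`, `routeRelay`, `unguardedWouldThrow` and the target table are hypothetical names and constructed data, and the handler is modelled as a pure function so the result can be checked without a live server.

```javascript
// Added illustration, not the openclaw source; helper names are hypothetical.

// Decode one path segment. Returns null for malformed percent-encoding
// instead of letting URIError escape into the request handler.
function safeDecodeParam(raw) {
  try {
    return decodeURIComponent(raw);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err; // anything else is a real bug, do not swallow it
  }
}

// Pure model of the /json/activate/:id and /json/close/:id handlers.
// `targets` is a Set of known target ids (constructed sample data).
function routeRelay(pathname, targets) {
  const m = /^\/json\/(activate|close)\/([^/]+)$/.exec(pathname);
  if (!m) return { status: 404, body: { error: "not found" } };
  const id = safeDecodeParam(m[2]); // decode only after the route has matched
  if (id === null) {
    return { status: 400, body: { error: "invalid percent-encoding in target id" } };
  }
  if (!targets.has(id)) return { status: 404, body: { error: "unknown target" } };
  return { status: 200, body: { action: m[1], id } };
}

// The pre-fix shape: decode with no guard. Reports whether the call would
// have thrown a URIError out of the handler.
function unguardedWouldThrow(rawSegment) {
  try {
    decodeURIComponent(rawSegment);
    return false;
  } catch (err) {
    return err instanceof URIError;
  }
}

// Constructed sample requests: the truncated UTF-8 sequence from the PR,
// a lone "%", a non-hex escape, a valid multi-byte id, and a plain id.
const SAMPLE_TARGETS = new Set(["tab-1", "\u0924"]);
const SAMPLE_PATHS = [
  "/json/activate/%E0%A4%A", "/json/close/%", "/json/close/%ZZ",
  "/json/activate/%E0%A4%A4", "/json/close/tab-1",
];

function runSamples() {
  return SAMPLE_PATHS.map((p) => routeRelay(p, SAMPLE_TARGETS).status);
}
```

Because the segment is decoded only after the route pattern has matched, an encoded slash such as `%2F` ends up inside the id and is rejected by the target lookup rather than changing which route is selected.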
@openclaw-barnacle

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

@openclaw-barnacle bot added and removed the stale label (Marked as stale due to inactivity) Feb 21, 2026
steipete added a commit that referenced this pull request Feb 26, 2026
Guard malformed percent-encoding in relay target routes and browser dispatcher params, add regression tests, and update changelog.
Landed from contributor @Yida-Dev (PR #11880).

Co-authored-by: Yida-Dev <reyifeijun@gmail.com>
@steipete

Landed on main via 79659b2b1.

What landed:

SHA mapping:

  • original PR commit: b3771e37e7aa14648724695dbd699aabdf01ba21
  • landed commit: 79659b2b1

Thanks for the fix, @Yida-Dev.

@steipete steipete closed this Feb 26, 2026