diff --git a/tests/e2e/edge-middleware.test.ts b/tests/e2e/edge-middleware.test.ts
index daea8e5d25..68362a1a6b 100644
--- a/tests/e2e/edge-middleware.test.ts
+++ b/tests/e2e/edge-middleware.test.ts
@@ -216,3 +216,19 @@ test.describe('Middleware with i18n and excluded paths', () => {
 })
 })
 })
+
+test("requests with x-middleware-subrequest don't skip middleware (GHSA-f82v-jwr5-mffw)", async ({
+ middlewareSubrequestVuln,
+}) => {
+ const response = await fetch(`${middlewareSubrequestVuln.url}`, {
+ headers: {
+ 'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware',
+ },
+ })
+
+ // middleware was not skipped
+ expect(response.headers.get('x-test-used-middleware')).toBe('true')
+
+ // ensure we are testing version before the fix for self hosted
+ expect(response.headers.get('x-test-used-next-version')).toBe('15.2.2')
+})
diff --git a/tests/fixtures/middleware-subrequest-vuln/app/[[...wildcard]]/page.js b/tests/fixtures/middleware-subrequest-vuln/app/[[...wildcard]]/page.js
new file mode 100644
index 0000000000..301667dbf4
--- /dev/null
+++ b/tests/fixtures/middleware-subrequest-vuln/app/[[...wildcard]]/page.js
@@ -0,0 +1,7 @@
+export default function Home() {
+ return (
+
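Review bot: The closing assertion in the edge-middleware.test.ts hunk hardcodes `'15.2.2'`, a value that is also pinned in the fixture's package.json, so a future fixture bump fails this test with no hint that the two must move together; a comment above it should say why the pin is load-bearing, e.g. `// fixture is pinned to a Next release that predates the upstream fix, so this checks the runtime under test's own handling of the header rather than Next's`, or read the expected version from the fixture's package.json instead of a literal. The existing comment `// ensure we are testing version before the fix for self hosted` is hard to parse; `// ensure the fixture runs a Next version that predates the upstream fix (self-hosted path)` says the same thing more clearly. The fetch call wraps a plain string in a template literal; `const response = await fetch(middlewareSubrequestVuln.url, {` is enough.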
+

Hi

+
+ )
+}
diff --git a/tests/fixtures/middleware-subrequest-vuln/app/layout.js b/tests/fixtures/middleware-subrequest-vuln/app/layout.js
new file mode 100644
index 0000000000..6565e7bafd
--- /dev/null
+++ b/tests/fixtures/middleware-subrequest-vuln/app/layout.js
@@ -0,0 +1,12 @@
+export const metadata = {
+ title: 'Simple Next App',
+ description: 'Description for Simple Next App',
+}
+
+export default function RootLayout({ children }) {
+ return (
+
+ {children}
+
+ )
+}
diff --git a/tests/fixtures/middleware-subrequest-vuln/middleware.ts b/tests/fixtures/middleware-subrequest-vuln/middleware.ts
new file mode 100644
index 0000000000..c91447b69a
--- /dev/null
+++ b/tests/fixtures/middleware-subrequest-vuln/middleware.ts
@@ -0,0 +1,13 @@
+import { NextResponse } from 'next/server'
+import { NextRequest } from 'next/server'
+
+import packageJson from 'next/package.json'
+
+export async function middleware(request: NextRequest) {
+ const response = NextResponse.next()
+
+ response.headers.set('x-test-used-middleware', 'true')
+ response.headers.set('x-test-used-next-version', packageJson.version)
+
+ return response
+}
diff --git a/tests/fixtures/middleware-subrequest-vuln/next.config.js b/tests/fixtures/middleware-subrequest-vuln/next.config.js
new file mode 100644
index 0000000000..9d94510be1
--- /dev/null
+++ b/tests/fixtures/middleware-subrequest-vuln/next.config.js
@@ -0,0 +1,9 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+ output: 'standalone',
+ eslint: {
+ ignoreDuringBuilds: true,
+ },
+}
+
+module.exports = nextConfig
diff --git a/tests/fixtures/middleware-subrequest-vuln/package.json b/tests/fixtures/middleware-subrequest-vuln/package.json
new file mode 100644
index 0000000000..551b0e481b
--- /dev/null
+++ b/tests/fixtures/middleware-subrequest-vuln/package.json
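Review bot: In the middleware.ts hunk, `NextRequest` is only used as a type, so the two `from 'next/server'` imports can collapse into `import { NextResponse, type NextRequest } from 'next/server'`. `middleware` is declared `async` but awaits nothing, so either drop `async` or note in a comment that the fixture convention expects the async signature. The `x-test-used-next-version` header publishes the installed framework version to any client, which is fine as test instrumentation but not something to copy into real middleware; a one-line comment such as `// test-only instrumentation: exposes the installed Next version so the e2e test can assert the fixture's pin` would make that explicit.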
@@ -0,0 +1,20 @@
+{
+ "name": "middleware-subrequest-vuln",
+ "version": "0.1.0",
+ "private": true,
+ "scripts": {
+ "postinstall": "next build",
+ "dev": "next dev",
+ "build": "next build"
+ },
+ "dependencies": {
+ "next": "15.2.2",
+ "react": "18.2.0",
+ "react-dom": "18.2.0"
+ },
+ "test": {
+ "dependencies": {
+ "next": "15.2.2"
+ }
+ }
+}
diff --git a/tests/utils/create-e2e-fixture.ts b/tests/utils/create-e2e-fixture.ts
index 6da96f0448..b133e6bc25 100644
--- a/tests/utils/create-e2e-fixture.ts
+++ b/tests/utils/create-e2e-fixture.ts
@@ -333,6 +333,7 @@ export const fixtureFactories = {
 pnpm: () => createE2EFixture('pnpm', { packageManger: 'pnpm' }),
 bun: () => createE2EFixture('simple', { packageManger: 'bun' }),
 middleware: () => createE2EFixture('middleware'),
+ middlewareSubrequestVuln: () => createE2EFixture('middleware-subrequest-vuln'),
 middlewareI18nExcludedPaths: () => createE2EFixture('middleware-i18n-excluded-paths'),
 middlewareOg: () => createE2EFixture('middleware-og'),
 middlewarePages: () => createE2EFixture('middleware-pages'),