fix: better handler malformed paths #7612

Open
wants to merge 3 commits into
base: main

@Cherry Cherry commented Dec 22, 2024

Fixes #7611

This more gracefully handles malformed URLs and simply throws a 404 on them instead of the entire Worker throwing an exception.


  • Tests
    • TODO (before merge)
    • Tests included
    • Tests not necessary because:
  • E2E Tests CI Job required? (Use "e2e" label or ask maintainer to run separately)
    • I don't know
    • Required
    • Not required because:
  • Public documentation
    • TODO (before merge)
    • Cloudflare docs PR(s):
    • Documentation not necessary because:

@Cherry Cherry requested review from a team as code owners December 22, 2024 15:30

changeset-bot bot commented Dec 22, 2024

🦋 Changeset detected

Latest commit: 672c33b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@cloudflare/workers-shared Patch


@Cherry Cherry force-pushed the fix/assets-path-decode branch from 277b462 to 48fdec6 Compare December 22, 2024 17:04

github-actions bot commented Dec 22, 2024

A wrangler prerelease is available for testing. You can install this latest build in your project with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-wrangler-7612

You can reference the automatically updated head of this PR with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/7612/npm-package-wrangler-7612

Or you can use npx with this latest build directly:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-wrangler-7612 dev path/to/script.js
Additional artifacts:
wget https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-bindings-extension-7612 -O ./cloudflare-workers-bindings-extension.0.0.0-v7d18629c4.vsix && code --install-extension ./cloudflare-workers-bindings-extension.0.0.0-v7d18629c4.vsix
npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-create-cloudflare-7612 --no-auto-update
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-kv-asset-handler-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-miniflare-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-pages-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-unenv-preset-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-vitest-pool-workers-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-editor-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workers-shared-7612
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/12521566264/npm-package-cloudflare-workflows-shared-7612

Note that these links will no longer work once the GitHub Actions artifact expires.


[email protected] includes the following runtime dependencies:

Package Constraint Resolved
miniflare workspace:* 3.20241218.0
workerd 1.20241218.0 1.20241218.0
workerd --version 1.20241218.0 2024-12-18

Please ensure constraints are pinned, and miniflare/workerd minor versions match.

@petebacondarwin petebacondarwin left a comment

I am not sure how this can happen in practice - i.e. whether it is possible to access a real asset via a malformed URL segment.

But I feel like we should just be passing through these invalid segments rather than 404ing.
So instead of this fix we just change decodePath() so that it is resilient there: catching the error for each segment and just returning the original string instead of the decoded one.

If there is no such asset, then it would still 404 but at least we are not potentially hiding a real asset.

Cherry commented Dec 23, 2024

Good call, that makes sense, thanks Pete. I've updated the changes and tests to account for this more gracefully.

.map((x) => {
let encoded;
try {
encoded = encodeURIComponent(x);
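
Review bot: in the `.map` callback, `encoded` is declared with `let` and no initial value and is only assigned inside the `try`, so the `catch` branch needs to assign a fallback (for example the original segment `x`) or the callback can return `undefined` for that segment. A short comment naming the kind of input that makes `encodeURIComponent` throw would also help, since wrapping it looks redundant at first read.
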
Contributor

Can encodeURIComponent actually throw?

Contributor Author

If given something like a lone surrogate, yes:

encodeURIComponent("\uD800")

How likely/possible is this to happen in a URL? Probably not, but I felt like it couldn't hurt to wrap both.

@Cherry Cherry force-pushed the fix/assets-path-decode branch from 91f2dca to 672c33b Compare December 27, 2024 23:04
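
The per-segment fallback suggested in the review, together with the lone-surrogate case raised in the thread, as an added example that is not code from this PR or from workers-sdk. The function names and sample paths are constructed for illustration:

```javascript
// Added illustration; not the workers-sdk implementation.
// naiveNormalizePath, normalizeSegment and normalizePath are hypothetical names.

// Baseline: one malformed segment aborts the whole request with URIError.
function naiveNormalizePath(pathname) {
  return pathname
    .split("/")
    .map((segment) => encodeURIComponent(decodeURIComponent(segment)))
    .join("/");
}

// Resilient form: each segment is handled on its own, and a segment that
// cannot be decoded or re-encoded is passed through unchanged.
function normalizeSegment(raw) {
  let decoded;
  try {
    decoded = decodeURIComponent(raw); // throws on "%", "%E0%A4%A", ...
  } catch {
    return raw;
  }
  try {
    return encodeURIComponent(decoded); // throws on a lone surrogate
  } catch {
    return raw;
  }
}

function normalizePath(pathname) {
  return pathname.split("/").map(normalizeSegment).join("/");
}

// Constructed sample paths: [input, expected output].
const samples = [
  ["/docs/a b.html", "/docs/a%20b.html"], // unencoded space gets encoded
  ["/docs/a%20b.html", "/docs/a%20b.html"], // valid escape round-trips
  ["/docs/%E0%A4%A/x", "/docs/%E0%A4%A/x"], // truncated UTF-8 escape
  ["/docs/100%/x", "/docs/100%/x"], // bare percent sign
  ["/docs/\uD800/x", "/docs/\uD800/x"], // lone surrogate
];

for (const [input, expected] of samples) {
  const got = normalizePath(input);
  console.log(JSON.stringify(input), "->", JSON.stringify(got), got === expected);
}
```

Because a bad segment is passed through rather than rejected, the asset lookup still decides the outcome: the request returns a 404 only when no asset matches the path.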
Projects
Status: Approved
Development

Successfully merging this pull request may close these issues.

URI malformed error with Workers Assets and malformed paths