fix: add explicit checks for RSC header (#83) (#98)

(cherry picked from commit 807e363b13cc9395aa74f75122d1d16b4a46dc1a)

Author: ztanner

packages/next/src/build/templates/app-page.ts

@@ -29,6 +29,7 @@ import {
   NodeNextResponse,
 } from '../../server/base-http/node' with { 'turbopack-transition': 'next-server-utility' }
 import { checkIsAppPPREnabled } from '../../server/lib/experimental/ppr' with { 'turbopack-transition': 'next-server-utility' }
+import { isRSCRequestHeader } from '../../server/lib/is-rsc-request' with { 'turbopack-transition': 'next-server-utility' }
 import {
   getFallbackRouteParams,
   getPlaceholderFallbackRouteParams,
@@ -292,7 +293,8 @@ export async function handler(
   // NOTE: Don't delete headers[RSC] yet, it still needs to be used in renderToHTML later
 
   const isRSCRequest =
-    getRequestMeta(req, 'isRSCRequest') ?? Boolean(req.headers[RSC_HEADER])
+    getRequestMeta(req, 'isRSCRequest') ??
+    isRSCRequestHeader(req.headers[RSC_HEADER])
 
   const isPossibleServerAction = getIsPossibleServerAction(req)
 
@@ -424,7 +426,7 @@ export async function handler(
   const isInstantNavigationTest =
     exposeTestingApi &&
     (req.headers[NEXT_INSTANT_PREFETCH_HEADER] === '1' ||
-      (req.headers[RSC_HEADER] === undefined &&
+      (!isRSCRequestHeader(req.headers[RSC_HEADER]) &&
         typeof req.headers.cookie === 'string' &&
         req.headers.cookie.includes(NEXT_INSTANT_TEST_COOKIE + '=')))
 

packages/next/src/server/app-render/app-render.tsx

@@ -71,6 +71,7 @@ import {
 } from '../../client/components/app-router-headers'
 import { createMetadataContext } from '../../lib/metadata/metadata-context'
 import { createRequestStoreForRender } from '../async-storage/request-store'
+import { isRSCRequestHeader } from '../lib/is-rsc-request'
 import { createWorkStore } from '../async-storage/work-store'
 import {
   getAccessFallbackErrorTypeByStatus,
@@ -379,7 +380,7 @@ function parseRequestHeaders(
 
   const isHmrRefresh = headers[NEXT_HMR_REFRESH_HEADER] !== undefined
 
-  const isRSCRequest = headers[RSC_HEADER] !== undefined
+  const isRSCRequest = isRSCRequestHeader(headers[RSC_HEADER])
 
   const shouldProvideFlightRouterState =
     isRSCRequest && (!isPrefetchRequest || !options.isRoutePPREnabled)

packages/next/src/server/base-server.ts

@@ -48,6 +48,7 @@ import type { InstrumentationModule } from './instrumentation/types'
 import * as path from 'path'
 import { format as formatUrl } from 'url'
 import { formatHostname } from './lib/format-hostname'
+import { isRSCRequestHeader } from './lib/is-rsc-request'
 import {
   APP_PATHS_MANIFEST,
   NEXT_BUILTIN_DOCUMENT,
@@ -656,7 +657,7 @@ export default abstract class Server<
       stripFlightHeaders(req.headers)
 
       return false
-    } else if (req.headers[RSC_HEADER] === '1') {
+    } else if (isRSCRequestHeader(req.headers[RSC_HEADER])) {
       addRequestMeta(req, 'isRSCRequest', true)
 
       if (req.headers[NEXT_ROUTER_PREFETCH_HEADER] === '1') {
@@ -2231,7 +2232,7 @@ export default abstract class Server<
     // even during a locked scope, with blocking happening on the client side.
     const hasInstantTestCookie =
       exposeTestingApi &&
-      req.headers[RSC_HEADER] === undefined &&
+      !isRSCRequestHeader(req.headers[RSC_HEADER]) &&
       typeof req.headers.cookie === 'string' &&
       req.headers.cookie.includes(NEXT_INSTANT_TEST_COOKIE + '=') &&
       couldSupportPPR

packages/next/src/server/lib/is-rsc-request.test.ts

@@ -0,0 +1,18 @@
+import { isRSCRequestHeader } from './is-rsc-request'
+
+describe('isRSCRequestHeader', () => {
+  it('returns true for the canonical RSC header value', () => {
+    expect(isRSCRequestHeader('1')).toBe(true)
+  })
+
+  it('returns false for invalid or missing values', () => {
+    expect(isRSCRequestHeader('0')).toBe(false)
+    expect(isRSCRequestHeader(undefined)).toBe(false)
+    expect(isRSCRequestHeader(null)).toBe(false)
+  })
+
+  it('returns false for repeated header values', () => {
+    expect(isRSCRequestHeader(['1'])).toBe(false)
+    expect(isRSCRequestHeader(['1', '1'])).toBe(false)
+  })
+})

packages/next/src/server/lib/is-rsc-request.ts

@@ -0,0 +1,9 @@
+/**
+ * Normalizes the raw RSC header value. Only the literal string "1" is treated
+ * as a valid RSC request marker; malformed or repeated values are ignored.
+ */
+export function isRSCRequestHeader(
+  value: string | string[] | null | undefined
+): boolean {
+  return value === '1'
+}

packages/next/src/server/lib/router-utils/resolve-routes.ts

@@ -33,6 +33,7 @@ import { NextDataPathnameNormalizer } from '../../normalizers/request/next-data'
 import { BasePathPathnameNormalizer } from '../../normalizers/request/base-path'
 
 import { addRequestMeta } from '../../request-meta'
+import { isRSCRequestHeader } from '../is-rsc-request'
 import {
   compileNonPath,
   matchHas,
@@ -871,7 +872,7 @@ export function getResolveRoutes(
 
           // Set the rewrite headers only if this is a RSC request.
           if (
-            req.headers[RSC_HEADER] === '1' &&
+            isRSCRequestHeader(req.headers[RSC_HEADER]) &&
             (!parsedDestination.origin || isAllowedOrigin)
           ) {
             // We set the rewritten path and query headers on the response now

packages/next/src/server/web/adapter.ts

@@ -35,6 +35,7 @@ import { CloseController } from './web-on-close'
 import { getEdgePreviewProps } from './get-edge-preview-props'
 import { getBuiltinRequestContext } from '../after/builtin-request-context'
 import { getImplicitTags } from '../lib/implicit-tags'
+import { isRSCRequestHeader } from '../lib/is-rsc-request'
 import { setRequestMeta } from '../request-meta'
 
 export class NextRequestHint extends NextRequest {
@@ -151,7 +152,7 @@ export async function adapter(
 
   const requestHeaders = fromNodeOutgoingHttpHeaders(params.request.headers)
   const isNextDataRequest = requestHeaders.has('x-nextjs-data')
-  const isRSCRequest = requestHeaders.get(RSC_HEADER) === '1'
+  const isRSCRequest = isRSCRequestHeader(requestHeaders.get(RSC_HEADER))
 
   if (isNextDataRequest && requestURL.pathname === '/index') {
     requestURL.pathname = '/'

test/e2e/app-dir/segment-cache/cdn-cache-busting/cdn-cache-busting.test.ts

@@ -103,6 +103,31 @@ describe('segment cache (CDN cache busting)', () => {
     }
   )
 
+  it('ignores invalid RSC header values when serving a document request', async () => {
+    const url = new URL(`http://localhost:${port}/target-page`)
+    url.searchParams.set('test', 'invalid-rsc-header')
+
+    const invalidHeaderRes = await fetch(url, {
+      headers: {
+        rsc: '0',
+      },
+    })
+
+    expect(invalidHeaderRes.status).toBe(200)
+    expect(invalidHeaderRes.headers.get('content-type')).toContain('text/html')
+    expect(await invalidHeaderRes.text()).toContain(
+      '<div id="target-page">Target page</div>'
+    )
+
+    const htmlRes = await fetch(url)
+
+    expect(htmlRes.status).toBe(200)
+    expect(htmlRes.headers.get('content-type')).toContain('text/html')
+    expect(await htmlRes.text()).toContain(
+      '<div id="target-page">Target page</div>'
+    )
+  })
+
   it(
     'perform fully prefetched navigation when a third-party proxy ' +
       'performs a redirect',