Skip to content

fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths#21645

Merged
logaretm merged 1 commit into
developfrom
fix/http-instrumentation-double-slash-path-crash
Jun 18, 2026
Merged

fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths#21645
logaretm merged 1 commit into
developfrom
fix/http-instrumentation-double-slash-path-crash

Conversation

@logaretm

@logaretm logaretm commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown
Member

Ensures protocol relative URLs are safe to parse (e.g: s3 URLs), shouldn't change any existing behaviors.

closes #21627

@logaretm logaretm requested review from a team, JPeer264, andreiborza and mydea and removed request for a team and mydea June 18, 2026 18:31
@logaretm @claude
fix(core): Prevent outgoing HTTP instrumentation from crashing on `//…
104200d 
…` request paths

The outgoing-request instrumentation builds a URL from the request path via
`new URL(path, base)`. A path starting with `//` (valid for e.g. S3 object keys
like `//Trust scores/test.html`) is parsed as a protocol-relative reference,
discarding the request origin and treating the path as the authority — which
throws `TypeError: Invalid URL` for authorities the parser rejects.

Because this runs synchronously inside `diagnostics_channel.publish()` during the
`ClientRequest` constructor, the throw becomes an uncaught exception that crashes
the host process (crash-looping in the reported case).

Resolve `//`-prefixed paths against the request origin as absolute paths so they
produce the correct URL, and wrap `getRequestUrl` in a try/catch returning `''`
so the instrumentation can never take down the application.

Fixes #21627

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@logaretm logaretm force-pushed the fix/http-instrumentation-double-slash-path-crash branch from ea3781d to 104200d Compare June 18, 2026 18:33
@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

size-limit report 📦

Path Size % Change Change
@sentry/browser 27.45 kB - -
@sentry/browser - with treeshaking flags 25.88 kB - -
@sentry/browser (incl. Tracing) 45.89 kB - -
@sentry/browser (incl. Tracing + Span Streaming) 48.12 kB - -
@sentry/browser (incl. Tracing, Profiling) 50.67 kB - -
@sentry/browser (incl. Tracing, Replay) 85.08 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 74.69 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 89.78 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 102.45 kB - -
@sentry/browser (incl. Feedback) 44.62 kB - -
@sentry/browser (incl. sendFeedback) 32.25 kB - -
@sentry/browser (incl. FeedbackAsync) 37.38 kB - -
@sentry/browser (incl. Metrics) 28.52 kB - -
@sentry/browser (incl. Logs) 28.76 kB - -
@sentry/browser (incl. Metrics & Logs) 29.45 kB - -
@sentry/react 29.25 kB - -
@sentry/react (incl. Tracing) 48.18 kB - -
@sentry/vue 32.56 kB - -
@sentry/vue (incl. Tracing) 47.76 kB - -
@sentry/svelte 27.48 kB - -
CDN Bundle 29.86 kB - -
CDN Bundle (incl. Tracing) 48.3 kB - -
CDN Bundle (incl. Logs, Metrics) 31.4 kB - -
CDN Bundle (incl. Tracing, Logs, Metrics) 49.59 kB - -
CDN Bundle (incl. Replay, Logs, Metrics) 70.71 kB - -
CDN Bundle (incl. Tracing, Replay) 85.62 kB - -
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) 86.88 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) 91.46 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) 92.72 kB - -
CDN Bundle - uncompressed 88.8 kB - -
CDN Bundle (incl. Tracing) - uncompressed 146.09 kB - -
CDN Bundle (incl. Logs, Metrics) - uncompressed 93.5 kB - -
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed 150.06 kB - -
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 218.33 kB - -
CDN Bundle (incl. Tracing, Replay) - uncompressed 264.95 kB - -
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed 268.91 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 278.65 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed 282.6 kB - -
@sentry/nextjs (client) 50.58 kB - -
@sentry/sveltekit (client) 46.27 kB - -
@sentry/core/server 76.19 kB +0.04% +26 B 🔺
@sentry/core/browser 63.31 kB - -
@sentry/node-core 61.89 kB +0.03% +18 B 🔺
@sentry/node 124.66 kB +0.02% +16 B 🔺
@sentry/node/import (ESM hook with diagnostics-channel injection) 70.05 kB - -
@sentry/node/light 50.94 kB +0.04% +16 B 🔺
@sentry/node - without tracing 74.25 kB +0.03% +18 B 🔺
@sentry/aws-serverless 85.36 kB +0.02% +14 B 🔺
@sentry/cloudflare (withSentry) - minified 174.48 kB - -
@sentry/cloudflare (withSentry) 436.55 kB - -

View base workflow run

@logaretm logaretm merged commit 9390bc7 into develop Jun 18, 2026
795 of 804 checks passed
@logaretm logaretm deleted the fix/http-instrumentation-double-slash-path-crash branch June 18, 2026 20:36
@logaretm logaretm mentioned this pull request Jun 18, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andreiborza andreiborza andreiborza approved these changes

@JPeer264 JPeer264 Awaiting requested review from JPeer264 JPeer264 was automatically assigned from getsentry/team-javascript-sdks-server

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Outgoing HTTP instrumentation crashes the process with "TypeError: Invalid URL" when a request path starts with //

2 participants

@logaretm @andreiborza