Adding a double slash to the URL causes a crash - using up my Serverless Function quota

Problem: Adding a double slash to the URL causes a crash
Next version: 15.3.2
Example: https://nextjs-platform-starter.netlify.app//revalidation
Error Messages:

Application error: a client-side exception has occurred while loading nextjs-platform-starter.netlify.app (see the browser console for more information).

I’m having a problem with Netlify & Next.js. Adding a double slash at the domain root causes a crash.

Sites hosted on Vercel don’t exhibit this double-slash crash.

This may be a Next.js issue rather than a Netlify one; however, the knock-on effect of this is causing a secondary issue with Netlify.

Secondary issue

I have a lot of spam hitting a non-existent, double-slashed path on my site. This spam is using up all of my Serverless Function quota.

I’m trying to set up a 404 redirect to send the spam to a static 404 page. However, I believe this double slash bug is inadvertently causing the homepage of my site to be redirected to the 404 page, as well as the spam path. All other pages, except the homepage, function normally.

Example netlify.toml:

[build]
command = "npm run build"
publish = ".next"

# Send spam to 404 - note the double slashed path
[[redirects]]
from = "//bad/path"
to = "/__404.html"
status = 404

Many of the spam hits are coming from Singapore so I will attempt to block that region but many are also coming from the USA which I don’t want to block.

Is there any other way to block or redirect the double-slashed URLs before they invoke a serverless function?

Potentially relevant issue?: Multiple trailing slashes issue for site root

Given that this has almost completely used up my Serverless Function quota I’d rather not post the URL publicly and get billed $25 for overage charges! Happy to PM the URL to anyone that needs to see it though.

Have you downloaded our User Agent Blocker extension to block unwanted bot traffic?

In our project we have a similar issue, and it appears specifically on Netlify. Running the application in dev or prod mode locally works fine. We have Netlify Agent Blocker enabled.
In our Next.js application middleware we have logic to handle multiple / and replace them with a single /, but it’s not working on Netlify.

Thanks sid, I’ll test the UA blocker but I don’t think it’s coming from AI bots or crawlers. It’s malicious traffic looking for vulnerabilities:

  • /xmlrpc.php
  • /.git/config
  • //blog//wp-json/oembed/1.0/embed
  • //xmlrpc.php
  • /.env
  • /admin.php
  • etc.

In which case they are presumably spoofing their UA anyway.

If anyone else has a problem redirecting double-slashed URLs, I managed to work around it by completely ignoring it in the redirect rules:

So a rule of:

# netlify.toml

[[redirects]]
from = "/blog/wp-login.php"
to = "/__404.html"
status = 404

seems to work for:

  • /blog/wp-login.php
  • //blog/wp-login.php
  • //blog//wp-login.php

This in turn has cut my “Next.js Server Handler” function invocations to normal levels.
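The workaround above, applied to a whole list of probe paths, as an added example that is not part of the original thread: it collapses repeated slashes, counts hits per path, and prints `[[redirects]]` blocks in the same shape as the rule above. The sample paths, `REAL_ROUTES` and all function names are assumptions; real routes (including `/`, which `//` collapses to) are never turned into rules.

```javascript
// Added example: constructed sample data, hypothetical helper names.
// Request paths as they might appear in a traffic log (constructed).
const SAMPLE_PATHS = [
  "//xmlrpc.php",
  "/xmlrpc.php",
  "//blog//wp-json/oembed/1.0/embed",
  "//blog/wp-login.php",
  "//blog//wp-login.php?action=register",
  "/.env",
  "//",            // collapses to "/", the homepage
  "/revalidation", // a real route
  "/wp-content/*", // would act as a wildcard rule
];

// Assumed list of routes the site really serves; never redirect these.
const REAL_ROUTES = new Set(["/", "/revalidation"]);

// Drop query/fragment, collapse slash runs, strip a trailing slash.
function normalizePath(raw) {
  const path = raw.split(/[?#]/, 1)[0];
  const collapsed = ("/" + path).replace(/\/{2,}/g, "/");
  return collapsed.length > 1 ? collapsed.replace(/\/$/, "") : collapsed;
}

// Count hits per normalized path, skipping real routes and paths whose
// characters Netlify would treat as a splat (*) or placeholder (:name).
function probeCounts(paths, realRoutes) {
  const counts = new Map();
  for (const raw of paths) {
    const p = normalizePath(raw);
    if (realRoutes.has(p) || /[*:]/.test(p)) continue;
    counts.set(p, (counts.get(p) || 0) + 1);
  }
  return counts;
}

// Emit one [[redirects]] block per probe path, busiest first.
function toRedirectRules(counts, target = "/__404.html") {
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1))
    .map(([from, hits]) =>
      [`# ${hits} hit(s)`, "[[redirects]]", `from = ${JSON.stringify(from)}`,
       `to = ${JSON.stringify(target)}`, "status = 404"].join("\n"))
    .join("\n\n");
}

console.log(toRedirectRules(probeCounts(SAMPLE_PATHS, REAL_ROUTES)));
```

Review the printed rules before pasting them into netlify.toml, and keep `REAL_ROUTES` in sync with the site's actual pages.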

Thanks so much for sharing your solution here! I’m glad to hear that resolved the issue. If anything else comes up, please feel free to reach back out.