Add decodeURLPath function for URL decoding and validation

[conico974]

Implement a new function to decode URL path components, ensuring validation against invalid characters and limiting decoding iterations.

This will now error on path with too deeply nested percent encoding, which should reduces 404 for voluntarily bad URL.
It can also handle percent encoded character properly in the URL.

[linear]

RND-9222 Percent-encoding parts of URL leads to a 404

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2804f2f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

Summary of the deployments:

Version	URL	Status
Vercel	https://gitbook-v2-61ek1aciq-gitbook.vercel.app	✅
Cloudflare	https://da5705e9-gitbook-open-v2-preview.gitbook.workers.dev	✅

Test content

Site	2v	2c
GitBook	https://gitbook-v2-61ek1aciq-gitbook.vercel.app/url/gitbook.com/docs	https://da5705e9-gitbook-open-v2-preview.gitbook.workers.dev/url/gitbook.com/docs
E2E	https://gitbook-v2-61ek1aciq-gitbook.vercel.app/url/gitbook.gitbook.io/test-gitbook-open	https://da5705e9-gitbook-open-v2-preview.gitbook.workers.dev/url/gitbook.gitbook.io/test-gitbook-open

[argos-ci]

The latest updates on your projects. Learn more about Argos notifications ↗︎

Build	Status	Details	Updated (UTC)
customers-v2-cloudflare (Inspect)	✅ No changes detected	-	Mar 9, 2026, 3:18 PM
customers-v2-vercel (Inspect)	👍 Changes approved	2 changed	Mar 9, 2026, 3:17 PM
v2-cloudflare (Inspect)	👍 Changes approved	1 changed	Mar 9, 2026, 3:24 PM
v2-vercel (Inspect)	👍 Changes approved	3 changed	Mar 9, 2026, 3:22 PM

[Copilot]

Pull request overview

This PR introduces canonical URL-path decoding in the GitBook Next.js middleware to reduce duplicate URL variants (important for caching) while validating/limiting decoding to mitigate malformed input and potential DoS patterns.

Changes:

• Added decodeURLPath(URL) helper to decode percent-encoded path segments with a 2-pass limit and character validation.
• Updated middleware to redirect requests to the decoded/canonical URL when applicable.
• Added unit tests covering decoding behavior, nested encoding limits, invalid characters, and path-length bounds.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

File	Description
packages/gitbook/src/middleware.ts	Redirects to a decoded/canonical pathname early in the request pipeline.
packages/gitbook/src/lib/data/urls.ts	Implements decodeURLPath plus invalid-character detection and decoding-pass limits.
packages/gitbook/src/lib/data/urls.test.ts	Adds test coverage for the new decoding/validation behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.