[Flight Reply] Early bailout if backing entry for Blob deserialization is not a Blob (facebook#36055)

Co-authored-by: Hendrik Liebau <mail@hendrik-liebau.de>

Author: eps1lon

packages/react-server-dom-webpack/src/__tests__/ReactFlightDOMReply-test.js

@@ -744,4 +744,17 @@ describe('ReactFlightDOMReply', () => {
     // has closed but that's a bug in both ReactFlightReplyServer and ReactFlightClient.
     // It just halts in this case.
   });
+
+  it('cannot deserialize a Blob reference backed by a string', async () => {
+    const formData = new FormData();
+    formData.set('1', '-'.repeat(50000));
+    formData.set('0', JSON.stringify(['$B1']));
+    let error;
+    try {
+      await ReactServerDOMServer.decodeReply(formData, webpackServerMap);
+    } catch (x) {
+      error = x;
+    }
+    expect(error.message).toContain('Referenced Blob is not a Blob.');
+  });
 });

packages/react-server/src/ReactFlightReplyServer.js

@@ -1806,7 +1806,10 @@ function parseModelString(
         const blobKey = prefix + id;
         // We should have this backingEntry in the store already because we emitted
         // it before referencing it. It should be a Blob.
-        const backingEntry: Blob = (response._formData.get(blobKey): any);
+        const backingEntry = response._formData.get(blobKey);
+        if (!(backingEntry instanceof Blob)) {
+          throw new Error('Referenced Blob is not a Blob.');
+        }
         return backingEntry;
       }
       case 'R': {

scripts/error-codes/codes.json

@@ -566,5 +566,6 @@
   "578": "Already initialized Iterator.",
   "579": "Invalid data for bytes stream.",
   "580": "Server Function has too many bound arguments. Received %s but the limit is %s.",
-  "581": "BigInt is too large. Received %s digits but the limit is %s."
+  "581": "BigInt is too large. Received %s digits but the limit is %s.",
+  "582": "Referenced Blob is not a Blob."
 }