fix(builtins): URL-encode query params and form body in HTTP builtin#1008
Merged
Closes #1001 — `build_url_with_query` and `build_form_body` concatenated values without URL-encoding, allowing parameter/field injection via special characters (`&`, `=`, `#`). Now uses `url::form_urlencoded::Serializer`.
Summary

- `build_url_with_query` and `build_form_body` now use `url::form_urlencoded::Serializer` for proper encoding
- `&`, `=`, `#` are properly encoded, preventing parameter/field injection

What & Why

Both functions concatenated user-supplied values without URL-encoding. A value like `foo&admin=true` would inject an additional parameter. Now uses the `url` crate's `form_urlencoded::Serializer` which handles all special characters per RFC.

Tests Added

- `test_query_param_injection_encoded` — verifies `&` in value doesn't inject params
- `test_query_param_normal_value` — happy path
- `test_form_body_injection_encoded` — verifies `&` in form value doesn't inject fields
- `test_form_body_normal_value` — happy path

Closes #1001
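The injection the PR describes, shown as an added example rather than the project's own code: the pre-fix concatenation beside a form-urlencoded serializer, with a parser standing in for the receiving server so the number of fields each version produces can be compared. To run without dependencies it reimplements the `application/x-www-form-urlencoded` rules (alphanumerics and `*-._` unencoded, space as `+`, everything else `%XX`) instead of pulling in the `url` crate, and the function names `build_url_with_query_unsafe` / `build_url_with_query_safe` / `build_form_body_safe` are assumptions modelled on the PR's names, not the builtin's actual signatures.

```rust
// Added example for this PR page; not the project's code and not the `url`
// crate. The encoder below mirrors form_urlencoded's rules so the effect of
// the fix can be observed stand-alone.
use std::fmt::Write;

/// Bytes form-urlencoding leaves as-is: ASCII alphanumerics and `*-._`.
fn is_unreserved(b: u8) -> bool {
    b.is_ascii_alphanumeric() || matches!(b, b'*' | b'-' | b'.' | b'_')
}

/// Encode one key or value: space -> `+`, other non-unreserved bytes -> `%XX`.
fn form_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for &b in s.as_bytes() {
        if is_unreserved(b) {
            out.push(b as char);
        } else if b == b' ' {
            out.push('+');
        } else {
            write!(out, "%{:02X}", b).unwrap();
        }
    }
    out
}

/// Reverse of `form_encode`; used here to model how a server reads the request.
fn form_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        let hex = if bytes[i] == b'%' && i + 2 < bytes.len() {
            std::str::from_utf8(&bytes[i + 1..i + 3]).ok().and_then(|h| u8::from_str_radix(h, 16).ok())
        } else {
            None
        };
        match (bytes[i], hex) {
            (b'+', _) => { out.push(b' '); i += 1; }
            (b'%', Some(v)) => { out.push(v); i += 3; }
            (b, _) => { out.push(b); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Serialize pairs the way form_urlencoded::Serializer does: each key and
/// value encoded separately, joined with `=` and `&`.
fn serialize_pairs(pairs: &[(&str, &str)]) -> String {
    pairs.iter()
        .map(|(k, v)| format!("{}={}", form_encode(k), form_encode(v)))
        .collect::<Vec<_>>()
        .join("&")
}

/// Pre-fix behaviour described in the PR (hypothetical name): raw concatenation.
fn build_url_with_query_unsafe(base: &str, pairs: &[(&str, &str)]) -> String {
    let q: Vec<String> = pairs.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
    format!("{}?{}", base, q.join("&"))
}

/// Fixed behaviour (hypothetical name): values encoded, so `&`/`=`/`#` in a
/// value can no longer terminate or split the query.
fn build_url_with_query_safe(base: &str, pairs: &[(&str, &str)]) -> String {
    format!("{}?{}", base, serialize_pairs(pairs))
}

/// Fixed form body (hypothetical name): same serializer, no leading `?`.
fn build_form_body_safe(pairs: &[(&str, &str)]) -> String {
    serialize_pairs(pairs)
}

/// Split a query string or form body into decoded pairs, as a server would.
fn parse_pairs(s: &str) -> Vec<(String, String)> {
    s.split('&')
        .filter(|p| !p.is_empty())
        .map(|p| {
            let (k, v) = p.split_once('=').unwrap_or((p, ""));
            (form_decode(k), form_decode(v))
        })
        .collect()
}

fn main() {
    // Constructed sample input: the value from the PR description.
    let pairs = [("name", "foo&admin=true")];
    let base = "https://example.test/api";
    println!("unsafe: {}", build_url_with_query_unsafe(base, &pairs));
    println!("safe:   {}", build_url_with_query_safe(base, &pairs));
    println!("body:   {}", build_form_body_safe(&pairs));
}
```

Running `main` shows the unsafe URL carrying a second `admin=true` parameter, while the safe URL and form body keep the whole string inside the single `name` field (`name=foo%26admin%3Dtrue`).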