PathParams url encode/decode #2070

Open
jaycsantos opened this issue Oct 9, 2024 · 0 comments

We have encountered issues with unsafe URL path parameters that require URL encoding and decoding. Unfortunately, the auto_route library complicates this process. Here are the findings from our investigation:

By default, path parameters are not URL encoded or configured for encoding. Even when I manually encode the path parameters, it fails to work properly; they are consistently URL decoded, often inappropriately.

At line 134, the path should be split before decoding. The decoded segments should be used solely as values for path parameters, rather than influencing the RouteMatch. Currently, the URL path is always converted to its URL-decoded version, which is incorrect. According to RFC 3986, section 2.2, URL-decoded characters should not be treated as their reserved equivalents.

```dart
RouteMatch? matchByPath(Uri uri, AutoRoute config, {String? redirectedFrom}) {
  var parts = _split(config.path);
  var segments = _split(Uri.decodeComponent(uri.path));
  if (parts.length > segments.length) {
    return null;
  }
  if (config.fullMatch &&
      segments.length > parts.length &&
      (parts.isEmpty || parts.last != '*')) {
    return null;
  }
  var pathParams = <String, String>{};
  for (var index = 0; index < parts.length; index++) {
    var segment = segments[index];
    var part = parts[index];
    if (part.startsWith(':')) {
      pathParams[part.substring(1)] = segment;
    } else if (segment != part && part != "*") {
      return null;
    }
  }
  var extractedSegments = segments.sublist(0, parts.length);
  if (parts.isNotEmpty && parts.last == "*") {
    extractedSegments = segments;
  }
  final stringMatch = p.joinAll(extractedSegments);
  return RouteMatch(
    config: config,
    key: ValueKey(config.usesPathAsKey ? stringMatch : config.name),
    stringMatch: stringMatch,
    segments: extractedSegments,
    redirectedFrom: redirectedFrom,
    pathParams: Parameters(pathParams),
    queryParams: Parameters(_normalizeSingleValues(uri.queryParametersAll)),
    fragment: uri.fragment,
  );
}
```

Additionally, UrlState is also consistently URL decoded, as seen here:

```dart
String get url => Uri.decodeFull(uri.toString());
```

The only instance where URL encoding occurs is in auto_router_delegate.dart, and only for deep links:

```dart
final matchedPath = Uri.encodeFull(matchedUrlState.path);
```

It would be better if path/query params were URL encoded by default or by config when navigating using PageRouteInfo. Then the param maps are stored raw (non-encoded). When parsing/matching URLs, only the path params map is URL decoded.

Hopefully this would be fixed soon. I'd make a PR but it'll take time, especially to test & validate.
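
The ordering problem described in the issue, as an added example that is not part of the original post and is not auto_route's code: a simplified full-match matcher run in both orders against a constructed URI whose parameter value contains an encoded `/`. The names `split`, `matchDecodeFirst`, `matchSplitFirst` and `_match` are hypothetical; decoding first changes the segment count, while splitting first keeps the value as a single parameter.

```dart
// Added example (not auto_route code): compare decode-then-split with
// split-then-decode for a route pattern such as '/files/:name'.

List<String> split(String path) =>
    path.split('/').where((s) => s.isNotEmpty).toList();

/// Same order as the snippet quoted in the issue: decode the whole path,
/// then split it, so an encoded '/' becomes a real segment separator.
Map<String, String>? matchDecodeFirst(String pattern, Uri uri) =>
    _match(split(pattern), split(Uri.decodeComponent(uri.path)),
        decodeParams: false);

/// Order proposed in the issue: split the raw path, then decode only the
/// values captured as path parameters.
Map<String, String>? matchSplitFirst(String pattern, Uri uri) =>
    _match(split(pattern), split(uri.path), decodeParams: true);

Map<String, String>? _match(List<String> parts, List<String> segments,
    {required bool decodeParams}) {
  // Full match only, for brevity: segment counts must agree.
  if (parts.length != segments.length) return null;
  final params = <String, String>{};
  for (var i = 0; i < parts.length; i++) {
    final part = parts[i];
    final segment = segments[i];
    if (part.startsWith(':')) {
      params[part.substring(1)] =
          decodeParams ? Uri.decodeComponent(segment) : segment;
    } else if (segment != part) {
      return null; // static segment mismatch
    }
  }
  return params;
}

void main() {
  // Constructed sample: the parameter value 'reports/2024.pdf' is encoded
  // by the caller, so its '/' travels as %2F inside one path segment.
  final uri = Uri.parse('/files/${Uri.encodeComponent('reports/2024.pdf')}');
  print('raw path:     ${uri.path}');
  print('decode first: ${matchDecodeFirst('/files/:name', uri)}');
  print('split first:  ${matchSplitFirst('/files/:name', uri)}');
}
```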
