review-comment: Don't use URLComponent to parse application/x-www-form-urlencoded

43jay · 43jay · commit dfefb4ee6058 · 2026-04-29T06:00:05.000-04:00
based on https://github.com/kula-app/Postie/blob/3698c01e4c2df68d81a23b4dc428416cea9e4e5f/Sources/URLEncodedFormCoding/URLEncodedFormDecoder.swift#L19-L49 extended unit tests
diff --git a/Sources/Swift/Integrations/SessionReplay/SentryReplayNetworkDetails.swift b/Sources/Swift/Integrations/SessionReplay/SentryReplayNetworkDetails.swift
@@ -147,17 +147,38 @@ enum NetworkBodyWarning: String {
             }
         }
 
+        /// Parses `application/x-www-form-urlencoded` data into a dictionary.
         private static func parseFormEncoded(_ data: Data, encoding: String.Encoding, warnings: inout [NetworkBodyWarning]) -> Body {
-            guard let string = String(data: data, encoding: encoding) ?? String(data: data, encoding: .utf8),
-                  let components = URLComponents(string: "http://x?" + string),
-                  let items = components.queryItems else {
+            guard let urlEncodedFormData = String(data: data, encoding: encoding) ?? String(data: data, encoding: .utf8) else {
                 warnings.append(.bodyParseError)
                 return parseText(data, encoding: encoding, warnings: &warnings)
             }
 
-            var formData = [String: String]()
-            for item in items where item.name.isEmpty == false {
-                formData[item.name] = item.value ?? ""
+            var formData = [String: Any]()
+            for rawElement in urlEncodedFormData.components(separatedBy: "&") where !rawElement.isEmpty {
+                let comps = rawElement.components(separatedBy: "=")
+                if comps.count < 2 {
+                    warnings.append(.bodyParseError)
+                    return parseText(data, encoding: encoding, warnings: &warnings)
+                }
+                // In form-urlencoded, + means space (rdar://40751862).
+                let key = comps[0]
+                    .replacingOccurrences(of: "+", with: " ")
+                    .removingPercentEncoding ?? comps[0]
+                let value = comps.dropFirst().joined(separator: "=")
+                    .replacingOccurrences(of: "+", with: " ")
+                    .removingPercentEncoding ?? comps[1]
+                guard !key.isEmpty else { continue }
+                if let existing = formData[key] {
+                    if var list = existing as? [String] {
+                        list.append(value)
+                        formData[key] = list
+                    } else if let text = existing as? String {
+                        formData[key] = [text, value]
+                    }
+                } else {
+                    formData[key] = value
+                }
             }
             return Body(content: formData, warnings: warnings)
         }
diff --git a/Tests/SentryTests/Networking/SentryReplayNetworkDetailsBodyTests.swift b/Tests/SentryTests/Networking/SentryReplayNetworkDetailsBodyTests.swift
@@ -21,7 +21,6 @@ class SentryReplayNetworkDetailsBodyTests: XCTestCase {
         let body = Body(data: bodyData, contentType: "application/json")
 
         // -- Assert --
-        XCTAssertNotNil(body)
         if case .json(let value) = body?.content {
             let dict = value as? [String: Any]
             XCTAssertEqual(dict?["key"] as? String, "value")
@@ -45,7 +44,6 @@ class SentryReplayNetworkDetailsBodyTests: XCTestCase {
         let body = Body(data: bodyData, contentType: "application/json")
 
         // -- Assert --
-        XCTAssertNotNil(body)
         if case .json(let value) = body?.content {
             let array = value as? [String]
             XCTAssertEqual(array?.count, 3)
@@ -84,28 +82,6 @@ class SentryReplayNetworkDetailsBodyTests: XCTestCase {
         XCTAssertNil(body)
     }
 
-    func testInit_withFormURLEncoded_shouldParseAsForm() {
-        // -- Arrange --
-        let formString = "key1=value1&key2=value2&key3=value%20with%20spaces"
-        guard let bodyData = formString.data(using: .utf8) else {
-            return XCTFail("Failed to create form data")
-        }
-
-        // -- Act --
-        let body = Body(data: bodyData, contentType: "application/x-www-form-urlencoded")
-
-        // -- Assert --
-        XCTAssertNotNil(body)
-        if case .json(let value) = body?.content {
-            let dict = value as? [String: String]
-            XCTAssertEqual(dict?["key1"], "value1")
-            XCTAssertEqual(dict?["key2"], "value2")
-            XCTAssertEqual(dict?["key3"], "value with spaces")
-        } else {
-            XCTFail("Expected .json content for form data")
-        }
-    }
-
     func testInit_withInvalidJSON_shouldFallbackToString() {
         // -- Arrange --
         let invalidJSON = "{ invalid json }"
@@ -216,6 +192,108 @@ class SentryReplayNetworkDetailsBodyTests: XCTestCase {
             XCTFail("Expected .text content with placeholder description")
         }
     }
+    
+    // MARK: - Form URL-Encoded Parsing
+
+    func testInit_withFormURLEncoded_shouldParseAsForm() {
+        // -- Arrange --
+        let formString = "key1=value1&key2=value2&key3=value%20with%20spaces"
+        guard let bodyData = formString.data(using: .utf8) else {
+            return XCTFail("Failed to create form data")
+        }
+
+        // -- Act --
+        let body = Body(data: bodyData, contentType: "application/x-www-form-urlencoded")
+
+        // -- Assert --
+        if case .json(let value) = body?.content {
+            let dict = value as? [String: String]
+            XCTAssertEqual(dict?["key1"], "value1")
+            XCTAssertEqual(dict?["key2"], "value2")
+            XCTAssertEqual(dict?["key3"], "value with spaces")
+        } else {
+            XCTFail("Expected .json content for form data")
+        }
+    }
+
+    func testInit_withFormURLEncoded_duplicateKeys_shouldPromoteToArray() throws {
+        // -- Act --
+        let body = try XCTUnwrap(Body(
+            data: "color=red&color=blue&color=green".data(using: .utf8)!,
+            contentType: "application/x-www-form-urlencoded; charset=utf-8"
+        ))
+
+        // -- Assert --
+        let dict = try XCTUnwrap(body.serialize()["body"] as? [String: Any])
+        XCTAssertEqual(dict["color"] as? [String], ["red", "blue", "green"])
+    }
+
+    func testInit_withFormURLEncoded_emptyValue_shouldParseAsEmptyString() throws {
+        // -- Act --
+        let body = try XCTUnwrap(Body(
+            data: "key1=&key2=value2".data(using: .utf8)!,
+            contentType: "application/x-www-form-urlencoded; charset=utf-8"
+        ))
+
+        // -- Assert --
+        let dict = try XCTUnwrap(body.serialize()["body"] as? [String: Any])
+        XCTAssertEqual(dict["key1"] as? String, "")
+        XCTAssertEqual(dict["key2"] as? String, "value2")
+    }
+
+    func testInit_withFormURLEncoded_missingEquals_shouldFallbackToText() throws {
+        // -- Act --
+        let body = try XCTUnwrap(Body(
+            data: "key1=value1&malformed&key2=value2".data(using: .utf8)!,
+            contentType: "application/x-www-form-urlencoded; charset=utf-8"
+        ))
+
+        // -- Assert --
+        let serialized = body.serialize()
+        let text = try XCTUnwrap(serialized["body"] as? String)
+        XCTAssertEqual(text, "key1=value1&malformed&key2=value2")
+        let warnings = try XCTUnwrap(serialized["warnings"] as? [String])
+        XCTAssertTrue(warnings.contains("BODY_PARSE_ERROR"))
+    }
+
+    func testInit_withFormURLEncoded_emptyKeys_shouldBeSkipped() throws {
+        // -- Act --
+        let body = try XCTUnwrap(Body(
+            data: "=value1&key2=value2".data(using: .utf8)!,
+            contentType: "application/x-www-form-urlencoded; charset=utf-8"
+        ))
+
+        // -- Assert --
+        let dict = try XCTUnwrap(body.serialize()["body"] as? [String: Any])
+        XCTAssertNil(dict[""])
+        XCTAssertEqual(dict["key2"] as? String, "value2")
+    }
+
+    func testInit_withFormURLEncoded_equalsInValue_shouldPreserve() throws {
+        // -- Act --
+        let body = try XCTUnwrap(Body(
+            data: "query=a=1&token=abc".data(using: .utf8)!,
+            contentType: "application/x-www-form-urlencoded; charset=utf-8"
+        ))
+
+        // -- Assert --
+        let dict = try XCTUnwrap(body.serialize()["body"] as? [String: Any])
+        XCTAssertEqual(dict["query"] as? String, "a=1")
+        XCTAssertEqual(dict["token"] as? String, "abc")
+    }
+
+    func testInit_withFormURLEncoded_plusAsSpace_shouldDecode() throws {
+        // -- Act --
+        let body = try XCTUnwrap(Body(
+            data: "greeting=hello+world&name=Jane+Doe".data(using: .utf8)!,
+            contentType: "application/x-www-form-urlencoded; charset=utf-8"
+        ))
+
+        // -- Assert --
+        let dict = try XCTUnwrap(body.serialize()["body"] as? [String: Any])
+        XCTAssertEqual(dict["greeting"] as? String, "hello world")
+        XCTAssertEqual(dict["name"] as? String, "Jane Doe")
+    }
 
     // MARK: - Serialization Tests
 
