fix(core): add boundary assertion to hasLiteralQuery regex and address edge cases

backporting from 7e25ee3

Author: mgyarmathy

src/shared/uriTemplate.ts

@@ -287,14 +287,23 @@ export class UriTemplate {
         let queryPart: string;
 
         if (hasLiteralQuery) {
-            // Match the path regex against the full URI without a trailing
-            // anchor, then treat everything after the match as the remaining
-            // query string to parse for {?...}/{&...} expressions.
+            // Match the path regex against the full URI. The lookahead
+            // assertion ensures the literal portion ends exactly at a
+            // query-param separator, fragment, or end-of-string, so a
+            // template like `?id=1` does not spuriously prefix-match
+            // `?id=100`.
+            pattern += '(?=[&#]|$)';
             UriTemplate.validateLength(pattern, MAX_REGEX_LENGTH, 'Generated regex pattern');
             const regex = new RegExp(pattern);
             match = uri.match(regex);
             if (!match) return null;
-            queryPart = uri.slice(match[0].length).replace(/^&/, '');
+            // Everything after the match is the remaining query string to
+            // parse for {?...}/{&...} expressions. Strip any fragment and
+            // the leading `&` separator first.
+            let rest = uri.slice(match[0].length);
+            const hashIndex = rest.indexOf('#');
+            if (hashIndex !== -1) rest = rest.slice(0, hashIndex);
+            queryPart = rest.replace(/^&/, '');
         } else {
             // Split URI into path and query parts at the first '?'
             const queryIndex = uri.indexOf('?');

test/shared/uriTemplate.test.ts

@@ -280,6 +280,27 @@ describe('UriTemplate', () => {
             const match = template.match('/api/v1?format=json&key=secret');
             expect(match).toEqual({ version: 'v1', key: 'secret' });
         });
+
+
+        it('should not prefix-match literal query values with literal ?', () => {
+            // `?id=1` must not match `?id=100`
+            const template = new UriTemplate('/path?id=1{&extra}');
+            expect(template.match('/path?id=100')).toBeNull();
+            expect(template.match('/path?id=1')).toEqual({});
+            expect(template.match('/path?id=1&extra=x')).toEqual({ extra: 'x' });
+        });
+
+        it('should require a proper separator after the literal ? portion', () => {
+            // malformed URI missing `&` between params must not match
+            const template = new UriTemplate('/path?a=1{&b}');
+            expect(template.match('/path?a=1b=2')).toBeNull();
+        });
+
+        it('should ignore fragments after the literal ? portion', () => {
+            const template = new UriTemplate('/path?a=1{&b}');
+            expect(template.match('/path?a=1#section')).toEqual({});
+            expect(template.match('/path?a=1&b=foo#section')).toEqual({ b: 'foo' });
+        });
     });
 
     describe('security and edge cases', () => {