fix(core): handle malformed percent-encoding in UriTemplate.match()

Author: felixweinberger

packages/core/src/shared/uriTemplate.ts

@@ -7,6 +7,14 @@ const MAX_VARIABLE_LENGTH = 1_000_000; // 1MB
 const MAX_TEMPLATE_EXPRESSIONS = 10_000;
 const MAX_REGEX_LENGTH = 1_000_000; // 1MB
 
+function safeDecode(s: string): string {
+    try {
+        return decodeURIComponent(s);
+    } catch {
+        return s;
+    }
+}
+
 export class UriTemplate {
     /**
      * Returns true if the given string contains any URI template expressions.
@@ -302,8 +310,8 @@ export class UriTemplate {
                 for (const pair of queryPart.split('&')) {
                     const equalIndex = pair.indexOf('=');
                     if (equalIndex !== -1) {
-                        const key = decodeURIComponent(pair.slice(0, equalIndex));
-                        const value = decodeURIComponent(pair.slice(equalIndex + 1));
+                        const key = safeDecode(pair.slice(0, equalIndex));
+                        const value = safeDecode(pair.slice(equalIndex + 1));
                         queryParams.set(key, value);
                     }
                 }

packages/core/test/shared/uriTemplate.test.ts

@@ -249,6 +249,12 @@ describe('UriTemplate', () => {
             expect(match).toEqual({ q: 'hello world' });
             expect(template.variableNames).toEqual(['q']);
         });
+
+        it('should not throw on malformed percent-encoding in query parameters', () => {
+            const template = new UriTemplate('/search{?q}');
+            expect(template.match('/search?q=100%')).toEqual({ q: '100%' });
+            expect(template.match('/search?q=%ZZ')).toEqual({ q: '%ZZ' });
+        });
     });
 
     describe('security and edge cases', () => {