fix(http): close double-encoding bypass in path traversal guard

Replace single rawurldecode() with a decode-until-stable loop so that
double-encoded sequences like %252e%252e cannot slip past the
assertSafePath check. Add test cases for double-encoded traversal,
slash, query character, and null byte variants.

Author: gjtorikian

lib/HttpClient.php

@@ -251,12 +251,13 @@ private function resolveUrl(string $path, ?RequestOptions $options): string
      * in a single ID would silently re-target the request at a different
      * WorkOS resource under the application's authenticated API key.
      *
-     * The check runs against the percent-decoded path so that encoded
-     * variants (`%2e%2e`, `%2f`, `%3f`, `%0d%0a`, ...) cannot bypass it.
+     * The check runs against the fully percent-decoded path so that encoded
+     * variants (`%2e%2e`, `%2f`, `%3f`, `%0d%0a`, ...) and double-encoded
+     * variants (`%252e%252e`, `%252f`, ...) cannot bypass it.
      */
     private function assertSafePath(string $path): void
     {
-        $decoded = rawurldecode($path);
+        $decoded = self::decodeUntilStable($path);
 
         if (preg_match('/[\x00-\x1f?#]/', $decoded) === 1) {
             throw new \InvalidArgumentException(
@@ -273,6 +274,20 @@ private function assertSafePath(string $path): void
         }
     }
 
+    /**
+     * Decode percent-encoded characters in a loop until the value stabilizes,
+     * closing double-encoding bypass vectors like `%252e%252e`.
+     */
+    private static function decodeUntilStable(string $value): string
+    {
+        do {
+            $prev = $value;
+            $value = rawurldecode($value);
+        } while ($value !== $prev);
+
+        return $value;
+    }
+
     private function resolveTimeout(?RequestOptions $options): int
     {
         return $options !== null && $options->timeout !== null ? $options->timeout : $this->timeout;

tests/HttpClientTest.php

@@ -108,6 +108,10 @@ public static function unsafePathProvider(): array
             'percent-encoded fragment character' => ['connections/conn_123%23frag'],
             'percent-encoded CRLF injection' => ['connections/conn_123%0D%0AHost:%20evil'],
             'percent-encoded null byte' => ['connections/conn_123%00'],
+            'double-encoded parent traversal' => ['connections/%252e%252e/webhook_endpoints'],
+            'double-encoded slash hides traversal' => ['connections%252F..%252Fwebhook_endpoints'],
+            'double-encoded query character' => ['connections/conn_123%253Foverride=1'],
+            'double-encoded null byte' => ['connections/conn_123%2500'],
         ];
     }