Skip to content

G
gitlab-ce
Commit 95739038 authored by Miguel Rincon's avatar Miguel Rincon
Browse files
Options

Decode square brackets with "queryToObject" 

This change ensure that URL-encoded square brackets are decoded by
"queryToObject" when such encoding is used in the URL.

Prevents edge cases in which clients send encoded square brackets to
define arrays in their URL parameters.

Changelog: fixed
parent 54e345fb
Hide whitespace changes
Inline Side-by-side
Showing with 24 additions and 24 deletions
app/assets/javascripts/lib/utils/url_utility.js
View file @ 95739038
...@@ -474,19 +474,17 @@ export function queryToObject(query, { gatherArrays = false, legacySpacesDecode ...@@ -474,19 +474,17 @@ export function queryToObject(query, { gatherArrays = false, legacySpacesDecode
} }
const decodedValue = legacySpacesDecode ? decodeURIComponent(value) : decodeUrlParameter(value); const decodedValue = legacySpacesDecode ? decodeURIComponent(value) : decodeUrlParameter(value);
const decodedKey = legacySpacesDecode ? decodeURIComponent(key) : decodeUrlParameter(key);
if (gatherArrays && key.endsWith('[]')) { if (gatherArrays && decodedKey.endsWith('[]')) {
const decodedKey = legacySpacesDecode const decodedArrayKey = decodedKey.slice(0, -2);
? decodeURIComponent(key.slice(0, -2))
: decodeUrlParameter(key.slice(0, -2));
if (!Array.isArray(accumulator[decodedKey])) { if (!Array.isArray(accumulator[decodedArrayKey])) {
accumulator[decodedKey] = []; accumulator[decodedArrayKey] = [];
} }
accumulator[decodedKey].push(decodedValue);
} else {
const decodedKey = legacySpacesDecode ? decodeURIComponent(key) : decodeUrlParameter(key);
accumulator[decodedArrayKey].push(decodedValue);
} else {
accumulator[decodedKey] = decodedValue; accumulator[decodedKey] = decodedValue;
} }
......
spec/frontend/lib/utils/url_utility_spec.js
View file @ 95739038
...@@ -670,21 +670,23 @@ describe('URL utility', () => { ...@@ -670,21 +670,23 @@ describe('URL utility', () => {
describe('queryToObject', () => { describe('queryToObject', () => {
it.each` it.each`
case | query | options | result case | query | options | result
${'converts query'} | ${'?one=1&two=2'} | ${undefined} | ${{ one: '1', two: '2' }} ${'converts query'} | ${'?one=1&two=2'} | ${undefined} | ${{ one: '1', two: '2' }}
${'converts query without ?'} | ${'one=1&two=2'} | ${undefined} | ${{ one: '1', two: '2' }} ${'converts query without ?'} | ${'one=1&two=2'} | ${undefined} | ${{ one: '1', two: '2' }}
${'removes undefined values'} | ${'?one=1&two=2&three'} | ${undefined} | ${{ one: '1', two: '2' }} ${'removes undefined values'} | ${'?one=1&two=2&three'} | ${undefined} | ${{ one: '1', two: '2' }}
${'overwrites values with same key and does not change key'} | ${'?one[]=1&one[]=2&two=2&two=3'} | ${undefined} | ${{ 'one[]': '2', two: '3' }} ${'overwrites values with same key and does not change key'} | ${'?one[]=1&one[]=2&two=2&two=3'} | ${undefined} | ${{ 'one[]': '2', two: '3' }}
${'gathers values with the same array-key, strips `[]` from key'} | ${'?one[]=1&one[]=2&two=2&two=3'} | ${{ gatherArrays: true }} | ${{ one: ['1', '2'], two: '3' }} ${'gathers values with the same array-key, strips `[]` from key'} | ${'?one[]=1&one[]=2&two=2&two=3'} | ${{ gatherArrays: true }} | ${{ one: ['1', '2'], two: '3' }}
${'overwrites values with the same array-key name'} | ${'?one=1&one[]=2&two=2&two=3'} | ${{ gatherArrays: true }} | ${{ one: ['2'], two: '3' }} ${'overwrites values with the same array-key name'} | ${'?one=1&one[]=2&two=2&two=3'} | ${{ gatherArrays: true }} | ${{ one: ['2'], two: '3' }}
${'overwrites values with the same key name'} | ${'?one[]=1&one=2&two=2&two=3'} | ${{ gatherArrays: true }} | ${{ one: '2', two: '3' }} ${'overwrites values with the same key name'} | ${'?one[]=1&one=2&two=2&two=3'} | ${{ gatherArrays: true }} | ${{ one: '2', two: '3' }}
${'ignores plus symbols'} | ${'?search=a+b'} | ${{ legacySpacesDecode: true }} | ${{ search: 'a+b' }} ${'ignores plus symbols'} | ${'?search=a+b'} | ${{ legacySpacesDecode: true }} | ${{ search: 'a+b' }}
${'ignores plus symbols in keys'} | ${'?search+term=a'} | ${{ legacySpacesDecode: true }} | ${{ 'search+term': 'a' }} ${'ignores plus symbols in keys'} | ${'?search+term=a'} | ${{ legacySpacesDecode: true }} | ${{ 'search+term': 'a' }}
${'ignores plus symbols when gathering arrays'} | ${'?search[]=a+b'} | ${{ gatherArrays: true, legacySpacesDecode: true }} | ${{ search: ['a+b'] }} ${'ignores plus symbols when gathering arrays'} | ${'?search[]=a+b'} | ${{ gatherArrays: true, legacySpacesDecode: true }} | ${{ search: ['a+b'] }}
${'replaces plus symbols with spaces'} | ${'?search=a+b'} | ${undefined} | ${{ search: 'a b' }} ${'replaces plus symbols with spaces'} | ${'?search=a+b'} | ${undefined} | ${{ search: 'a b' }}
${'replaces plus symbols in keys with spaces'} | ${'?search+term=a'} | ${undefined} | ${{ 'search term': 'a' }} ${'replaces plus symbols in keys with spaces'} | ${'?search+term=a'} | ${undefined} | ${{ 'search term': 'a' }}
${'replaces plus symbols when gathering arrays'} | ${'?search[]=a+b'} | ${{ gatherArrays: true }} | ${{ search: ['a b'] }} ${'preserves square brackets in array params'} | ${'?search[]=a&search[]=b'} | ${{ gatherArrays: true }} | ${{ search: ['a', 'b'] }}
${'replaces plus symbols when gathering arrays for values with same key'} | ${'?search[]=a+b&search[]=c+d'} | ${{ gatherArrays: true }} | ${{ search: ['a b', 'c d'] }} ${'decodes encoded square brackets in array params'} | ${'?search%5B%5D=a&search%5B%5D=b'} | ${{ gatherArrays: true }} | ${{ search: ['a', 'b'] }}
${'replaces plus symbols when gathering arrays'} | ${'?search[]=a+b'} | ${{ gatherArrays: true }} | ${{ search: ['a b'] }}
${'replaces plus symbols when gathering arrays for values with same key'} | ${'?search[]=a+b&search[]=c+d'} | ${{ gatherArrays: true }} | ${{ search: ['a b', 'c d'] }}
`('$case', ({ query, options, result }) => { `('$case', ({ query, options, result }) => {
expect(urlUtils.queryToObject(query, options)).toEqual(result); expect(urlUtils.queryToObject(query, options)).toEqual(result);
}); });
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7