Skip to content

Decode ctx.params before using in routes#832

Merged
tudddorrr merged 1 commit intodevelopfrom
decode-params-middleware
Feb 15, 2026
Merged

Decode ctx.params before using in routes#832
tudddorrr merged 1 commit intodevelopfrom
decode-params-middleware

Conversation

@tudddorrr
Copy link
Collaborator

@tudddorrr tudddorrr commented Feb 15, 2026

No description provided.

@tudddorrr tudddorrr added the fix This pull request contains a fix label Feb 15, 2026
@claude
Copy link

claude bot commented Feb 15, 2026

PR Review

This is a clean, focused fix. One issue worth addressing before merging:

🟡 Potential Bugs

decodeURIComponent throws on malformed percent-encoded params

decodeURIComponent raises a URIError for invalid sequences (e.g. a route param containing %gg or a trailing %). Since route params come from user-controlled URLs, this is a realistic input and would result in an unhandled exception rather than a clean HTTP response.

src/middleware/decode-params-middleware.ts

// Current
ctx.params[param] = decodeURIComponent(ctx.params[param])

// Suggested – fall back to the raw value if decoding fails
try {
  ctx.params[param] = decodeURIComponent(ctx.params[param])
} catch {
  // leave param as-is; downstream validation will reject invalid values
}

Test Coverage

The added test only covers the happy path (spaces encoded as %20). A test with a malformed sequence like %gg in the internal name would catch the above issue and confirm graceful error handling.

Everything else looks good — the middleware is correctly placed before route-specific middleware, the GlobalContext type addition is appropriate, and the for...in loop is fine for a plain object like ctx.params.

@codecov
Copy link

codecov bot commented Feb 15, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.69%. Comparing base (b73ea67) to head (46dba31).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files 
@@           Coverage Diff            @@
##           develop     #832   +/-   ##
========================================
  Coverage    95.68%   95.69%           
========================================
  Files          378      379    +1     
  Lines         5915     5919    +4     
  Branches       766      766           
========================================
+ Hits          5660     5664    +4     
  Misses         149      149           
  Partials       106      106

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tudddorrr tudddorrr merged commit 401341c into develop Feb 15, 2026
10 checks passed
@tudddorrr tudddorrr deleted the decode-params-middleware branch February 15, 2026 21:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

fix This pull request contains a fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tudddorrr