improvement: URL-encode query parameter names (#1487)

john3300 · shockey · shockey · commit 3fe3f8a7aa62 · 2020-01-11T22:39:51.000-05:00
* URL encode the query parameter name which can contain restricted characters like square brackets: []

* `paramName` -&gt; `encodedParamName`

Co-authored-by: kyle shockey &lt;kyleshockey@gmail.com&gt;
diff --git a/src/execute/oas3/parameter-builders.js b/src/execute/oas3/parameter-builders.js
@@ -87,9 +87,10 @@ export function query({req, value, parameter}) {
       })
     }
     else {
-      req.query[parameter.name] = {
+      const encodedParamName = encodeURIComponent(parameter.name)
+      req.query[encodedParamName] = {
         value: stylize({
-          key: parameter.name,
+          key: encodedParamName,
           value,
           style: parameter.style || 'form',
           explode: typeof parameter.explode === 'undefined' ? true : parameter.explode,
diff --git a/test/oas3/execute/style-explode/query.js b/test/oas3/execute/style-explode/query.js
@@ -146,6 +146,83 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - query parameters', ()
       }
     )
 
+    test('should build a query parameter with escaped non-RFC3986 characters in parameter name',
+      () => {
+        // Given
+        const spec = {
+          openapi: '3.0.0',
+          paths: {
+            '/users': {
+              get: {
+                operationId: 'myOperation',
+                parameters: [
+                  {
+                    name: 'id[role]',
+                    in: 'query'
+                  }
+                ]
+              }
+            }
+          }
+        }
+
+        // when
+        const req = buildRequest({
+          spec,
+          operationId: 'myOperation',
+          parameters: {
+            'id[role]': 'admin'
+          }
+        })
+
+        expect(req).toEqual({
+          method: 'GET',
+          url: '/users?id%5Brole%5D=admin',
+          credentials: 'same-origin',
+          headers: {}
+        })
+      }
+    )
+
+    test('should build an empty query parameter with escaped non-RFC3986 characters in parameter name',
+      () => {
+        // Given
+        const spec = {
+          openapi: '3.0.0',
+          paths: {
+            '/users': {
+              get: {
+                operationId: 'myOperation',
+                parameters: [
+                  {
+                    name: 'id[role]',
+                    in: 'query',
+                    allowEmptyValue: true
+                  }
+                ]
+              }
+            }
+          }
+        }
+
+        // when
+        const req = buildRequest({
+          spec,
+          operationId: 'myOperation',
+          parameters: {
+            'id[role]': ''
+          }
+        })
+
+        expect(req).toEqual({
+          method: 'GET',
+          url: '/users?id%5Brole%5D=',
+          credentials: 'same-origin',
+          headers: {}
+        })
+      }
+    )
+
     test('should build a query parameter in form/explode format', () => {
       // Given
       const spec = {
