Ensure that non-query parameters are never escaped

Author: shockey

src/execute/oas3/parameter-builders.js

@@ -43,7 +43,7 @@ function query({req, value, parameter}) {
             key: k,
             value: v,
             style: 'deepObject',
-            escape: !parameter.allowReserved,
+            escape: parameter.allowReserved ? 'unsafe' : 'reserved',
           }),
           skipEncoding: true
         }
@@ -66,7 +66,7 @@ function query({req, value, parameter}) {
             key: k,
             value: v,
             style: parameter.style || 'form',
-            escape: !parameter.allowReserved,
+            escape: parameter.allowReserved ? 'unsafe' : 'reserved',
           }),
           skipEncoding: true
         }
@@ -79,7 +79,7 @@ function query({req, value, parameter}) {
           value,
           style: parameter.style || 'form',
           explode: typeof parameter.explode === 'undefined' ? true : parameter.explode,
-          escape: !parameter.allowReserved,
+          escape: parameter.allowReserved ? 'unsafe' : 'reserved',
         }),
         skipEncoding: true
       }

src/execute/oas3/style-serializer.js

@@ -5,20 +5,24 @@ const isRrc3986Unreserved = (char) => {
   return (/^[a-z0-9\-._~]+$/i).test(char)
 }
 
-function encodeDisallowedCharacters(str, {allowReserved}) {
+function encodeDisallowedCharacters(str, {escape}) {
   if (typeof str === 'number') {
     str = str.toString()
   }
   if (typeof str !== 'string' || !str.length) {
     return str
   }
 
+  if (!escape) {
+    return str
+  }
+
   return str.split('').map((char) => {
     if (isRrc3986Unreserved(char)) {
       return char
     }
 
-    if (isRfc3986Reserved(char) && allowReserved) {
+    if (isRfc3986Reserved(char) && escape === 'unsafe') {
       return char
     }
 
@@ -41,7 +45,7 @@ export default function (config) {
 
 function encodeArray({key, value, style, explode, escape}) {
   const valueEncoder = str => encodeDisallowedCharacters(str, {
-    allowReserved: !escape
+    escape
   })
 
   if (style === 'simple') {
@@ -79,7 +83,7 @@ function encodeArray({key, value, style, explode, escape}) {
 
 function encodeObject({key, value, style, explode, escape}) {
   const valueEncoder = str => encodeDisallowedCharacters(str, {
-    allowReserved: !escape
+    escape
   })
 
   const valueKeys = Object.keys(value)
@@ -136,7 +140,7 @@ function encodeObject({key, value, style, explode, escape}) {
 
 function encodePrimitive({key, value, style, escape}) {
   const valueEncoder = str => encodeDisallowedCharacters(str, {
-    allowReserved: !escape
+    escape
   })
 
   if (style === 'simple') {

test/oas3/execute/style-explode/header.js

@@ -91,6 +91,46 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - header parameters', fu
       })
     })
 
+    it('should build a header parameter in simple/no-explode format with special characters', function () {
+      // Given
+      const spec = {
+        openapi: '3.0.0',
+        paths: {
+          '/users': {
+            get: {
+              operationId: 'myOperation',
+              parameters: [
+                {
+                  name: 'X-MyHeader',
+                  in: 'header',
+                  style: 'simple',
+                  explode: false
+                }
+              ]
+            }
+          }
+        }
+      }
+
+      // when
+      const req = buildRequest({
+        spec,
+        operationId: 'myOperation',
+        parameters: {
+          'X-MyHeader': ' <>"%{}|\\^'
+        }
+      })
+
+      expect(req).toEqual({
+        method: 'GET',
+        url: '/users',
+        credentials: 'same-origin',
+        headers: {
+          'X-MyHeader': ' <>"%{}|\\^'
+        },
+      })
+    })
+
     it('should build a header parameter in simple/explode format', function () {
       // Given
       const spec = {