fix: decode paths before matching #174

Merged: Eomm merged 2 commits into main from fix/decode-paths-before-matching on Jan 5, 2026

mcollina (Member) commented Jan 3, 2026

URL-encoded paths could bypass middleware (e.g., /%61dmin would bypass middleware registered on /admin). This uses FindMyWay.sanitizeUrlPath() to decode URLs before Express matches middleware, consistent with the fix in fastify/middie#245.

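A minimal model of the mismatch described in this PR, added here as an illustration and not code from this repository or from find-my-way. It assumes the router resolves the decoded path, uses `decodeURI` as a stand-in for `FindMyWay.sanitizeUrlPath()`, and all function names are hypothetical.

```javascript
// Added illustration. All names are hypothetical, not project code.

// Stand-in for the decoding step (the PR itself calls FindMyWay.sanitizeUrlPath()).
// decodeURI leaves reserved characters such as %2F encoded; the query is untouched.
function decodePath(rawUrl) {
  const q = rawUrl.indexOf('?');
  const path = q === -1 ? rawUrl : rawUrl.slice(0, q);
  const query = q === -1 ? '' : rawUrl.slice(q);
  try {
    return decodeURI(path) + query;
  } catch {
    return null; // malformed percent-encoding, e.g. "/%zz"
  }
}

// Prefix match on a path segment boundary, as a path-mounted middleware would.
function prefixMatches(prefix, url) {
  const path = url.split('?')[0];
  return path === prefix || path.startsWith(prefix + '/');
}

// Models one request. The router is assumed to resolve the decoded path;
// the flag controls whether middleware matching sees the decoded path too.
function dispatch(rawUrl, decodeBeforeMiddleware) {
  const decoded = decodePath(rawUrl);
  if (decoded === null) return { status: 400, guardRan: false, handler: null };
  const middlewareView = decodeBeforeMiddleware ? decoded : rawUrl;
  const guardRan = prefixMatches('/admin', middlewareView);
  const handler = prefixMatches('/admin', decoded) ? 'admin' : null;
  return { status: handler ? 200 : 404, guardRan, handler };
}

// Constructed sample requests.
for (const url of ['/admin', '/%61dmin', '/admin/users?x=%61', '/public', '/%zz']) {
  console.log(url, 'before:', dispatch(url, false), 'after:', dispatch(url, true));
}
```

A regression test for this class of bug can assert that the guard runs for every URL the router resolves to the protected handler.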
mcollina requested a review from Eomm January 3, 2026 17:05
mcollina requested a review from gurgunday January 5, 2026 18:20
Eomm merged commit dc02a3f into main Jan 5, 2026
29 of 31 checks passed
Eomm deleted the fix/decode-paths-before-matching branch January 5, 2026 18:49

github-actions (Bot, Contributor) commented May 1, 2026

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions (Bot) locked as resolved and limited conversation to collaborators May 1, 2026