Skip to content

fix: decode paths before matching #174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Eomm merged 2 commits into from
Jan 5, 2026
Merged

fix: decode paths before matching #174

Eomm merged 2 commits into from
Jan 5, 2026

Conversation

@mcollina
Copy link
Member

@mcollina mcollina commented Jan 3, 2026

URL-encoded paths could bypass middleware (e.g., /%61dmin would bypass middleware registered on /admin). This uses FindMyWay.sanitizeUrlPath() to decode URLs before Express matches middleware, consistent with the fix in fastify/middie#245.

Checklist

@mcollina
fix: decode paths before matching
6883439 
URL-encoded paths could bypass middleware (e.g., /%61dmin would bypass
middleware registered on /admin). This uses FindMyWay.sanitizeUrlPath()
to decode URLs before Express matches middleware, consistent with the
fix in fastify/middie#245.
@mcollina mcollina requested a review from Eomm January 3, 2026 17:05
@mcollina mcollina requested a review from gurgunday January 5, 2026 18:20
@Eomm Eomm merged commit dc02a3f into main Jan 5, 2026
29 of 31 checks passed
@Eomm Eomm deleted the fix/decode-paths-before-matching branch January 5, 2026 18:49
@bjohansebas bjohansebas mentioned this pull request Jan 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Eomm Eomm Eomm approved these changes

@gurgunday gurgunday Awaiting requested review from gurgunday

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mcollina @Eomm