fix: decode url with query params (#178)

* fix: decode url with query params

* fix: refacto form data test to be idempotent

Author: nolway

index.js

@@ -2,7 +2,6 @@
 
 const fp = require('fastify-plugin')
 const Express = require('express')
-const FindMyWay = require('find-my-way')
 const kMiddlewares = Symbol('fastify-express-middlewares')
 
 function fastifyExpress (fastify, options, next) {
@@ -43,9 +42,7 @@ function fastifyExpress (fastify, options, next) {
 
     const { url } = req.raw
 
-    const decodedUrl = FindMyWay.sanitizeUrlPath(url)
-    // Decode URL before Express matches middleware to prevent encoded path bypass
-    // e.g., /%61dmin should match middleware registered on /admin
+    const decodedUrl = decodeURI(url)
     req.raw.url = decodedUrl
     req.raw.originalUrl = url
     req.raw.id = req.id

package.json

@@ -76,8 +76,7 @@
   },
   "dependencies": {
     "express": "^4.18.3",
-    "fastify-plugin": "^5.0.0",
-    "find-my-way": "^9.4.0"
+    "fastify-plugin": "^5.0.0"
   },
   "tsd": {
     "directory": "test/types"

test/enhance-request.test.js

@@ -56,6 +56,26 @@ test('trust proxy protocol', async (t) => {
   })
 })
 
+test('query params still in in the request url after decodeURI', async (t) => {
+  t.plan(2)
+  const fastify = Fastify()
+
+  t.after(() => fastify.close())
+
+  fastify.register(expressPlugin).after(() => {
+    fastify.use('/admin', function (req, res) {
+      t.assert.deepStrictEqual(req.originalUrl, '/%61dmin?test=%76alue&test2=%76alue', 'originalUrl is not decoded')
+      t.assert.deepStrictEqual(req.url, '/admin?test=value&test2=value', 'url is decoded')
+
+      res.sendStatus(200)
+    })
+  })
+
+  const address = await fastify.listen({ port: 0 })
+
+  await fetch(`${address}/%61dmin?test=%76alue&test2=%76alue`)
+})
+
 test('passing createProxyHandler sets up a Proxy with Express req', async t => {
   t.plan(6)
   const testString = 'test proxy'

test/form-data.test.js

@@ -75,7 +75,8 @@ test('POST request with form body and without body-parser works', async t => {
 })
 
 test('POST request with form body and body-parser hangs up', async t => {
-  t.plan(2)
+  t.plan(3)
+
   const fastify = Fastify()
   const express = Express()
   t.after(() => fastify.close())
@@ -85,24 +86,25 @@ test('POST request with form body and body-parser hangs up', async t => {
     .after(() => {
       express.use(bodyParser.urlencoded({ extended: false }))
       fastify.use(express)
-      fastify.use((req, _res, next) => {
-        // body-parser result
-        t.assert.deepStrictEqual(req.body, { input: 'test' })
-        next()
-      })
-    })
 
-  fastify.post('/hello', () => {
-    return { hello: 'world' }
-  })
+      fastify.use((_req, _res, next) => next())
+    })
 
+  fastify.post('/hello', () => ({ hello: 'world' }))
   const address = await fastify.listen({ port: 0 })
 
-  await t.assert.rejects(() => fetch(address + '/hello', {
-    method: 'post',
-    body: new URLSearchParams({ input: 'test' }),
-    signal: AbortSignal.timeout(5)
-  }), 'Request timed out')
+  await t.assert.rejects(
+    () => fetch(address + '/hello', {
+      method: 'post',
+      body: new URLSearchParams({ input: 'test' }),
+      signal: AbortSignal.timeout(200)
+    }),
+    (err) => {
+      t.assert.equal(err?.name, 'TimeoutError')
+      t.assert.ok(err)
+      return true
+    }
+  )
 })
 
 test('POST request with form body and body-parser hangs up, compatibility case', async t => {