
fix(backend): incomplete string escaping or encoding #1666

Merged
tyler-dane merged 1 commit into main from alert-autofix-44, Apr 23, 2026

@tyler-dane
Contributor

Potential fix for https://github.com/SwitchbackTech/compass/security/code-scanning/44

Use URL decoding for the captured path segment instead of manually replacing a single token.

Best fix in this file (packages/backend/src/common/services/gcal/gcal.utils.ts), around getEmailFromUrl lines 38–45:

  • Replace emailMatch[1].replace("%40", "@") with decodeURIComponent(emailMatch[1]).
  • Wrap decoding in try/catch so malformed percent-encoding doesn’t throw and break flow; return null on decode failure (same fallback style as current function).

This preserves existing behavior for valid inputs and improves correctness for all encoded characters (including multiple %40 occurrences).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@tyler-dane tyler-dane marked this pull request as ready for review April 23, 2026 18:41
@tyler-dane tyler-dane changed the title Potential fix for code scanning alert no. 44: Incomplete string escaping or encoding fix(backend): incomplete string escaping or encoding Apr 23, 2026
@tyler-dane tyler-dane merged commit 6b3cfed into main Apr 23, 2026
7 of 8 checks passed
@tyler-dane tyler-dane deleted the alert-autofix-44 branch April 23, 2026 18:41
tyler-dane added a commit that referenced this pull request Apr 23, 2026
…1667)

Tests for PR #1666 which replaces manual %40 replacement with decodeURIComponent:
validates multi-char decoding, malformed percent-encoding null fallback, and
missing calendar segment.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
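
The before/after behaviour described in this PR, run over the cases the follow-up tests name, as an added example that is not the project's code. The page does not show `getEmailFromUrl` itself, so the regex, the URL shape, the function names and the sample URLs are assumptions.

```typescript
// Added illustration. CALENDAR_SEGMENT and the URL shape are assumed;
// the real pattern in gcal.utils.ts is not shown on this page.
const CALENDAR_SEGMENT = /\/calendars\/([^/]+)\/events/;

// "Before": replace() with a string pattern rewrites only the FIRST "%40"
// and leaves every other percent-escape in the segment encoded.
function emailFromUrlBefore(url: string): string | null {
  const raw = url.match(CALENDAR_SEGMENT)?.[1];
  if (raw === undefined) return null;
  return raw.replace("%40", "@");
}

// "After": decode the whole captured segment. decodeURIComponent throws
// URIError on malformed escapes, so that case falls back to null.
function emailFromUrlAfter(url: string): string | null {
  const raw = url.match(CALENDAR_SEGMENT)?.[1];
  if (raw === undefined) return null;
  try {
    return decodeURIComponent(raw);
  } catch {
    return null;
  }
}

// Constructed sample URLs (not taken from the project or its tests).
const BASE = "https://example.test/calendars/";
const SAMPLE_URLS: string[] = [
  BASE + "user%40example.com/events",         // single %40
  BASE + "a%40b%40example.com/events",        // multiple %40
  BASE + "first%2Blast%40example.com/events", // another encoded character
  BASE + "bad%ZZ%40example.com/events",       // malformed percent-encoding
  "https://example.test/users/me",            // no calendar segment
];

// Run both versions side by side so the difference is visible per input.
function compare(urls: string[]): { url: string; before: string | null; after: string | null }[] {
  return urls.map((url) => ({
    url,
    before: emailFromUrlBefore(url),
    after: emailFromUrlAfter(url),
  }));
}

console.log(compare(SAMPLE_URLS));
```

The malformed case is the one to watch downstream: the old code returned a half-decoded string there, while the new code returns null, so callers must already handle a null email.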