URI-encoded path parameters get broken

[TorstenForth]

Hi,

I submit a string containing the '/' character with Swagger UI in the browser (as a path parameter).
When I receive the string in req.params, the string contains the URI-encoded '%2F'.

I was debugging into the source code and found out that the req.params (which are URI-decoded by Express) are overwritten with the original (not URI-decoded) values.
The params are overwritten in the file src/index.ts, line 140 of Commit 00273f7

``

  if (openapi?.pathParams) {
    const { pathParams } = openapi;
    // override path params
    req.params[name] = pathParams[name] || req.params[name];
  }

``

[cdimascio]

@TorstenForth thanks for the issue. perhaps the validator (like express) must also decode the path param prior to overriding it. is this effectively what you are suggesting? also if you feel so inclined, feel free to make the change and submit a PR. i'm happy to review

[TorstenForth]

@cdimascio Thanks for the quick reply. Decoding the path params would work for me. I'm not familiar with the internals of the validator. Why are the parameters actually overwritten?

Is it ok to change line 140 to
req.params[name] = decodeURIComponent(pathParams[name]) || req.params[name];?

I tried to push a branch with the fix for the pull request but I gut a 'Permission denied' error.

[cdimascio]

Sure, please give that a try. If all 200+ tests pass, we should be good shape, but i'll review to be sure.

To create the PR
tldr

• Find a project you want to contribute to
• Fork it
• Clone it to your local system
• Make a new branch
• Make your changes
• Push it back to your repo
• From the Github UI, Click the Compare & pull request button (NOTE: this button will be present for some window of time after you pushed. If the button no longer appears, click pull request button and choose branches manually)
• From the Github UI, Click Create pull request to open a new pull request

Detailed steps with example here:

(I'll add this process to CONTRIBUTING.md as other have also asked)

it's done to keep the params synced with the spec schema, code

[cdimascio]

Also, if you don't, please provide the relevant aspects of your spec, your express handler function, and the http call you are making. this will help me to repro

[cdimascio]

If your change does not work, another thing to try might be to modify
openapi.metadata.ts line 55. This is where the path param value is extracted. It may need to be decoded there as it's much earlier in the process. the override occurs very late.

something like

const paramsVals = matchedRoute.slice(1).map(decodeURIComponent);

[cdimascio]

@TorstenForth i had a look at this issue. it should be resolved now. see v3.9.4. let me know how it goes. thanks!

[TorstenForth]

@cdimascio Thank you very much. It works well now.