Merge pull request #33 from phiHero/master

fix: encode URL user-inputted Ids to prevent injection

Author: jasonbosco

lib/typesense/alias.rb

@@ -18,7 +18,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Aliases::RESOURCE_PATH}/#{@name}"
+      "#{Aliases::RESOURCE_PATH}/#{ERB::Util.url_encode(@name)}"
     end
   end
 end

lib/typesense/aliases.rb

@@ -24,7 +24,7 @@ def [](alias_name)
     private
 
     def endpoint_path(alias_name)
-      "#{Aliases::RESOURCE_PATH}/#{alias_name}"
+      "#{Aliases::RESOURCE_PATH}/#{ERB::Util.url_encode(alias_name)}"
     end
   end
 end

lib/typesense/analytics_rule.rb

@@ -18,7 +18,7 @@ def delete
     private
 
     def endpoint_path
-      "#{AnalyticsRules::RESOURCE_PATH}/#{@rule_name}"
+      "#{AnalyticsRules::RESOURCE_PATH}/#{ERB::Util.url_encode(@rule_name)}"
     end
   end
 end

lib/typesense/analytics_rules.rb

@@ -24,7 +24,7 @@ def [](rule_name)
     private
 
     def endpoint_path(operation = nil)
-      "#{AnalyticsRules::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
+      "#{AnalyticsRules::RESOURCE_PATH}#{operation.nil? ? '' : "/#{ERB::Util.url_encode(operation)}"}"
     end
   end
 end

lib/typesense/collection.rb

@@ -27,7 +27,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Collections::RESOURCE_PATH}/#{@name}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@name)}"
     end
   end
 end

lib/typesense/document.rb

@@ -23,7 +23,7 @@ def update(partial_document, options = {})
     private
 
     def endpoint_path
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Documents::RESOURCE_PATH}/#{@document_id}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Documents::RESOURCE_PATH}/#{ERB::Util.url_encode(@document_id)}"
     end
   end
 end

lib/typesense/documents.rb

@@ -75,7 +75,7 @@ def delete(query_parameters = {})
     private
 
     def endpoint_path(operation = nil)
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Documents::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Documents::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
     end
   end
 end

lib/typesense/key.rb

@@ -18,7 +18,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Keys::RESOURCE_PATH}/#{@id}"
+      "#{Keys::RESOURCE_PATH}/#{ERB::Util.url_encode(@id)}"
     end
   end
 end

lib/typesense/override.rb

@@ -19,7 +19,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Overrides::RESOURCE_PATH}/#{@override_id}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Overrides::RESOURCE_PATH}/#{ERB::Util.url_encode(@override_id)}"
     end
   end
 end

lib/typesense/overrides.rb

@@ -25,7 +25,7 @@ def [](override_id)
     private
 
     def endpoint_path(operation = nil)
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Overrides::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Overrides::RESOURCE_PATH}#{operation.nil? ? '' : "/#{ERB::Util.url_encode(operation)}"}"
     end
   end
 end