fix: encode URL user-inputted Ids to prevent injection

lib/typesense/alias.rb

@@ -18,7 +18,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Aliases::RESOURCE_PATH}/#{@name}"
+      "#{Aliases::RESOURCE_PATH}/#{ERB::Util.url_encode(@name)}"
     end
   end
 end

lib/typesense/aliases.rb

@@ -24,7 +24,7 @@ def [](alias_name)
     private
 
     def endpoint_path(alias_name)
-      "#{Aliases::RESOURCE_PATH}/#{alias_name}"
+      "#{Aliases::RESOURCE_PATH}/#{ERB::Util.url_encode(alias_name)}"
     end
   end
 end

lib/typesense/analytics_rule.rb

@@ -18,7 +18,7 @@ def delete
     private
 
     def endpoint_path
-      "#{AnalyticsRules::RESOURCE_PATH}/#{@rule_name}"
+      "#{AnalyticsRules::RESOURCE_PATH}/#{ERB::Util.url_encode(@rule_name)}"
     end
   end
 end

lib/typesense/analytics_rules.rb

@@ -24,7 +24,7 @@ def [](rule_name)
     private
 
     def endpoint_path(operation = nil)
-      "#{AnalyticsRules::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
+      "#{AnalyticsRules::RESOURCE_PATH}#{operation.nil? ? '' : "/#{ERB::Util.url_encode(operation)}"}"
     end
   end
 end

lib/typesense/collection.rb

@@ -27,7 +27,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Collections::RESOURCE_PATH}/#{@name}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@name)}"
     end
   end
 end

lib/typesense/document.rb

@@ -23,7 +23,7 @@ def update(partial_document, options = {})
     private
 
     def endpoint_path
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Documents::RESOURCE_PATH}/#{@document_id}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Documents::RESOURCE_PATH}/#{ERB::Util.url_encode(@document_id)}"
     end
   end
 end

lib/typesense/documents.rb

@@ -75,7 +75,7 @@ def delete(query_parameters = {})
     private
 
     def endpoint_path(operation = nil)
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Documents::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Documents::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
     end
   end
 end

lib/typesense/key.rb

@@ -18,7 +18,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Keys::RESOURCE_PATH}/#{@id}"
+      "#{Keys::RESOURCE_PATH}/#{ERB::Util.url_encode(@id)}"
     end
   end
 end

lib/typesense/override.rb

@@ -19,7 +19,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Overrides::RESOURCE_PATH}/#{@override_id}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Overrides::RESOURCE_PATH}/#{ERB::Util.url_encode(@override_id)}"
     end
   end
 end

lib/typesense/overrides.rb

@@ -25,7 +25,7 @@ def [](override_id)
     private
 
     def endpoint_path(operation = nil)
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Overrides::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Overrides::RESOURCE_PATH}#{operation.nil? ? '' : "/#{ERB::Util.url_encode(operation)}"}"
     end
   end
 end

lib/typesense/preset.rb

@@ -18,7 +18,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Presets::RESOURCE_PATH}/#{@preset_name}"
+      "#{Presets::RESOURCE_PATH}/#{ERB::Util.url_encode(@preset_name)}"
     end
   end
 end

lib/typesense/presets.rb

@@ -24,7 +24,7 @@ def [](preset_name)
     private
 
     def endpoint_path(operation = nil)
-      "#{Presets::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
+      "#{Presets::RESOURCE_PATH}#{operation.nil? ? '' : "/#{ERB::Util.url_encode(operation)}"}"
     end
   end
 end

lib/typesense/synonym.rb

@@ -19,7 +19,7 @@ def delete
     private
 
     def endpoint_path
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Synonyms::RESOURCE_PATH}/#{@synonym_id}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Synonyms::RESOURCE_PATH}/#{ERB::Util.url_encode(@synonym_id)}"
     end
   end
 end

lib/typesense/synonyms.rb

@@ -25,7 +25,7 @@ def [](synonym_id)
     private
 
     def endpoint_path(operation = nil)
-      "#{Collections::RESOURCE_PATH}/#{@collection_name}#{Synonyms::RESOURCE_PATH}#{operation.nil? ? '' : "/#{operation}"}"
+      "#{Collections::RESOURCE_PATH}/#{ERB::Util.url_encode(@collection_name)}#{Synonyms::RESOURCE_PATH}#{operation.nil? ? '' : "/#{ERB::Util.url_encode(operation)}"}"
     end
   end
 end

spec/typesense/alias_spec.rb

@@ -4,7 +4,9 @@
 require_relative 'shared_configuration_context'
 
 describe Typesense::Alias do
-  subject(:books_alias) { typesense.aliases['books'] }
+  subject(:client) { typesense }
+
+  let(:books_alias) { typesense.aliases['books'] }
 
   include_context 'with Typesense configuration'
 
@@ -21,6 +23,19 @@
 
       expect(result).to eq('collection_name' => 'books_january')
     end
+
+    it 'returns the specified alias with URI encoded name' do
+      stub_request(:get, Typesense::ApiCall.new(typesense.configuration).send(:uri_for, '/aliases/abc123%3F%3D%2B-_!%40%23%24%25%5E%26*()~%20%2F', typesense.configuration.nodes[0]))
+        .with(headers: {
+                'X-Typesense-Api-Key' => typesense.configuration.api_key,
+                'Content-Type' => 'application/json'
+              })
+        .to_return(status: 200, body: JSON.dump('collection_name' => 'books_january'), headers: { 'Content-Type': 'application/json' })
+
+      result = client.aliases["abc123?=+-_!@\#$%^&*()~ /"].retrieve
+
+      expect(result).to eq('collection_name' => 'books_january')
+    end
   end
 
   describe '#delete' do