fix: only decode in parseString

Author: jdalton

src/constants.js

@@ -2,6 +2,15 @@
 
 const LOOP_SENTINEL = 1_000_000
 
+const REUSED_SEARCH_PARAMS = new URLSearchParams()
+
+const REUSED_SEARCH_PARAMS_KEY = '_'
+
+const REUSED_SEARCH_PARAMS_OFFSET = 2 // '_='.length
+
 module.exports = {
-    LOOP_SENTINEL
+    LOOP_SENTINEL,
+    REUSED_SEARCH_PARAMS,
+    REUSED_SEARCH_PARAMS_KEY,
+    REUSED_SEARCH_PARAMS_OFFSET
 }

src/decode.js

@@ -0,0 +1,14 @@
+'use strict'
+
+const { decodeURIComponent: decodeURIComponent_ } = globalThis
+
+function decodeURIComponent(encodedURIComponent) {
+    try {
+        return decodeURIComponent_(encodedURIComponent)
+    } catch {}
+    return encodedURIComponent
+}
+
+module.exports = {
+    decodeURIComponent
+}

src/encode.js

@@ -1,12 +1,13 @@
 'use strict'
 
+const {
+    REUSED_SEARCH_PARAMS,
+    REUSED_SEARCH_PARAMS_KEY,
+    REUSED_SEARCH_PARAMS_OFFSET
+} = require('./constants')
 const { isObject } = require('./objects')
 const { isNonEmptyString } = require('./strings')
 
-const reusedSearchParams = new URLSearchParams()
-const reusedSearchParamKey = '_'
-const reusedSearchParamOffset = 2 // '_='.length
-
 const { encodeURIComponent } = globalThis
 
 function encodeNamespace(namespace) {
@@ -22,9 +23,9 @@ function encodeQualifierParam(param) {
         // Param key and value are encoded with `percentEncodeSet` of
         // 'application/x-www-form-urlencoded' and `spaceAsPlus` of `true`.
         // https://url.spec.whatwg.org/#urlencoded-serializing
-        reusedSearchParams.set(reusedSearchParamKey, param)
+        REUSED_SEARCH_PARAMS.set(REUSED_SEARCH_PARAMS_KEY, param)
         return replacePlusSignWithPercentEncodedSpace(
-            reusedSearchParams.toString().slice(reusedSearchParamOffset)
+            REUSED_SEARCH_PARAMS.toString().slice(REUSED_SEARCH_PARAMS_OFFSET)
         )
     }
     return ''

src/normalize.js

@@ -3,17 +3,13 @@
 const { isObject } = require('./objects')
 const { isBlank } = require('./strings')
 
-const { decodeURIComponent } = globalThis
-
 function normalizeName(rawName) {
-    return typeof rawName === 'string'
-        ? decodeURIComponent(rawName).trim()
-        : undefined
+    return typeof rawName === 'string' ? rawName.trim() : undefined
 }
 
 function normalizeNamespace(rawNamespace) {
     return typeof rawNamespace === 'string'
-        ? normalizePath(decodeURIComponent(rawNamespace))
+        ? normalizePath(rawNamespace)
         : undefined
 }
 
@@ -74,22 +70,20 @@ function normalizeQualifiers(rawQualifiers) {
 
 function normalizeSubpath(rawSubpath) {
     return typeof rawSubpath === 'string'
-        ? normalizePath(decodeURIComponent(rawSubpath), subpathFilter)
+        ? normalizePath(rawSubpath, subpathFilter)
         : undefined
 }
 
 function normalizeType(rawType) {
     // The type must NOT be percent-encoded.
     // The type is case insensitive. The canonical form is lowercase.
     return typeof rawType === 'string'
-        ? decodeURIComponent(rawType).trim().toLowerCase()
+        ? rawType.trim().toLowerCase()
         : undefined
 }
 
 function normalizeVersion(rawVersion) {
-    return typeof rawVersion === 'string'
-        ? decodeURIComponent(rawVersion).trim()
-        : undefined
+    return typeof rawVersion === 'string' ? rawVersion.trim() : undefined
 }
 
 function qualifiersToEntries(rawQualifiers) {

src/package-url.js

@@ -21,6 +21,7 @@ SOFTWARE.
 */
 'use strict'
 
+const { decodeURIComponent } = require('./decode')
 const { isObject, recursiveFreeze } = require('./objects')
 const { isBlank, isNonEmptyString, trimLeadingSlashes } = require('./strings')
 
@@ -172,10 +173,11 @@ class PackageURL {
 
         const { pathname } = url
         const firstSlashIndex = pathname.indexOf('/')
-        const rawType =
+        const rawType = decodeURIComponent(
             firstSlashIndex === -1
                 ? pathname
                 : pathname.slice(0, firstSlashIndex)
+        )
         if (firstSlashIndex < 1) {
             return [
                 rawType,
@@ -204,20 +206,24 @@ class PackageURL {
         )
         if (atSignIndex !== -1) {
             // Split the remainder once from right on '@'.
-            rawVersion = pathname.slice(atSignIndex + 1)
+            rawVersion = decodeURIComponent(pathname.slice(atSignIndex + 1))
         }
 
         let rawNamespace
         let rawName
         const lastSlashIndex = beforeVersion.lastIndexOf('/')
         if (lastSlashIndex === -1) {
             // Split the remainder once from right on '/'.
-            rawName = beforeVersion
+            rawName = decodeURIComponent(beforeVersion)
         } else {
             // Split the remainder once from right on '/'.
-            rawName = beforeVersion.slice(lastSlashIndex + 1)
+            rawName = decodeURIComponent(
+                beforeVersion.slice(lastSlashIndex + 1)
+            )
             // Split the remainder on '/'.
-            rawNamespace = beforeVersion.slice(0, lastSlashIndex)
+            rawNamespace = decodeURIComponent(
+                beforeVersion.slice(0, lastSlashIndex)
+            )
         }
 
         let rawQualifiers
@@ -231,7 +237,7 @@ class PackageURL {
         const { hash } = url
         if (hash.length !== 0) {
             // Split the purl string once from right on '#'.
-            rawSubpath = hash.slice(1)
+            rawSubpath = decodeURIComponent(hash.slice(1))
         }
 
         return [

test/data/contrib-tests.json

@@ -142,5 +142,65 @@
     "qualifiers": null,
     "subpath": null,
     "is_invalid": false
+  },
+  {
+    "description": "percent encoded namespace",
+    "purl": "pkg:type/100%/name",
+    "canonical_purl": "pkg:type/100%25/name",
+    "type": "type",
+    "namespace": "100%",
+    "name": "name",
+    "version": null,
+    "qualifiers": null,
+    "subpath": null,
+    "is_invalid": false
+  },
+  {
+    "description": "percent encoded name",
+    "purl": "pkg:type/namespace/100%",
+    "canonical_purl": "pkg:type/namespace/100%25",
+    "type": "type",
+    "namespace": "namespace",
+    "name": "100%",
+    "version": null,
+    "qualifiers": null,
+    "subpath": null,
+    "is_invalid": false
+  },
+  {
+    "description": "percent encoded version",
+    "purl": "pkg:type/namespace/name@100%",
+    "canonical_purl": "pkg:type/namespace/name@100%25",
+    "type": "type",
+    "namespace": "namespace",
+    "name": "name",
+    "version": "100%",
+    "qualifiers": null,
+    "subpath": null,
+    "is_invalid": false
+  },
+  {
+    "description": "percent encoded qualifiers",
+    "purl": "pkg:type/namespace/name@1.0?a=100%",
+    "canonical_purl": "pkg:type/namespace/name@1.0?a=100%25",
+    "type": "type",
+    "namespace": "namespace",
+    "name": "name",
+    "version": "1.0",
+    "qualifiers": { "a": "100%" },
+    "subpath": null,
+    "is_invalid": false
+  },
+  {
+    "description": "percent encoded subpath",
+    "purl": "pkg:type/namespace/name@1.0#100%",
+    "canonical_purl": "pkg:type/namespace/name@1.0#100%25",
+    "type": "type",
+    "namespace": "namespace",
+    "name": "name",
+    "version": "1.0",
+    "qualifiers": null,
+    "subpath": "100%",
+    "is_invalid": false
   }
 ]

test/package-url.spec.js

@@ -169,6 +169,48 @@ describe('PackageURL', function () {
                 testInvalid(paramName)
             })
         })
+
+        it('should not decode params', () => {
+            assert.strictEqual(
+                new PackageURL('type', '%21', 'name').toString(),
+                'pkg:type/%2521/name'
+            )
+            assert.strictEqual(
+                new PackageURL('type', 'namespace', '%21').toString(),
+                'pkg:type/namespace/%2521'
+            )
+            assert.strictEqual(
+                new PackageURL('type', 'namespace', 'name', '%21').toString(),
+                'pkg:type/namespace/name@%2521'
+            )
+            assert.strictEqual(
+                new PackageURL('type', 'namespace', 'name', '1.0', {
+                    a: '%21'
+                }).toString(),
+                'pkg:type/namespace/name@1.0?a=%2521'
+            )
+            assert.strictEqual(
+                new PackageURL(
+                    'type',
+                    'namespace',
+                    'name',
+                    '1.0',
+                    'a=%2521'
+                ).toString(),
+                'pkg:type/namespace/name@1.0?a=%2521'
+            )
+            assert.strictEqual(
+                new PackageURL(
+                    'type',
+                    'namespace',
+                    'name',
+                    '1.0',
+                    null,
+                    '%21'
+                ).toString(),
+                'pkg:type/namespace/name@1.0#%2521'
+            )
+        })
     })
 
     describe('toString()', function () {