Update with PR suggestions

Kem-Gov · Kem-Gov · commit d564f6f3eb99 · 2025-11-26T16:41:35.000Z
diff --git a/utils/url/url.go b/utils/url/url.go
@@ -16,24 +16,25 @@ const (
 	minimumPathParameterLength = 3
 )
 
-var validParamRegex = regexp.MustCompile(`^\{[A-Za-z0-9_-]+\}$`)
+// Section 3.3 of RFC3986 details valid characters for path segments (see https://datatracker.ietf.org/doc/html/rfc3986#section-3.3)
+var validPathRegex = regexp.MustCompile(`^(?:[A-Za-z0-9._~\-!$&'()*+,;=:@{}]|%[0-9A-Fa-f]{2})+$`)
 
-// The expected signature for path segment matcher functions.
+// PathSegmentMatcherFunc defines the signature for path segment matcher functions.
 type PathSegmentMatcherFunc = func(segmentA, segmentB string) (match bool, err error)
 
 // ValidatePathParameter checks whether a path parameter is valid. An error is returned if it is invalid.
 // Version 3.1.0 of the OpenAPI spec provides some guidance for path parameter values (see https://spec.openapis.org/oas/v3.1.0.html#path-templating)
 func ValidatePathParameter(parameter string) error {
-	if reflection.IsEmpty(parameter) || len(parameter) < minimumPathParameterLength {
-		return commonerrors.Newf(commonerrors.ErrInvalid, "parameter segment %q must have length greater than or equal to three", parameter)
+	if !IsPathParameter(parameter) {
+		return commonerrors.Newf(commonerrors.ErrInvalid, "parameter %q must not be empty, cannot contain only whitespaces, have a length greater than or equal to three, start with an opening brace, and end with a closing brace", parameter)
 	}
 
 	unescapedSegment, err := netUrl.PathUnescape(parameter)
 	if err != nil {
 		return commonerrors.WrapErrorf(commonerrors.ErrInvalid, err, "an error occurred during path unescaping for parameter %q", parameter)
 	}
 
-	if !validParamRegex.MatchString(unescapedSegment) {
+	if !validPathRegex.MatchString(unescapedSegment) {
 		return commonerrors.Newf(commonerrors.ErrInvalid, "parameter %q unescaped to %q can only contain alphanumeric characters, dashes, underscores, and a single pair of braces", parameter, unescapedSegment)
 	}
 
@@ -42,7 +43,19 @@ func ValidatePathParameter(parameter string) error {
 
 // IsPathParameter checks whether the parameter string is a path parameter as described by the OpenAPI spec (see https://spec.openapis.org/oas/v3.0.0.html#path-templating).
 func IsPathParameter(parameter string) bool {
-	return !reflection.IsEmpty(parameter) && strings.HasPrefix(parameter, "{") && strings.HasSuffix(parameter, "}")
+	if reflection.IsEmpty(parameter) {
+		return false
+	}
+
+	if len(parameter) < minimumPathParameterLength {
+		return false
+	}
+
+	if !strings.HasPrefix(parameter, "{") || !strings.HasSuffix(parameter, "}") {
+		return false
+	}
+
+	return strings.Count(parameter, "{") == 1 && strings.Count(parameter, "}") == 1
 }
 
 // HasMatchingPathSegments checks whether two path strings match based on their segments by doing a simple equality check on each path segment pair.
diff --git a/utils/url/url_test.go b/utils/url/url_test.go
@@ -27,12 +27,17 @@ func TestUrl_IsPathParameter(t *testing.T) {
 			true,
 		},
 		{
-			"missing left brace",
+			"only whitespace",
+			"  ",
+			false,
+		},
+		{
+			"missing opening brace",
 			"abc}",
 			false,
 		},
 		{
-			"missing right brace",
+			"missing closing brace",
 			"{abc",
 			false,
 		},
@@ -41,6 +46,11 @@ func TestUrl_IsPathParameter(t *testing.T) {
 			"abc",
 			false,
 		},
+		{
+			"contains multiple braces",
+			"{{abc}}",
+			false,
+		},
 		{
 			"with encoded asterisk",
 			"{abc%2A123}", // unescaped as '{abc*123}'
@@ -51,6 +61,11 @@ func TestUrl_IsPathParameter(t *testing.T) {
 			"{%20abc%20}", // unescaped as '{ abc }'
 			true,
 		},
+		{
+			"with valid special characters",
+			"{abc$123.zzz~999}",
+			true,
+		},
 	}
 
 	for i := range tests {
@@ -72,18 +87,23 @@ func TestUrl_ValidatePathParameter(t *testing.T) {
 			"{abc}",
 			nil,
 		},
+		{
+			"with valid special characters",
+			"{abc.-_+$@!123(a)}",
+			nil,
+		},
 		{
 			"with encoded underscore",
 			"{abc%5F1}", // unescaped as '{abc_1}'
 			nil,
 		},
 		{
-			"missing left brace",
+			"missing opening brace",
 			"abc}",
 			commonerrors.ErrInvalid,
 		},
 		{
-			"missing right brace",
+			"missing closing brace",
 			"{abc",
 			commonerrors.ErrInvalid,
 		},
@@ -92,9 +112,19 @@ func TestUrl_ValidatePathParameter(t *testing.T) {
 			"abc",
 			commonerrors.ErrInvalid,
 		},
+		{
+			"contains multiple braces",
+			"{{abc}}",
+			commonerrors.ErrInvalid,
+		},
 		{
 			"with encoded asterisk",
 			"{abc%2A123}", // unescaped as '{abc*123}'
+			nil,
+		},
+		{
+			"with encoded hash",
+			"{abc%23123}", // unescaped as '{abc#123}'
 			commonerrors.ErrInvalid,
 		},
 		{
