Skip to content

fix: preserve unreserved path ID characters#865

Closed
zerone0x wants to merge 2 commits into
googleworkspace:mainfrom
zerone0x:fix/issue-842-script-id-encoding
Closed

fix: preserve unreserved path ID characters#865
zerone0x wants to merge 2 commits into
googleworkspace:mainfrom
zerone0x:fix/issue-842-script-id-encoding

Conversation

@zerone0x

@zerone0x zerone0x commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes #842

Preserve RFC 3986 unreserved characters in path parameter encoding so Apps Script IDs containing - and _ stay valid in script scripts run URLs.

Changes

  • Replace the overly strict NON_ALPHANUMERIC encode set with a path-segment encode set that leaves -, ., _, and ~ intact.
  • Keep URL-structure characters such as /, ?, #, %, @, and = percent-encoded.
  • Add a regression test using the scriptId shape from the issue.

Test Plan

  • cargo fmt -- --check
  • cargo test -q validate::tests::test_encode_path_segment_preserves_unreserved_script_id (blocked in this environment: linker cc is not installed, so Rust build scripts for dependencies fail before tests compile)
  • cargo test -q (same linker blocker)

Fixes googleworkspace#842

Co-Authored-By: bridge <bridge@nousresearch.com>
@changeset-bot

changeset-bot Bot commented Jul 5, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: c3d73f1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request modifies the URL path segment encoding logic to prevent unnecessary percent-encoding of RFC 3986 unreserved characters. By replacing the overly restrictive encoding set, the change ensures that identifiers containing dashes and underscores remain intact, which is critical for maintaining valid URLs for Apps Script operations.

Highlights

  • URL Encoding Update: Updated the encode_path_segment function to adhere to RFC 3986, ensuring that unreserved characters like -, ., _, and ~ are preserved rather than percent-encoded.
  • Regression Testing: Added a new test case to verify that Apps Script IDs containing special characters remain valid after encoding.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@google-cla

google-cla Bot commented Jul 5, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@zerone0x

zerone0x commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #867, which is rebased onto upstream main to avoid the fork branch conflict.

@zerone0x zerone0x closed this Jul 5, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates encode_path_segment in src/validate.rs to preserve RFC 3986 unreserved characters (-, ., _, ~) instead of encoding all non-alphanumeric characters. The reviewer pointed out that manually constructing the encode set from CONTROLS is error-prone and leaves characters like & unencoded, potentially allowing query parameter injection. A cleaner and safer approach was suggested to start from NON_ALPHANUMERIC and remove the four unreserved characters.

Comment thread src/validate.rs
Comment on lines +175 to +199
use percent_encoding::{utf8_percent_encode, AsciiSet, CONTROLS};

const PATH_SEGMENT_ENCODE_SET: &AsciiSet = &CONTROLS
.add(b' ')
.add(b'"')
.add(b'#')
.add(b'%')
.add(b'<')
.add(b'>')
.add(b'?')
.add(b'`')
.add(b'{')
.add(b'}')
.add(b'/')
.add(b':')
.add(b';')
.add(b'=')
.add(b'@')
.add(b'[')
.add(b'\\')
.add(b']')
.add(b'^')
.add(b'|');

utf8_percent_encode(s, PATH_SEGMENT_ENCODE_SET).to_string()

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

Defining the encode set by manually adding individual characters to CONTROLS is verbose, error-prone, and accidentally leaves characters like & (and other sub-delimiters like +, !, $, etc.) unencoded. Leaving & unencoded in a path segment allows query parameter injection (e.g., if an ID contains ?fields=name&alt=json, the &alt=json portion will be treated as a query parameter of the outer request rather than part of the path segment).

Instead, define the encode set by starting from NON_ALPHANUMERIC and removing only the four RFC 3986 unreserved characters (-, ., _, ~). This is much cleaner, safer, and perfectly aligns with the goal of leaving only those four characters intact.

Suggested change
use percent_encoding::{utf8_percent_encode, AsciiSet, CONTROLS};
const PATH_SEGMENT_ENCODE_SET: &AsciiSet = &CONTROLS
.add(b' ')
.add(b'"')
.add(b'#')
.add(b'%')
.add(b'<')
.add(b'>')
.add(b'?')
.add(b'`')
.add(b'{')
.add(b'}')
.add(b'/')
.add(b':')
.add(b';')
.add(b'=')
.add(b'@')
.add(b'[')
.add(b'\\')
.add(b']')
.add(b'^')
.add(b'|');
utf8_percent_encode(s, PATH_SEGMENT_ENCODE_SET).to_string()
use percent_encoding::{utf8_percent_encode, AsciiSet, NON_ALPHANUMERIC};
const PATH_SEGMENT_ENCODE_SET: &AsciiSet = &NON_ALPHANUMERIC
.remove(b'-')
.remove(b'.')
.remove(b'_')
.remove(b'~');
utf8_percent_encode(s, PATH_SEGMENT_ENCODE_SET).to_string()

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

script scripts run percent-encodes unreserved characters in scriptId path parameter, causing 404

1 participant