feat: protect URL path integrity from unsafe interpolated values

Path parameters containing `/`, `#`, or other reserved characters would corrupt the URL structure. A tagged template literal now applies encodeURIComponent to all interpolated path segments. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
block65 · maxholman · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
commit 0d966b2cfae272e629b5d5880d79337b1cb2fa9f
diff --git a/lib/process-document.ts b/lib/process-document.ts
@@ -136,6 +136,30 @@ export async function processOpenApiDocument(
 		moduleSpecifier: "@block65/rest-client",
 	});
 
+	commandsFile.addFunction({
+		name: "encodePath",
+		docs: [
+			{
+				description: wordWrap(
+					"Tagged template literal that applies encodeURIComponent to all interpolated values, protecting path integrity from characters like `/` and `#`.",
+				),
+				tags: [
+					{
+						tagName: "example",
+						text: 'encodePath`/users/${userId}` // "/users/foo%2Fbar"',
+					},
+				],
+			},
+		],
+		parameters: [
+			{ name: "strings", type: "TemplateStringsArray" },
+			{ name: "...values", type: "string[]" },
+		],
+		returnType: "string",
+		statements:
+			"return String.raw({ raw: strings }, ...values.map(encodeURIComponent));",
+	});
+
 	commandsFile.addImportDeclaration({
 		namedImports: ["Jsonifiable"],
 		moduleSpecifier: "type-fest",
@@ -786,9 +810,10 @@ export async function processOpenApiDocument(
 							?.addTypeArgument(queryType.getName());
 					}
 
-					const pathname = `\`${path
-						// .replaceAll(/\{(\w+)\}/g, camelcase)
-						.replaceAll(/{/g, "${")}\``;
+					const hasPathParams = path.includes("{");
+					const pathname = hasPathParams
+						? `encodePath\`${path.replaceAll(/{/g, "${")}\``
+						: `"${path}"`;
 
 					const hasJsonBody = !!jsonBodyType;