URL-encode query parameter values in APIClient._add_params #20

New Issue

Closed

opened 2026-02-20 06:49:04 +00:00 by cal · 2 comments

cal commented 2026-02-20 06:49:04 +00:00

Owner

Copy Link

Description

api/client.py:101 — _add_params builds query strings by simple string concatenation (f"{key}={value}"). Values are not passed through urllib.parse.quote. Path segments (object_id) are correctly encoded with quote(). If any query parameter value contains &, =, #, or spaces (e.g., a player name), the resulting URL will be malformed. Fix: use urllib.parse.urlencode(params).

File Locations

• api/client.py:101

Labels

bug, security

Priority

high

## Description `api/client.py:101` — `_add_params` builds query strings by simple string concatenation (`f"{key}={value}"`). Values are not passed through `urllib.parse.quote`. Path segments (`object_id`) are correctly encoded with `quote()`. If any query parameter value contains `&`, `=`, `#`, or spaces (e.g., a player name), the resulting URL will be malformed. Fix: use `urllib.parse.urlencode(params)`. ## File Locations - `api/client.py:101` ## Labels bug, security ## Priority high

cal referenced this issue from a commit 2026-02-20 16:39:04 +00:00

fix: address 7 security issues across the codebase

cal commented 2026-02-20 16:48:26 +00:00

Author

Owner

Copy Link

Addressed in commit f4be20a on next-release branch. Will be closed when merged to main.

Addressed in commit f4be20a on `next-release` branch. Will be closed when merged to main.

cal commented 2026-02-20 16:48:33 +00:00

Author

Owner

Copy Link

Addressed in commit f4be20a on next-release branch. Will be closed when merged to main.

Addressed in commit `f4be20a` on `next-release` branch. Will be closed when merged to main.

cal closed this issue 2026-02-20 20:29:06 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/submit-modal-missing-logger

ai/major-domo-v2-91

ai/major-domo-v2-82

fix/scorecard-submission-resilience

fix/utc-timezone-scheduling

fix/scorebug-bugs

2026.3.13

2026.3.12

2026.3.11

2026.3.10

2026.3.9

2026.3.8

2026.3.7

2026.3.6

2026.3.5

2026.3.4

2026.3.3

2026.3.2

2026.3.1

2026.2.5

2026.2.4

2026.2.3

2026.2.2

2026.2.1

Labels

Clear labels   

ai-changes-requested

  

ai-pr-opened

  

ai-reviewed

  

ai-reviewing

  

ai-working

  

in-next-release

Fix included in the next-release branch, pending merge to main

  

status/in-progress

Work is actively in progress

  

status/pr-open

A pull request has been opened for this issue

No Label

ai-changes-requested

ai-pr-opened

ai-reviewed

ai-reviewing

ai-working

in-next-release

status/in-progress

status/pr-open

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: cal/major-domo-v2#20

No description provided.