From dfc42819cbf09a5a208ca9591a13e5a01b1a9f47 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Mon, 24 Apr 2023 12:43:16 -0700
Subject: [PATCH] fix: decodeURI <- decodeURIComponent (#149)
* fix: correctly decode path
* chore: add tests
---------
Co-authored-by: Luke Edwards
---
 packages/sirv/index.js | 2 +-
 tests/sirv.js | 32 ++++++++++++++++++++++++++++++--
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/packages/sirv/index.js b/packages/sirv/index.js
index c4a3538..c93bbe6 100644
--- a/packages/sirv/index.js
+++ b/packages/sirv/index.js
@@ -172,7 +172,7 @@ export default function (dir, opts={}) {
 extns.push(...extensions); // [...br, ...gz, orig, ...exts]
 if (pathname.indexOf('%') !== -1) {
- try { pathname = decodeURIComponent(pathname) }
+ try { pathname = decodeURI(pathname) }
 catch (err) { /* malform uri */ }
 }
diff --git a/tests/sirv.js b/tests/sirv.js
index d378111..3e94e67 100644
--- a/tests/sirv.js
+++ b/tests/sirv.js
@@ -123,7 +123,7 @@ encode('should work when the request path contains encoded characters :: prod',
 }
 });
-encode(`should work when the request path contains space encoded :: dev`, async () => {
+encode('should work when the request path contains space encoded :: dev', async () => {
 let server = utils.http({ dev: true });
 try {
@@ -136,7 +136,7 @@ encode(`should work when the request path contains space encoded :: dev`, async
 }
 });
-encode(`should work when the request path contains space encoded :: prod`, async () => {
+encode('should work when the request path contains space encoded :: prod', async () => {
 let server = utils.http({ dev: false });
 try {
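Review bot: In the packages/sirv/index.js hunk, `decodeURI(pathname)` keeps every reserved escape encoded, not only `%2F`: escapes for any of `; / ? : @ & = + $ , #` (for example `%23`, `%2B`, `%2C`) stay as written, so a file whose name contains one of those characters will presumably stop resolving when it is requested in percent-encoded form. It still decodes `%5C` to a backslash, which is a path separator on Windows; how the later lookup treats that is not visible in this hunk and deserves a test beside the `%2F` ones. If the aim is only to stop an encoded separator from changing the segment structure, decoding each `/`-separated segment with `decodeURIComponent` and refusing a segment that decodes to contain `/` or `\` would be narrower. At minimum the changed line should say why, e.g. `// decodeURI on purpose: reserved escapes such as %2F stay encoded so they cannot act as path separators`. The enclosing function starts and ends outside the hunk.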
@@ -149,6 +149,34 @@ encode(`should work when the request path contains space encoded :: prod`, async
 }
 });
+encode('should not treat "/foo%2Fbar.txt" the same as "/foo.bar.txt" path :: dev', async () => {
+ let server = utils.http({ dev: true });
+
+ try {
+ let res1 = await server.send('GET', '/about/index.htm');
+ assert.is(res1.statusCode, 200);
+
+ let res2 = await server.send('GET', '/about%2Findex.htm').catch(r => r);
+ assert.is(res2.statusCode, 404);
+ } finally {
+ server.close();
+ }
+});
+
+encode('should not treat "/foo%2Fbar.txt" the same as "/foo.bar.txt" path :: prod', async () => {
+ let server = utils.http({ dev: false });
+
+ try {
+ let res1 = await server.send('GET', '/about/index.htm');
+ assert.is(res1.statusCode, 200);
+
+ let res2 = await server.send('GET', '/about%2Findex.htm').catch(r => r);
+ assert.is(res2.statusCode, 404);
+ } finally {
+ server.close();
+ }
+});
+
 encode.run();
 // ---
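Review bot: Both new test titles compare `"/foo%2Fbar.txt"` with `"/foo.bar.txt"`, while the bodies compare `/about%2Findex.htm` with `/about/index.htm`; the title should read `"/foo/bar.txt"` so that a failure report names the behaviour actually under test. The cases pin only the upper-case escape, so a second request for `'/about%2findex.htm'` expecting the same 404 would cover the lower-case spelling as well. Nothing here checks that a name containing a reserved character, requested in encoded form, is still served, which is the other behaviour this decoding change can affect.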