fix!: URL-encode path parameters in generated endpoints#1349
Merged
dbanty merged 1 commit intoopenapi-generators:mainfrom Nov 4, 2025
Merged
fix!: URL-encode path parameters in generated endpoints#1349dbanty merged 1 commit intoopenapi-generators:mainfrom
dbanty merged 1 commit intoopenapi-generators:mainfrom
Conversation
dbanty
added
🐞bug
dbanty
changed the title
Path parameters containing reserved characters (/, ?, &, #, spaces, etc.) were being inserted directly into URLs without encoding, causing malformed requests and potential security issues. Changes: - Import urllib.parse.quote in endpoint template - Wrap all path parameters with quote(str(...), safe="") to ensure proper encoding - Add comprehensive tests for various special characters in path parameters This ensures that path parameters are properly percent-encoded according to RFC 3986, preventing URL parsing errors and security vulnerabilities. Fixes cases where path parameters contain: - Slashes (/) -> %2F - Question marks (?) -> %3F - Ampersands (&) -> %26 - Hash/fragments (#) -> %23 - Spaces -> %20 - And other reserved characters
dbanty
force-pushed
the
fix/url-encoding
branch
from
7847cd0 to
a357949
Compare
dbanty
approved these changes
Nov 4, 2025
Collaborator
dbanty
left a comment
dbanty
left a comment
There was a problem hiding this comment.
Seems like the right call, though I will mark as a breaking change since someone was probably relying on the previous unsafe behavior 😓.
Thanks!
Closed
Merged
github-merge-queue bot
pushed a commit
that referenced
this pull request
Dec 3, 2025
> [!IMPORTANT] > Merging this pull request will create this release ## Breaking Changes - URL-encode path parameters in generated endpoints (#1349) ## Fixes ### Fix bad code generation #1360 by @EricAtORS This fixes: - missing parenthesis in to_multipart #1338 #1318 - missing imports in the lazy eval in to_multipart: #931 and #1051 ### Fix optional bodies If a body is not required (the default), it will now: 1. Have `Unset` as part of its type annotation. 2. Default to a value of `UNSET` 3. Not be included in the request if it is `UNSET` Thanks @orelmaliach for the report! Fixes #1354 Co-authored-by: knope-bot[bot] <152252888+knope-bot[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Path parameters containing reserved characters were being inserted directly into URLs without encoding, causing malformed requests and potential security issues.
Problem
When path parameters contain special characters like:
/)?)&)#)These were not being URL-encoded, leading to:
Solution
urllib.parse.quotein the endpoint templatequote(str(...), safe="")to ensure proper percent-encodingChanges
openapi_python_client/templates/endpoint_module.py.jinjato add URL encodingend_to_end_tests/functional_tests/generated_code_execution/test_path_parameters.pywith testsTest plan
pdm regenExample
Before:
After: