Properly escape input in the partitioned methods

This is a fix for apache#283. As discussed in that issue, this is probably a breaking change, and may need to wait for the next major version bump. All the other API's in Nano escape their path components (database names, design documents, views, etc.), but for some reason these partitioned ones do not.
swansontec · Nov 18, 2021 · ac7b770 · ac7b770
1 parent 2d4bd71
commit ac7b770
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/lib/nano.js b/lib/nano.js
@@ -1036,7 +1036,7 @@ module.exports = exports = function dbScope (cfg) {
 
       return relax({
         db: dbName,
-        path: '_partition/' + partitionKey
+        path: '_partition/' + encodeURIComponent(partitionKey)
       }, callback)
     }
 
@@ -1047,15 +1047,15 @@ module.exports = exports = function dbScope (cfg) {
       }
       return relax({
         db: dbName,
-        path: '_partition/' + partitionKey + '/_all_docs',
+        path: '_partition/' + encodeURIComponent(partitionKey) + '/_all_docs',
         qs: opts
       }, callback)
     }
 
     function partitionedListAsStream (partitionKey, qs) {
       return relax({
         db: dbName,
-        path: '_partition/' + partitionKey + '/_all_docs',
+        path: '_partition/' + encodeURIComponent(partitionKey) + '/_all_docs',
         qs: qs,
         stream: true
       })
@@ -1068,7 +1068,7 @@ module.exports = exports = function dbScope (cfg) {
 
       return relax({
         db: dbName,
-        path: '_partition/' + partition + '/_find',
+        path: '_partition/' + encodeURIComponent(partition) + '/_find',
         method: 'POST',
         body: query
       }, callback)
@@ -1077,7 +1077,7 @@ module.exports = exports = function dbScope (cfg) {
     function partitionedFindAsStream (partition, query) {
       return relax({
         db: dbName,
-        path: '_partition/' + partition + '/_find',
+        path: '_partition/' + encodeURIComponent(partition) + '/_find',
         method: 'POST',
         body: query,
         stream: true
@@ -1090,15 +1090,15 @@ module.exports = exports = function dbScope (cfg) {
       }
       return relax({
         db: dbName,
-        path: '_partition/' + partition + '/_design/' + ddoc + '/_search/' + searchName,
+        path: '_partition/' + encodeURIComponent(partition) + '/_design/' + encodeURIComponent(ddoc) + '/_search/' + encodeURIComponent(searchName),
         qs: opts
       }, callback)
     }
 
     function partitionedSearchAsStream (partition, ddoc, searchName, opts) {
       return relax({
         db: dbName,
-        path: '_partition/' + partition + '/_design/' + ddoc + '/_search/' + searchName,
+        path: '_partition/' + encodeURIComponent(partition) + '/_design/' + encodeURIComponent(ddoc) + '/_search/' + encodeURIComponent(searchName),
         qs: opts,
         stream: true
       })
@@ -1110,15 +1110,15 @@ module.exports = exports = function dbScope (cfg) {
       }
       return relax({
         db: dbName,
-        path: '_partition/' + partition + '/_design/' + ddoc + '/_view/' + viewName,
+        path: '_partition/' + encodeURIComponent(partition) + '/_design/' + encodeURIComponent(ddoc) + '/_view/' + encodeURIComponent(viewName),
         qs: opts
       }, callback)
     }
 
     function partitionedViewAsStream (partition, ddoc, viewName, opts) {
       return relax({
         db: dbName,
-        path: '_partition/' + partition + '/_design/' + ddoc + '/_view/' + viewName,
+        path: '_partition/' + encodeURIComponent(partition) + '/_design/' + encodeURIComponent(ddoc) + '/_view/' + encodeURIComponent(viewName),
         qs: opts,
         stream: true
       })