fix: unescape URL-encoded path params before OpenAPI validation (#43)

mromaszewicz · florentchauveau · claude · web-flow · commit b5a3ecea33ad · 2026-02-07T10:24:09.000-08:00
gorillamux uses UseEncodedPath(), so FindRoute() returns path parameters in percent-encoded form. openapi3filter expects decoded values, which causes validation of constraints like maxLength and pattern to fail on encoded input (e.g. %2B is 3 chars but decodes to 1 char). Unescape path parameters after route matching and before passing them to openapi3filter. Fixes #17 Supersedes #18 Co-authored-by: Florent CHAUVEAU <florentch@pm.me> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/oapi_validate.go b/oapi_validate.go
@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 
@@ -158,6 +159,15 @@ func ValidateRequestFromContext(ctx echo.Context, router routers.Router, options
 		}
 	}
 
+	// gorillamux uses UseEncodedPath(), so path parameters are returned in
+	// their percent-encoded form. Unescape them before passing to
+	// openapi3filter, which expects decoded values.
+	for k, v := range pathParams {
+		if unescaped, err := url.PathUnescape(v); err == nil {
+			pathParams[k] = unescaped
+		}
+	}
+
 	validationInput := &openapi3filter.RequestValidationInput{
 		Request:    req,
 		PathParams: pathParams,
diff --git a/oapi_validate_test.go b/oapi_validate_test.go
@@ -485,6 +485,86 @@ func TestOapiRequestValidatorWithPrefix(t *testing.T) {
 	}
 }
 
+func TestEncodedPathParams(t *testing.T) {
+	spec, err := openapi3.NewLoader().LoadFromData(testSchema)
+	require.NoError(t, err, "Error initializing OpenAPI spec")
+
+	e := echo.New()
+
+	options := Options{
+		SilenceServersWarning: true,
+	}
+
+	e.Use(OapiRequestValidatorWithOptions(spec, &options))
+
+	called := false
+
+	// Register handlers for parameterized paths. These must be registered
+	// before any requests are made so echo allocates enough param slots.
+	e.GET("/resource/maxlength/:param", func(c echo.Context) error {
+		called = true
+		return c.NoContent(http.StatusNoContent)
+	})
+	e.GET("/resource/pattern/:param", func(c echo.Context) error {
+		called = true
+		return c.NoContent(http.StatusNoContent)
+	})
+
+	// Encoded "+" (%2B) — 3 chars encoded, but 1 char decoded.
+	// maxLength: 1 should pass because validation uses the decoded value.
+	{
+		rec := doGet(t, e, "http://test.hostname/resource/maxlength/%2B")
+		assert.Equal(t, http.StatusNoContent, rec.Code)
+		assert.True(t, called, "Handler should have been called")
+		called = false
+	}
+
+	// Unencoded "+" in the same path — should also pass.
+	{
+		rec := doGet(t, e, "http://test.hostname/resource/maxlength/+")
+		assert.Equal(t, http.StatusNoContent, rec.Code)
+		assert.True(t, called, "Handler should have been called")
+		called = false
+	}
+
+	// Two-char unencoded value exceeds maxLength: 1 — should be rejected.
+	{
+		rec := doGet(t, e, "http://test.hostname/resource/maxlength/ab")
+		assert.Equal(t, http.StatusBadRequest, rec.Code)
+		assert.False(t, called, "Handler should not have been called")
+	}
+
+	// Encoded value that decodes to two chars (%2B%2B -> "++") — should be rejected.
+	{
+		rec := doGet(t, e, "http://test.hostname/resource/maxlength/%2B%2B")
+		assert.Equal(t, http.StatusBadRequest, rec.Code)
+		assert.False(t, called, "Handler should not have been called")
+	}
+
+	// Pattern: ^\+[0-9]+$ — encoded "+1234" as "%2B1234" should pass.
+	{
+		rec := doGet(t, e, "http://test.hostname/resource/pattern/%2B1234")
+		assert.Equal(t, http.StatusNoContent, rec.Code)
+		assert.True(t, called, "Handler should have been called")
+		called = false
+	}
+
+	// Unencoded "+1234" should also pass.
+	{
+		rec := doGet(t, e, "http://test.hostname/resource/pattern/+1234")
+		assert.Equal(t, http.StatusNoContent, rec.Code)
+		assert.True(t, called, "Handler should have been called")
+		called = false
+	}
+
+	// Value that doesn't match pattern — should be rejected.
+	{
+		rec := doGet(t, e, "http://test.hostname/resource/pattern/nope")
+		assert.Equal(t, http.StatusBadRequest, rec.Code)
+		assert.False(t, called, "Handler should not have been called")
+	}
+}
+
 func TestGetSkipperFromOptions(t *testing.T) {
 
 	options := new(Options)
diff --git a/test_spec.yaml b/test_spec.yaml
@@ -39,6 +39,32 @@ paths:
               properties:
                 name:
                   type: string
+  /resource/maxlength/{param}:
+    get:
+      operationId: getMaxLengthResourceParameter
+      parameters:
+        - name: param
+          in: path
+          required: true
+          schema:
+            type: string
+            maxLength: 1
+      responses:
+        '204':
+          description: success
+  /resource/pattern/{param}:
+    get:
+      operationId: getPatternResourceParameter
+      parameters:
+        - name: param
+          in: path
+          required: true
+          schema:
+            type: string
+            pattern: '^\+[0-9]+$'
+      responses:
+        '204':
+          description: success
   /protected_resource:
     get:
       operationId: getProtectedResource
