http_interceptor/lib/utils/query_parameters.dart at 17220a3871d10fee1a0e333a3aa1e9e7b5e9df9f · CodingAleCR/http_interceptor · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
/// Takes a string and appends [parameters] as query parameters of [url].
///
/// It validates the URL structure and properly encodes both keys and values
/// to prevent URL injection attacks.
String buildUrlString(String url, Map<String, dynamic>? parameters) {
  // Avoids unnecessary processing.
  if (parameters == null) return url;

  // Check if there are parameters to add.
  if (parameters.isNotEmpty) {
    // Validate URL structure to prevent injection
    // First check if it looks like a valid HTTP/HTTPS URL
    if (!url.startsWith('http://') && !url.startsWith('https://')) {
      throw ArgumentError(
        'Invalid URL structure: $url - must be a valid HTTP/HTTPS URL',
      );
    }

    try {
      final uri = Uri.parse(url);
      // Additional validation: ensure it has a host
      if (uri.host.isEmpty) {
        throw ArgumentError(
          'Invalid URL structure: $url - must have a valid host',
        );
      }
    } catch (e) {
      if (e is ArgumentError) {
        rethrow;
      }
      throw ArgumentError('Invalid URL structure: $url');
    }

    // Checks if the string url already has parameters.
    if (url.contains("?")) {
      url += "&";
    } else {
      url += "?";
    }

    // Concat every parameter to the string url with proper encoding
    parameters.forEach((key, value) {
      // Encode the key to prevent injection
      final encodedKey = Uri.encodeQueryComponent(key);

      if (value is List) {
        if (value is List<String>) {
          for (String singleValue in value) {
            url += "$encodedKey=${Uri.encodeQueryComponent(singleValue)}&";
          }
        } else {
          for (dynamic singleValue in value) {
            url +=
                "$encodedKey=${Uri.encodeQueryComponent(singleValue.toString())}&";
          }
        }
      } else if (value is String) {
        url += "$encodedKey=${Uri.encodeQueryComponent(value)}&";
      } else {
        url += "$encodedKey=${Uri.encodeQueryComponent(value.toString())}&";
      }
    });

    // Remove last '&' character.
    url = url.substring(0, url.length - 1);
  }

  return url;
}