[Bug] `validateRequest()` is not working when a query param includes a single quote (`'`)
Problem
Issue Summary

The `validateRequest()` function is not working properly when a query param value includes a single quote (`'`) (and probably more special characters).

This bug seems to have been introduced after this commit: https://github.com/twilio/twilio-node/commit/18c6d6f184552cf85c11f1098633d8228d81bb87

Why? The quote gets escaped when using `new URL()`, and the Twilio server seems to generate the signature with an unescaped quote.

[code block]

Steps to Reproduce

1. Set up a call with a redirect URI that has a query param with a quote in it
2. When the call is redirected to the server, the validation does not pass
3. This will also happen if `ToState`, `FromState`, or any other query param automatically added by Twilio includes a quote, and the server returns a `307 - Temporary Redirect` to a different URL, for example `Forli'` or `Trezzo Sull'Adda`

Our use case

1. A caller starts a call to the state `Trezzo Sull'Adda`
2. The caller hangs up
3. We receive the hang-up command via `POST` and respond with `307 - Temporary Redirect` to `Location: https://api.example.com`
4. `api.example.com` receives the redirect with the `GET` method and the body as query params instead
5. `validateRequest()` now fails because of the single quote

Code Snippet

[code block]

Exception/Log

The validation returns `false`

Technical details:

* twilio-node version: `5.4.0`
* node version: `v22.11.0`
1 Fix
Fix `validateRequest()` to Handle Escaped Single Quotes in Query Params
The `validateRequest()` function fails when a query parameter contains a single quote (`'`) because the quote is escaped when using `new URL()`, while Twilio generates the signature with the unescaped quote. This discrepancy causes the validation to return false.
1. Modify the URL Parsing Logic

Update the logic in the `validateRequest()` function to properly handle single quotes and other special characters in query parameters by decoding them before validation.

```javascript
const decodedParams = new URLSearchParams(url.search).toString();
const parsedParams = Object.fromEntries(new URLSearchParams(decodedParams));
```

2. Update Signature Generation

Ensure that the signature generation process in Twilio correctly escapes any special characters, including single quotes, to match the expected format in the `validateRequest()` function.

```javascript
const signature = generateSignature(params, secret).replace(/'/g, '%27');
```

3. Add Unit Tests for Special Characters

Create unit tests for the `validateRequest()` function to cover cases where query parameters include single quotes and other special characters. This will help ensure that future changes do not break this functionality.

```javascript
test('validateRequest handles single quotes', () => {
  const request = createMockRequest({ query: { param: "Trezzo Sull'Adda" } });
  expect(validateRequest(request)).toBe(true);
});
```

4. Review and Update Documentation
Update the API documentation to reflect the changes made in handling special characters in query parameters, ensuring that developers are aware of how to properly format their requests.
Validation
To confirm the fix worked, set up a test scenario where a query parameter includes a single quote. Call the `validateRequest()` function and ensure it returns true. Additionally, run the newly created unit tests to verify that all edge cases are handled correctly.
Submitted by
Alex Chen
2450 rep
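
The mismatch described in this issue, reproduced as an added example that is not from the original page or from twilio-node. It assumes Twilio's documented signing scheme (base64 HMAC-SHA1 over the URL followed by the sorted POST parameters); the token, URL and function names are constructed for illustration.

```javascript
// Added example: names, token and URL below are constructed for illustration.
const crypto = require('node:crypto');

// Assumed scheme: HMAC-SHA1 over the full URL followed by each POST
// parameter (sorted by name) as name+value, base64-encoded.
function sign(authToken, url, params = {}) {
  const data = Object.keys(params).sort()
    .reduce((acc, key) => acc + key + params[key], url);
  return crypto.createHmac('sha1', authToken).update(data, 'utf8').digest('base64');
}

// Constant-time comparison of two base64 signatures.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// The URL as the WHATWG parser re-serializes it: ' in the query becomes %27.
function normalized(rawUrl) {
  return new URL(rawUrl).toString();
}

// Strict check: only the re-serialized URL is tried (the failing behaviour).
function validateStrict(authToken, header, rawUrl, params) {
  return safeEqual(sign(authToken, normalized(rawUrl), params), header);
}

// Tolerant check: try the URL exactly as received, then the re-serialized
// form, then that form with %27 in the query restored to a literal quote.
function validateTolerant(authToken, header, rawUrl, params) {
  const u = normalized(rawUrl);
  const q = u.indexOf('?');
  const restored = q < 0 ? u : u.slice(0, q) + u.slice(q).replace(/%27/g, "'");
  return [rawUrl, u, restored].some((c) => safeEqual(sign(authToken, c, params), header));
}

// Constructed sample: the sender signs the URL with an unescaped quote.
const TOKEN = 'test_auth_token';
const RAW = "https://api.example.com/hook?ToState=Trezzo+Sull'Adda";
const HEADER = sign(TOKEN, RAW);
```

Every candidate still has to match the HMAC, so accepting both spellings of the quote does not let an unsigned URL through.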