fix(security): escape path parameters

deno/rest/v10/mod.ts

@@ -1053,6 +1053,17 @@ export const Routes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(Routes)) {
+	Routes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const StickerPackApplicationId = '710982414301790216';
 
 export enum ImageFormat {
@@ -1350,6 +1361,17 @@ export const CDNRoutes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(CDNRoutes)) {
+	CDNRoutes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(CDNRoutes);
+
 export type DefaultUserAvatarAssets = 0 | 1 | 2 | 3 | 4 | 5;
 
 export type EmojiFormat = Exclude<ImageFormat, ImageFormat.Lottie>;

deno/rest/v6/mod.ts

@@ -519,3 +519,14 @@ export const Routes = {
 		return `/oauth2/applications/@me`;
 	},
 };
+
+for (const [key, fn] of Object.entries(Routes)) {
+	Routes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);

deno/rest/v8/mod.ts

@@ -777,6 +777,17 @@ export const Routes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(Routes)) {
+	Routes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const RouteBases = {
 	api: `https://discord.com/api/v${APIVersion}`,
 	cdn: 'https://cdn.discordapp.com',

deno/rest/v9/mod.ts

@@ -1062,6 +1062,17 @@ export const Routes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(Routes)) {
+	Routes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const StickerPackApplicationId = '710982414301790216';
 
 export enum ImageFormat {
@@ -1359,6 +1370,17 @@ export const CDNRoutes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(CDNRoutes)) {
+	CDNRoutes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(CDNRoutes);
+
 export type DefaultUserAvatarAssets = 0 | 1 | 2 | 3 | 4 | 5;
 
 export type EmojiFormat = Exclude<ImageFormat, ImageFormat.Lottie>;

rest/v10/index.ts

@@ -1053,6 +1053,17 @@ export const Routes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(Routes)) {
+	Routes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const StickerPackApplicationId = '710982414301790216';
 
 export enum ImageFormat {
@@ -1350,6 +1361,17 @@ export const CDNRoutes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(CDNRoutes)) {
+	CDNRoutes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(CDNRoutes);
+
 export type DefaultUserAvatarAssets = 0 | 1 | 2 | 3 | 4 | 5;
 
 export type EmojiFormat = Exclude<ImageFormat, ImageFormat.Lottie>;

rest/v6/index.ts

@@ -519,3 +519,14 @@ export const Routes = {
 		return `/oauth2/applications/@me`;
 	},
 };
+
+for (const [key, fn] of Object.entries(Routes)) {
+	Routes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);

rest/v8/index.ts

@@ -777,6 +777,17 @@ export const Routes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(Routes)) {
+	Routes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const RouteBases = {
 	api: `https://discord.com/api/v${APIVersion}`,
 	cdn: 'https://cdn.discordapp.com',

rest/v9/index.ts

@@ -1062,6 +1062,17 @@ export const Routes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(Routes)) {
+	Routes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const StickerPackApplicationId = '710982414301790216';
 
 export enum ImageFormat {
@@ -1359,6 +1370,17 @@ export const CDNRoutes = {
 	},
 };
 
+for (const [key, fn] of Object.entries(CDNRoutes)) {
+	CDNRoutes[key] = (...args: string[]) => {
+		const escaped = args.map((arg) => encodeURIComponent(arg));
+		// eslint-disable-next-line no-useless-call
+		return fn.call(null, ...escaped);
+	};
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(CDNRoutes);
+
 export type DefaultUserAvatarAssets = 0 | 1 | 2 | 3 | 4 | 5;
 
 export type EmojiFormat = Exclude<ImageFormat, ImageFormat.Lottie>;