From 1ba34729386c9b9dece237e761114f6d1ef11143 Mon Sep 17 00:00:00 2001
From: Vlad Frangu
Date: Thu, 21 Nov 2024 22:40:24 +0200
Subject: [PATCH] fix(security): escape path parameters
---
 deno/rest/v10/mod.ts | 22 ++++++++++++++++++++++
 deno/rest/v6/mod.ts | 11 +++++++++++
 deno/rest/v8/mod.ts | 11 +++++++++++
 deno/rest/v9/mod.ts | 22 ++++++++++++++++++++++
 rest/v10/index.ts | 22 ++++++++++++++++++++++
 rest/v6/index.ts | 11 +++++++++++
 rest/v8/index.ts | 11 +++++++++++
 rest/v9/index.ts | 22 ++++++++++++++++++++++
 8 files changed, 132 insertions(+)
diff --git a/deno/rest/v10/mod.ts b/deno/rest/v10/mod.ts
index aaebaba6b..61de424fb 100644
--- a/deno/rest/v10/mod.ts
+++ b/deno/rest/v10/mod.ts
@@ -1053,6 +1053,17 @@ export const Routes = {
 },
 };
+for (const [key, fn] of Object.entries(Routes)) {
+ Routes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const StickerPackApplicationId = '710982414301790216';
 export enum ImageFormat {
@@ -1350,6 +1361,17 @@ export const CDNRoutes = {
 },
 };
+for (const [key, fn] of Object.entries(CDNRoutes)) {
+ CDNRoutes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(CDNRoutes);
+
 export type DefaultUserAvatarAssets = 0 | 1 | 2 | 3 | 4 | 5;
 export type EmojiFormat = Exclude;
diff --git a/deno/rest/v6/mod.ts b/deno/rest/v6/mod.ts
index 3399b104b..7b2af6795 100644
--- a/deno/rest/v6/mod.ts
+++ b/deno/rest/v6/mod.ts
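Review bot: `encodeURIComponent` does not escape `.`, so in the wrapper added after `Routes` in deno/rest/v10/mod.ts an argument that is exactly `.` or `..` still reaches the route template unchanged, and a URL parser applied to the result would resolve it as a dot segment and change which endpoint the path names. The escaping handles `/`, `?` and `#`, but the wrapper should also refuse dot segments before encoding, for example `if (arg === '.' || arg === '..') throw new TypeError('Path parameter must not be a dot segment');` inside the `map` callback. Whether the path is normalised later depends on the HTTP layer, which is outside this patch. The identical loop appears in every other hunk of this patch (both `Routes` and `CDNRoutes`, in the v6, v8, v9 and v10 modules), so the guard belongs in all of them.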
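Review bot: In the `CDNRoutes` wrapper in deno/rest/v10/mod.ts, `args.map((arg) => encodeURIComponent(arg))` converts an explicitly passed `undefined` into the string `undefined`, which a builder would then treat as a present value. Builders with optional parameters are defined outside this hunk, so whether any exist is an assumption, but the wrapper can stay neutral with `const escaped = args.map((arg) => (arg === undefined ? arg : encodeURIComponent(arg)));`. The `string[]` annotation is also narrower than the surrounding types suggest, since `DefaultUserAvatarAssets` in the trailing context is numeric; `encodeURIComponent` stringifies such values, which looks harmless in a template literal but is worth a comment. The `Routes` wrappers in this patch share the same `map` call.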
@@ -519,3 +519,14 @@ export const Routes = {
 return `/oauth2/applications/@me`;
 },
 };
+
+for (const [key, fn] of Object.entries(Routes)) {
+ Routes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
diff --git a/deno/rest/v8/mod.ts b/deno/rest/v8/mod.ts
index dfe4070e8..2589416d0 100644
--- a/deno/rest/v8/mod.ts
+++ b/deno/rest/v8/mod.ts
@@ -777,6 +777,17 @@ export const Routes = {
 },
 };
+for (const [key, fn] of Object.entries(Routes)) {
+ Routes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const RouteBases = {
 api: `https://discord.com/api/v${APIVersion}`,
 cdn: 'https://cdn.discordapp.com',
diff --git a/deno/rest/v9/mod.ts b/deno/rest/v9/mod.ts
index 426084a4f..419307af8 100644
--- a/deno/rest/v9/mod.ts
+++ b/deno/rest/v9/mod.ts
@@ -1062,6 +1062,17 @@ export const Routes = {
 },
 };
+for (const [key, fn] of Object.entries(Routes)) {
+ Routes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const StickerPackApplicationId = '710982414301790216';
 export enum ImageFormat {
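Review bot: The wrapper added at the end of deno/rest/v6/mod.ts encodes every argument unconditionally, so a caller that already percent-encodes a parameter before passing it in gets it encoded twice, with `%` becoming `%25`. That is a behaviour change for existing callers and nothing in the new code says which form is expected. A comment above the loop would settle it, for example `// Path parameters must be passed raw; every argument is percent-encoded here, so pre-encoded values are encoded twice`. The same applies to the other `Routes` and `CDNRoutes` wrappers in this patch.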
@@ -1359,6 +1370,17 @@ export const CDNRoutes = {
 },
 };
+for (const [key, fn] of Object.entries(CDNRoutes)) {
+ CDNRoutes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(CDNRoutes);
+
 export type DefaultUserAvatarAssets = 0 | 1 | 2 | 3 | 4 | 5;
 export type EmojiFormat = Exclude;
diff --git a/rest/v10/index.ts b/rest/v10/index.ts
index 80f00814e..06ce6328c 100644
--- a/rest/v10/index.ts
+++ b/rest/v10/index.ts
@@ -1053,6 +1053,17 @@ export const Routes = {
 },
 };
+for (const [key, fn] of Object.entries(Routes)) {
+ Routes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const StickerPackApplicationId = '710982414301790216';
 export enum ImageFormat {
@@ -1350,6 +1361,17 @@ export const CDNRoutes = {
 },
 };
+for (const [key, fn] of Object.entries(CDNRoutes)) {
+ CDNRoutes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(CDNRoutes);
+
 export type DefaultUserAvatarAssets = 0 | 1 | 2 | 3 | 4 | 5;
 export type EmojiFormat = Exclude;
diff --git a/rest/v6/index.ts b/rest/v6/index.ts
index cdd4a5803..0d2391c50 100644
--- a/rest/v6/index.ts
+++ b/rest/v6/index.ts
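Review bot: The same eleven-line block is pasted into every versioned module in this patch, once per `Routes` and `CDNRoutes` object, so any later correction to the escaping has to be made twelve times and one missed copy leaves a version unescaped. For rest/v10/index.ts and its siblings a single shared helper that wraps and freezes a route map would keep the security-relevant logic in one place; the sketch below shows the shape, with the module it lives in left to the project. If the deno/ files are generated from the rest/ ones, only the rest/ sources need the change. `Routes[key] = …` with a `string` key may also fail under `noImplicitAny`, which the helper's single cast avoids.

```typescript
// shared helper; each versioned module calls it once per route map
type RouteBuilder = (...args: string[]) => string;

export function escapeRouteParameters<T extends object>(routes: T): Readonly<T> {
	const table = routes as Record<string, RouteBuilder>;
	for (const [key, fn] of Object.entries(table)) {
		table[key] = (...args) => fn(...args.map((arg) => encodeURIComponent(arg)));
	}
	return Object.freeze(routes);
}

// rest/v10/index.ts, after the Routes literal
escapeRouteParameters(Routes);
```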
@@ -519,3 +519,14 @@ export const Routes = {
 return `/oauth2/applications/@me`;
 },
 };
+
+for (const [key, fn] of Object.entries(Routes)) {
+ Routes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
diff --git a/rest/v8/index.ts b/rest/v8/index.ts
index 693a4a01d..8ff5a35b1 100644
--- a/rest/v8/index.ts
+++ b/rest/v8/index.ts
@@ -777,6 +777,17 @@ export const Routes = {
 },
 };
+for (const [key, fn] of Object.entries(Routes)) {
+ Routes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const RouteBases = {
 api: `https://discord.com/api/v${APIVersion}`,
 cdn: 'https://cdn.discordapp.com',
diff --git a/rest/v9/index.ts b/rest/v9/index.ts
index 53727f2fa..b5376cf2d 100644
--- a/rest/v9/index.ts
+++ b/rest/v9/index.ts
@@ -1062,6 +1062,17 @@ export const Routes = {
 },
 };
+for (const [key, fn] of Object.entries(Routes)) {
+ Routes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(Routes);
+
 export const StickerPackApplicationId = '710982414301790216';
 export enum ImageFormat {
@@ -1359,6 +1370,17 @@ export const CDNRoutes = {
 },
 };
+for (const [key, fn] of Object.entries(CDNRoutes)) {
+ CDNRoutes[key] = (...args: string[]) => {
+ const escaped = args.map((arg) => encodeURIComponent(arg));
+ // eslint-disable-next-line no-useless-call
+ return fn.call(null, ...escaped);
+ };
+}
+
+// Freeze the object so it can't be changed
+Object.freeze(CDNRoutes);
+
 export type DefaultUserAvatarAssets = 0 | 1 | 2 | 3 | 4 | 5;
 export type EmojiFormat = Exclude;