[PR #5991] fix(rest): handle malformed JSON in shared URL parameters #5454

Open
opened 2026-03-17 02:53:40 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5991
Author: @mahmoodhamdi
Created: 3/13/2026
Status: 🔄 Open

Base: main ← Head: fix/rest-ext-url-json-parse


📝 Commits (1)

  • 18c877a fix(rest): handle malformed JSON in shared URL parameters

📊 Changes

1 file changed (+14 additions, -6 deletions)

📝 packages/hoppscotch-common/src/helpers/RESTExtURLParams.ts (+14 -6)

📄 Description

Description

translateExtURLParams in RESTExtURLParams.ts calls JSON.parse() on URL parameters from shared links without any error handling. If a shared URL is truncated, corrupted, or manually edited with invalid JSON, the entire request loader crashes with an unhandled exception.

This affects both the V0 and V1 shared URL formats — headers, params, body, and bodyParams are all parsed without protection.

Changes

  • Added a safeJSONParse helper that wraps JSON.parse in a try-catch and returns a fallback value on failure
  • Replaced all 5 bare JSON.parse calls with safeJSONParse, falling back to the request's existing defaults

How to reproduce the original issue

  1. Open Hoppscotch
  2. Navigate to a shared URL like https://hopp.sh/r/... with a truncated or invalid headers or params query param (e.g. ?v=1&headers=%7B%22broken)
  3. The app crashes instead of loading the request with default values

Test plan

  • Manually tested with valid shared URLs (no behavior change)
  • Tested with intentionally malformed JSON in headers/params/body query params — now gracefully loads request with defaults

Summary by cubic

Safely parse shared REST URL parameters to prevent crashes from malformed JSON. V0 and V1 URLs now fall back to request defaults when headers, params, body, or bodyParams are invalid.

  • Bug Fixes
    • Added safeJSONParse to wrap JSON.parse with a fallback.
    • Replaced five vulnerable parses in shared URL handling with safe parsing.
    • Valid URLs behave the same; malformed values load with defaults.

Written for commit 18c877a709. Summary will update on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
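
An added example, not the code from this PR (the diff is not shown on this page): a `safeJSONParse`-style helper paired with a shape check, because a try/catch only covers syntax errors and well-formed JSON of the wrong type (`42`, `null`) would otherwise still reach the request loader. The function signatures, the `KV` entry shape and `parseKVList` are assumptions made for illustration.

```typescript
// Assumed shape of one header/param entry (hypothetical, for illustration only).
type KV = { key: string; value: string; active: boolean }

// Parse untrusted JSON text from a shared URL. Never throws: a missing value
// or a syntax error yields `fallback` instead of an unhandled exception.
function safeJSONParse(raw: string | null | undefined, fallback: unknown): unknown {
  if (raw == null) return fallback
  try {
    return JSON.parse(raw)
  } catch {
    return fallback
  }
}

// Runtime type guard: JSON.parse succeeding says nothing about the shape.
function isKV(x: unknown): x is KV {
  if (typeof x !== "object" || x === null) return false
  const o = x as Record<string, unknown>
  return (
    typeof o.key === "string" &&
    typeof o.value === "string" &&
    typeof o.active === "boolean"
  )
}

// Hypothetical wrapper: accept the parsed value only if it is an array of
// well-formed entries; otherwise keep the request's existing defaults.
function parseKVList(raw: string | null | undefined, fallback: KV[]): KV[] {
  const parsed = safeJSONParse(raw, fallback)
  return Array.isArray(parsed) && parsed.every(isKV) ? parsed : fallback
}

// Constructed sample inputs. The first is the truncated value from the
// reproduction steps above, percent-decoded to `{"broken`.
const DEFAULT_HEADERS: KV[] = []
const truncated = decodeURIComponent("%7B%22broken")
const valid = '[{"key":"Accept","value":"*/*","active":true}]'

const fromTruncated = parseKVList(truncated, DEFAULT_HEADERS) // defaults
const fromValid = parseKVList(valid, DEFAULT_HEADERS)         // one entry
const fromWrongType = parseKVList("42", DEFAULT_HEADERS)      // defaults
```
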
