From 1ec59bbe4f070b22b73c601f6d9fb7a0d8fe088b Mon Sep 17 00:00:00 2001
From: kpacha
Date: Thu, 17 Nov 2022 17:11:30 +0100
Subject: [PATCH] reject requests with special chars in the params

Signed-off-by: kpacha
---
 router/gin/engine.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/router/gin/engine.go b/router/gin/engine.go
index 0d826859d..bef795de5 100644
--- a/router/gin/engine.go
+++ b/router/gin/engine.go
@@ -9,6 +9,7 @@ import (
 "net/http"
 "net/textproto"
 "net/url"
+ "strings"
 "sync"
 "time"
 
@@ -130,7 +131,7 @@ func paramChecker() gin.HandlerFunc {
 c.AbortWithStatus(http.StatusBadRequest)
 return
 }
- if s != param.Value {
+ if s != param.Value || strings.Contains(s, "?") || strings.Contains(s, "#") {
 c.String(http.StatusBadRequest, "error: encoded url params")
 c.AbortWithStatus(http.StatusBadRequest)
 return
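Review bot: The widened condition in paramChecker carries no comment explaining why `?` and `#` are rejected, and the 400 body still says `error: encoded url params` even when the value decoded unchanged and was refused for containing a delimiter. I would add `// a percent-encoded '?' or '#' is already decoded by the router, so the PathUnescape comparison alone does not catch it` above the check (assuming the router hands over decoded params, which this hunk does not show), and fold the two calls into `strings.ContainsAny(s, "?#")`. Whether other URL-structural characters need the same treatment depends on how the params are substituted downstream, which is outside this hunk. The diffstat lists only engine.go, so a test that sends a param containing each character and expects 400 is still missing. paramChecker's body starts and ends outside the hunk.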