HTTP Parameter Pollution via Unencoded JSON in EmbeddedChatApi

The `EmbeddedChatApi` class builds request URLs by directly inserting the output of `JSON.stringify()` into query parameters **without URL encoding**. This happens in the `getMessages` and `getOlderMessages` methods.

If the `query` or `field` object contains special URL characters such as `&`, `=`, or `#`, those characters are interpreted by the server as **URL delimiters**, not as part of the value. This allows extra query parameters to be injected into the request.

As a result, the API is vulnerable to **HTTP Parameter Pollution**, which can lead to incorrect request handling and potential security issues.

---

## Affected Code

**File:** `packages/api/src/EmbeddedChatApi.ts`
### Current Implementation

```ts
const query = options?.query
  ? `&query=${JSON.stringify(options.query)}`
  : "";
```

---

## Steps to Reproduce

1. Initialize `EmbeddedChatApi`.
2. Call `getMessages` with a malicious query object:

```js
api.getMessages(false, {
  query: { attack: "test&roomId=GENERAL" }
});
```

3. Inspect the network request.

### Observed URL

```
.../messages?roomId=RID&query={"attack":"test&roomId=GENERAL"}
```

### Result

The server interprets `roomId=GENERAL` as a **separate query parameter**, because the `&` inside the JSON string was not URL-encoded.

---

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HTTP Parameter Pollution via Unencoded JSON in EmbeddedChatApi #1117

Affected Code

Current Implementation

Steps to Reproduce

Observed URL

Result

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

HTTP Parameter Pollution via Unencoded JSON in EmbeddedChatApi #1117

Description

Affected Code

Current Implementation

Steps to Reproduce

Observed URL

Result

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions