fix(client)!: uri encode path parameters

chore: unknown commit message

Author: stainless-bot

src/internal/utils/path.ts

@@ -0,0 +1,65 @@
+import { AnthropicError } from '../../error';
+
+/**
+ * Percent-encode everything that isn't safe to have in a path without encoding safe chars.
+ *
+ * Taken from https://datatracker.ietf.org/doc/html/rfc3986#section-3.3:
+ * > unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
+ * > sub-delims  = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
+ * > pchar       = unreserved / pct-encoded / sub-delims / ":" / "@"
+ */
+export function encodeURIPath(str: string) {
+  return str.replace(/[^A-Za-z0-9\-._~!$&'()*+,;=:@]+/g, encodeURIComponent);
+}
+
+export const createPathTagFunction = (pathEncoder = encodeURIPath) =>
+  function path(statics: readonly string[], ...params: readonly unknown[]): string {
+    // If there are no params, no processing is needed.
+    if (statics.length === 1) return statics[0]!;
+
+    let postPath = false;
+    const path = statics.reduce((previousValue, currentValue, index) => {
+      if (/[?#]/.test(currentValue)) {
+        postPath = true;
+      }
+      return (
+        previousValue +
+        currentValue +
+        (index === params.length ? '' : (postPath ? encodeURIComponent : pathEncoder)(String(params[index])))
+      );
+    }, '');
+
+    const pathOnly = path.split(/[?#]/, 1)[0]!;
+    const invalidSegments = [];
+    const invalidSegmentPattern = /(?<=^|\/)(?:\.|%2e){1,2}(?=\/|$)/gi;
+    let match;
+
+    // Find all invalid segments
+    while ((match = invalidSegmentPattern.exec(pathOnly)) !== null) {
+      invalidSegments.push({
+        start: match.index,
+        length: match[0].length,
+      });
+    }
+
+    if (invalidSegments.length > 0) {
+      let lastEnd = 0;
+      const underline = invalidSegments.reduce((acc, segment) => {
+        const spaces = ' '.repeat(segment.start - lastEnd);
+        const arrows = '^'.repeat(segment.length);
+        lastEnd = segment.start + segment.length;
+        return acc + spaces + arrows;
+      }, '');
+
+      throw new AnthropicError(
+        `Path parameters result in path with invalid segments:\n${path}\n${underline}`,
+      );
+    }
+
+    return path;
+  };
+
+/**
+ * URI-encodes path params and ensures no unsafe /./ or /../ path segments are introduced.
+ */
+export const path = createPathTagFunction(encodeURIPath);

src/resources/beta/messages/batches.ts

@@ -9,6 +9,7 @@ import { buildHeaders } from '../../../internal/headers';
 import { RequestOptions } from '../../../internal/request-options';
 import { JSONLDecoder } from '../../../internal/decoders/jsonl';
 import { AnthropicError } from '../../../error';
+import { path } from '../../../internal/utils/path';
 
 export class Batches extends APIResource {
   /**
@@ -41,7 +42,7 @@ export class Batches extends APIResource {
     options?: RequestOptions,
   ): APIPromise<BetaMessageBatch> {
     const { betas } = params ?? {};
-    return this._client.get(`/v1/messages/batches/${messageBatchID}?beta=true`, {
+    return this._client.get(path`/v1/messages/batches/${messageBatchID}?beta=true`, {
       ...options,
       headers: buildHeaders([
         { 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
@@ -81,7 +82,7 @@ export class Batches extends APIResource {
     options?: RequestOptions,
   ): APIPromise<BetaDeletedMessageBatch> {
     const { betas } = params ?? {};
-    return this._client.delete(`/v1/messages/batches/${messageBatchID}?beta=true`, {
+    return this._client.delete(path`/v1/messages/batches/${messageBatchID}?beta=true`, {
       ...options,
       headers: buildHeaders([
         { 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
@@ -107,7 +108,7 @@ export class Batches extends APIResource {
     options?: RequestOptions,
   ): APIPromise<BetaMessageBatch> {
     const { betas } = params ?? {};
-    return this._client.post(`/v1/messages/batches/${messageBatchID}/cancel?beta=true`, {
+    return this._client.post(path`/v1/messages/batches/${messageBatchID}/cancel?beta=true`, {
       ...options,
       headers: buildHeaders([
         { 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },

src/resources/beta/models.ts

@@ -4,6 +4,7 @@ import { APIResource } from '../../resource';
 import { APIPromise } from '../../api-promise';
 import { Page, type PageParams, PagePromise } from '../../pagination';
 import { RequestOptions } from '../../internal/request-options';
+import { path } from '../../internal/utils/path';
 
 export class Models extends APIResource {
   /**
@@ -13,7 +14,7 @@ export class Models extends APIResource {
    * model or resolve a model alias to a model ID.
    */
   retrieve(modelID: string, options?: RequestOptions): APIPromise<BetaModelInfo> {
-    return this._client.get(`/v1/models/${modelID}?beta=true`, options);
+    return this._client.get(path`/v1/models/${modelID}?beta=true`, options);
   }
 
   /**

src/resources/messages/batches.ts

@@ -9,6 +9,7 @@ import { buildHeaders } from '../../internal/headers';
 import { RequestOptions } from '../../internal/request-options';
 import { JSONLDecoder } from '../../internal/decoders/jsonl';
 import { AnthropicError } from '../../error';
+import { path } from '../../internal/utils/path';
 
 export class Batches extends APIResource {
   /**
@@ -28,7 +29,7 @@ export class Batches extends APIResource {
    * `results_url` field in the response.
    */
   retrieve(messageBatchID: string, options?: RequestOptions): APIPromise<MessageBatch> {
-    return this._client.get(`/v1/messages/batches/${messageBatchID}`, options);
+    return this._client.get(path`/v1/messages/batches/${messageBatchID}`, options);
   }
 
   /**
@@ -49,7 +50,7 @@ export class Batches extends APIResource {
    * like to delete an in-progress batch, you must first cancel it.
    */
   delete(messageBatchID: string, options?: RequestOptions): APIPromise<DeletedMessageBatch> {
-    return this._client.delete(`/v1/messages/batches/${messageBatchID}`, options);
+    return this._client.delete(path`/v1/messages/batches/${messageBatchID}`, options);
   }
 
   /**
@@ -64,7 +65,7 @@ export class Batches extends APIResource {
    * non-interruptible.
    */
   cancel(messageBatchID: string, options?: RequestOptions): APIPromise<MessageBatch> {
-    return this._client.post(`/v1/messages/batches/${messageBatchID}/cancel`, options);
+    return this._client.post(path`/v1/messages/batches/${messageBatchID}/cancel`, options);
   }
 
   /**
@@ -89,7 +90,6 @@ export class Batches extends APIResource {
       .get(batch.results_url, {
         ...options,
         headers: buildHeaders([{ Accept: 'application/x-jsonl' }, options?.headers]),
-
         __binaryResponse: true,
       })
       ._thenUnwrap((_, props) => JSONLDecoder.fromResponse(props.response, props.controller));

src/resources/models.ts

@@ -4,6 +4,7 @@ import { APIResource } from '../resource';
 import { APIPromise } from '../api-promise';
 import { Page, type PageParams, PagePromise } from '../pagination';
 import { RequestOptions } from '../internal/request-options';
+import { path } from '../internal/utils/path';
 
 export class Models extends APIResource {
   /**
@@ -13,7 +14,7 @@ export class Models extends APIResource {
    * model or resolve a model alias to a model ID.
    */
   retrieve(modelID: string, options?: RequestOptions): APIPromise<ModelInfo> {
-    return this._client.get(`/v1/models/${modelID}`, options);
+    return this._client.get(path`/v1/models/${modelID}`, options);
   }
 
   /**