Merge commit from fork

Stop using url.Parse for request-target paths. It interprets "//" as
an RFC 3986 authority delimiter, so "//admin/people" silently drops
"admin" from parsed_path, bypassing policies that check path segments.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Co-authored-by: Ville Vesilehto <ville@vesilehto.fi>

Author: johanfylling

envoyauth/request.go

@@ -112,14 +112,19 @@ func RequestToInput(req any, logger logging.Logger, protoSet *protoregistry.File
 }
 
 func getParsedPathAndQuery(path string) ([]string, map[string]any, error) {
-	parsedURL, err := url.Parse(path)
+	rawPath, rawQuery, _ := strings.Cut(path, "?")
+
+	decodedPath, err := url.PathUnescape(rawPath)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	parsedPath := strings.Split(strings.TrimLeft(parsedURL.Path, "/"), "/")
+	parsedPath := strings.Split(strings.TrimLeft(decodedPath, "/"), "/")
 
-	query := parsedURL.Query()
+	query, err := url.ParseQuery(rawQuery)
+	if err != nil {
+		return nil, nil, err
+	}
 	parsedQueryInterface := make(map[string]any, len(query))
 	for paramKey, paramValues := range query {
 		parsedQueryInterface[paramKey] = paramValues

envoyauth/request_test.go

@@ -651,6 +651,21 @@ func TestParsedPathAndQuery(t *testing.T) {
 			[]string{"my", "test", "path"},
 			map[string]any{"a": []string{"1", "new\nline"}},
 		},
+		{
+			createExtReqWithPath("//x/people"),
+			[]string{"x", "people"},
+			map[string]any{},
+		},
+		{
+			createExtReqWithPath("//admin/dashboard"),
+			[]string{"admin", "dashboard"},
+			map[string]any{},
+		},
+		{
+			createExtReqWithPath("//x/people?a=1"),
+			[]string{"x", "people"},
+			map[string]any{"a": []string{"1"}},
+		},
 	}
 
 	for _, tt := range tests {