fix: URL-encode special characters in connection string passwords#597

Open
VJ-yadav wants to merge 2 commits into AltimateAI:main from VJ-yadav:fix/special-char-passwords

Conversation


@VJ-yadav VJ-yadav commented Mar 30, 2026

Summary

Fixes #589 — stored passwords with special characters (@, #, :, /, etc.) cause cryptic authentication failures when used in URI-style connection strings.

  • Root cause: sanitizeConnectionString() existed in normalize.ts but was never called — connection strings with unencoded passwords were passed directly to drivers
  • Regex bug: The userinfo regex split on the first @ instead of the last, so passwords containing @ were silently mis-parsed (the function returned early thinking no encoding was needed)
  • Fix: Wire sanitizeConnectionString() into normalizeConfig() so every driver that accepts a connection_string benefits automatically, and fix the regex to use greedy matching for the userinfo portion

Drivers using individual config fields (host, user, password as separate values) are unaffected — native driver libraries handle raw passwords correctly without URI encoding.

Test Plan

  • Added 16 new test cases covering sanitizeConnectionString directly and normalizeConfig integration
  • Passwords with @, #, : are correctly percent-encoded
  • Already-encoded passwords (%40, %23) are left untouched
  • Passwords without special characters pass through unchanged
  • Non-URI connection strings (e.g. Oracle TNS, key=value) pass through unchanged
  • mongodb://, mongodb+srv://, postgresql:// schemes all handled
  • Config without connection_string (individual fields) is not altered
  • connectionString alias resolves to connection_string before sanitization
  • All 121 existing + new tests pass

Checklist

  • Minimal, focused change — no unrelated modifications
  • All existing tests continue to pass (121/121)
  • Pre-existing tsgo error on @clickhouse/client import is unrelated (reproduces on main)

Summary by CodeRabbit

Release Notes

  • New Features
    • Connection strings with special characters in passwords (such as @, #, :) are now automatically encoded and properly handled during configuration normalization.


@claude claude bot left a comment


Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@github-actions

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

  • PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.


coderabbitai bot commented Mar 30, 2026

Warning

Rate limit exceeded

@VJ-yadav has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 8 minutes and 53 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 8 minutes and 53 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b946e9d9-a1b0-441d-8d03-8612dd4c0fe5

📥 Commits

Reviewing files that changed from the base of the PR and between 93db0f4 and ea99829.

📒 Files selected for processing (3)
  • packages/drivers/src/index.ts
  • packages/drivers/src/normalize.ts
  • packages/opencode/test/altimate/driver-normalize.test.ts
📝 Walkthrough

Walkthrough

Added a new sanitizeConnectionString function to detect and re-encode special characters in URI-style connection string passwords. Integrated sanitization into normalizeConfig to automatically handle passwords with special characters. Extended public exports and added comprehensive test coverage.

Changes

  • Driver Core (packages/drivers/src/normalize.ts, packages/drivers/src/index.ts): Added sanitizeConnectionString export and function to detect URI schemes with embedded userinfo and re-encode unencoded special characters in password segments. Integrated sanitization into normalizeConfig to apply preprocessing to connection strings.
  • Test Suite (packages/opencode/test/altimate/driver-normalize.test.ts): Added comprehensive test suite for sanitizeConnectionString covering URI-encoded password detection, special character handling (@, #, :), multiple schemes (including MongoDB variants), and edge cases. Added integration tests verifying normalizeConfig properly sanitizes connection strings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A password with @ and # signs so bright,
Now safely encoded, escaping just right!
URI strings dance through our normalize flow,
Special characters sanitized—smooth as a doe. 🌿✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: ✅ Passed. The title accurately and concisely summarizes the main change: fixing URL-encoding of special characters in connection string passwords, which directly addresses issue #589.
  • Linked Issues check: ✅ Passed. The PR directly addresses issue #589 by implementing sanitizeConnectionString integration to handle stored passwords with special characters (@, #, :) in URI-style connection strings, preventing authentication failures.
  • Out of Scope Changes check: ✅ Passed. All changes are focused and within scope: adding sanitizeConnectionString export, implementing the function with regex fix, integrating it into normalizeConfig, and adding comprehensive tests. No unrelated modifications detected.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.
  • Description check: ✅ Passed. The PR description covers all required sections: Summary, Test Plan, and Checklist. It provides clear context on the issue, root cause, fix, and testing coverage.



gitguardian bot commented Mar 30, 2026

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request
GitGuardian id | GitGuardian status | Secret | Commit | Filename
- | - | Generic Password | d4a35d0 | packages/opencode/test/altimate/driver-normalize.test.ts
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.



@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (2)
packages/drivers/src/normalize.ts (1)

161-163: Potential URIError if username contains malformed percent sequences.

decodeURIComponent(user) will throw a URIError if the username contains malformed percent-encoded sequences (e.g., user%GGname). While rare, this could cause unexpected failures.

Consider wrapping in try-catch or skipping the decode/re-encode cycle for the username when it doesn't contain %:

🛡️ Proposed defensive fix
-  // Re-encode both user and password to be safe
-  const encodedUser = encodeURIComponent(decodeURIComponent(user))
+  // Re-encode both user and password to be safe.
+  // If user contains %, attempt decode; otherwise encode directly.
+  let encodedUser: string
+  try {
+    encodedUser = encodeURIComponent(decodeURIComponent(user))
+  } catch {
+    // Malformed percent sequence — encode as-is
+    encodedUser = encodeURIComponent(user)
+  }
   const encodedPassword = encodeURIComponent(password)
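Review bot: the added comment "If user contains %, attempt decode; otherwise encode directly." does not describe the code under it: the try block calls decodeURIComponent(user) unconditionally and the catch only handles the URIError case, so there is no `%` check. Either add `if (user.includes("%"))` around the decode or reword the comment to say that a malformed percent sequence falls back to encoding the raw string. Separately, the unchanged `const encodedPassword = encodeURIComponent(password)` still encodes the password without the decode step the username gets, so an already percent-encoded value is double-encoded on this path (`%40` becomes `%2540`) unless an early return guards it before this point; the test plan's "already-encoded passwords are left untouched" case should be checked against this line, and routing both segments through one decode-then-encode helper with the same try/catch would remove the asymmetry.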
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/drivers/src/normalize.ts` around lines 161 - 163, The
decode/re-encode of the username using decodeURIComponent(user) can throw a
URIError for malformed percent sequences; update the logic around encodedUser
(where decodeURIComponent(user) and encodeURIComponent are used) to first check
if user contains '%' and only perform decode/encode when safe, or wrap
decodeURIComponent(user) in a try-catch and fall back to using the original user
string if decoding fails, ensuring encodedUser is always set to a valid
encodeURIComponent value without throwing.
packages/opencode/test/altimate/driver-normalize.test.ts (1)

974-978: Consider adding test coverage for / and ? in passwords.

The PR objectives mention handling / as a special character, and the implementation's regex also includes ?. Adding explicit tests would strengthen coverage:

📝 Suggested additional tests
test("encodes / in password", () => {
  const input = "postgresql://admin:pass/word@localhost/db"
  const result = sanitizeConnectionString(input)
  expect(result).toBe("postgresql://admin:pass%2Fword@localhost/db")
})

test("encodes ? in password", () => {
  const input = "postgresql://admin:pass?word@localhost/db"
  const result = sanitizeConnectionString(input)
  expect(result).toBe("postgresql://admin:pass%3Fword@localhost/db")
})
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/opencode/test/altimate/driver-normalize.test.ts` around lines 974 -
978, Add two unit tests to the existing "encodes multiple special characters"
suite that verify sanitizeConnectionString correctly percent-encodes '/' and '?'
inside the password portion: create one test using input
"postgresql://admin:pass/word@localhost/db" expecting
"postgresql://admin:pass%2Fword@localhost/db" and another using
"postgresql://admin:pass?word@localhost/db" expecting
"postgresql://admin:pass%3Fword@localhost/db"; place these tests alongside the
existing tests in driver-normalize.test.ts to ensure sanitizeConnectionString
handles both characters.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 44b3dc65-0c0f-455e-ab26-0eacd895c951

📥 Commits

Reviewing files that changed from the base of the PR and between 99270e5 and 93db0f4.

📒 Files selected for processing (3)
  • packages/drivers/src/index.ts
  • packages/drivers/src/normalize.ts
  • packages/opencode/test/altimate/driver-normalize.test.ts

Wire the existing (but uncalled) sanitizeConnectionString() into
normalizeConfig() so all drivers using connection_string get automatic
URL-encoding of special characters in passwords.

Changes:
- Fix regex to split on last @ (not first) so passwords containing @
  are handled correctly
- Add try-catch around decodeURIComponent for malformed percent sequences
- Wire sanitizeConnectionString into normalizeConfig after alias resolution
- Re-export sanitizeConnectionString from drivers package
- 19 tests covering @, #, :, /, ? in passwords, already-encoded values,
  malformed URIs, mongodb schemes, and normalizeConfig integration

Fixes AltimateAI#589

Co-Authored-By: Vijay Yadav <[email protected]>
@VJ-yadav VJ-yadav force-pushed the fix/special-char-passwords branch from ad39640 to d4a35d0 on March 30, 2026 22:52
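The behaviour described in the PR description (split the userinfo on the last `@`, encode `@`, `#`, `:`, `/`, `?`, leave already-encoded and non-URI strings alone), the CodeRabbit nitpick about malformed percent sequences, and the commit message above, as one added worked example. This is standalone example code, not the AltimateAI project's normalize.ts (whose exact regex and helper names the page does not show): the function names, the regex, the `reencodeSegment` helper and the sample connection strings are this example's own constructions.

```typescript
// Added example (not the AltimateAI project's own normalize.ts): a standalone
// sanitizer for URI-style connection strings that percent-encodes the user and
// password segments. The function name, the regex and the helper are this
// example's own choices; the sample connection strings are constructed.

// Matches "<scheme>://<userinfo>@<rest>". The greedy `(.*)` before the `@`
// means the LAST `@` ends the userinfo, so an `@` inside the password stays in
// the password instead of splitting it (the "first @" bug the PR describes).
const URI_WITH_USERINFO = /^([a-z][a-z0-9+.-]*:\/\/)(.*)@([^@]*)$/i

// Decode, then encode: an already-encoded segment such as "p%40ss" comes back
// unchanged, while raw reserved characters (@ # : / ?) are encoded. A malformed
// percent sequence (e.g. "100%" or "pa%ss") makes decodeURIComponent throw a
// URIError; the literal segment is then encoded as-is, so "%" becomes "%25".
function reencodeSegment(segment: string): string {
  try {
    return encodeURIComponent(decodeURIComponent(segment))
  } catch {
    return encodeURIComponent(segment)
  }
}

function sanitizeConnectionString(input: string): string {
  const match = URI_WITH_USERINFO.exec(input)
  if (match === null) {
    // No "scheme://...@..." shape: Oracle TNS descriptors, key=value strings
    // and URIs without credentials pass through untouched.
    return input
  }
  const [, prefix = "", userinfo = "", rest = ""] = match
  // Only the first ":" separates user from password; any later ":" is part of
  // the password and gets encoded as %3A.
  const colon = userinfo.indexOf(":")
  if (colon === -1) {
    return `${prefix}${reencodeSegment(userinfo)}@${rest}`
  }
  const user = userinfo.slice(0, colon)
  const password = userinfo.slice(colon + 1)
  return `${prefix}${reencodeSegment(user)}:${reencodeSegment(password)}@${rest}`
}

// Constructed sample inputs (not real credentials) covering the cases listed
// in the PR's test plan and commit message.
const SAMPLES: string[] = [
  "postgresql://admin:p@ss@localhost/db",
  "postgresql://admin:p%40ss@localhost/db",
  "postgresql://admin:pass#w:rd/x?y@localhost/db",
  "mongodb+srv://app:p@ss@cluster0.example.net/db",
  "postgresql://admin:100%@localhost/db",
  "Server=db.example.net;User Id=app;Password=p@ss;",
  "postgresql://localhost/db",
]

for (const sample of SAMPLES) {
  const out = sanitizeConnectionString(sample)
  console.log(`${sample}\n  -> ${out}${out === sample ? "  (unchanged)" : ""}`)
}
```

Two limits of this approach are worth knowing before relying on it. The "last `@` ends the credentials" rule is a heuristic: a connection string whose query string also contains a literal `@` after the host would be split in the wrong place, so values after the host should already be encoded by whoever builds the string. And a plaintext password that happens to contain a valid-looking sequence such as `%40` is indistinguishable from an encoded one; the decode-then-encode step leaves it as `%40`, which the driver will decode to `@`. Drivers that take host, user and password as separate fields should keep receiving the raw password, as the PR description notes, since only the URI form needs percent-encoding.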
Development

Successfully merging this pull request may close these issues.

Stored passwords with special characters do not work

1 participant