fix: decode percent-encoded password in parseRedisUrl #1952

Open
heavenly999 wants to merge 1 commit into docmost:main from SYMAR-AI:fix/redis-url-password-decode

@heavenly999

Problem

parseRedisUrl() returns the password from new URL().password without decoding it. The WHATWG URL spec mandates that = is percent-encoded as %3D in the userinfo section.

Cloud Redis providers (Azure Managed Redis, AWS ElastiCache, etc.) use base64 access keys that end with =. When these keys are placed in a redis:// URL, the parser encodes them:

redis://:aBjR684eranIt5Ch13YS7aoUFioc4N5CpAzCaJdAF4g=@host:6379
                                                     ^
                                          URL parser encodes this to %3D

url.password then returns ...4N5CpAzCaJdAF4g%3D, which ioredis sends verbatim to Redis AUTH → WRONGPASS.

Verified in Node.js:

const u = new URL('redis://:key=@host:6379');
u.password // => 'key%3D'  (not 'key=')

Fix

Add decodeURIComponent() to the parsed password before returning RedisConfig. This is safe for passwords that don't contain percent-encoded characters (decoding a string without %XX sequences is a no-op).

Testing

Tested against Azure Managed Redis with a base64 access key ending in =. Before fix: WRONGPASS. After fix: connects successfully.
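An added example, not code from this pull request or from docmost: a Node.js sketch of the parsing behaviour described above, covering a literal `=`, a pre-encoded base64-style key, and a malformed `%` sequence that makes `decodeURIComponent()` throw. The names `decodeUserinfo`, `parseRedisUrlSketch` and `buildRedisUrl`, the returned object shape, and the fall-back-to-raw handling are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not docmost's parseRedisUrl() or RedisConfig.

// url.password keeps percent-escapes exactly as the WHATWG parser produced them,
// so a key ending in '=' comes back ending in '%3D' and must be decoded once.
function decodeUserinfo(raw) {
  try {
    return decodeURIComponent(raw);
  } catch (err) {
    // A literal '%' not followed by two hex digits (e.g. 'p%zz') survives URL
    // parsing but makes decodeURIComponent throw URIError. Assumption: fall back
    // to the raw value instead of failing at startup.
    if (err instanceof URIError) return raw;
    throw err;
  }
}

function parseRedisUrlSketch(redisUrl) {
  const u = new URL(redisUrl);
  return {
    host: u.hostname,
    port: u.port ? Number(u.port) : 6379,
    rawPassword: u.password,                 // what the unpatched code would return
    password: decodeUserinfo(u.password),    // what should be sent to AUTH
  };
}

// Producer side: encode the key before embedding it, so '+', '/' and '=' in a
// base64 key cannot be misread as URL syntax ('/' would end the authority part).
function buildRedisUrl(host, port, accessKey) {
  return `redis://:${encodeURIComponent(accessKey)}@${host}:${port}`;
}

// Constructed sample values, not real credentials.
const samples = [
  'redis://:key=@host:6379',
  'redis://:p%zz@host:6379',
  buildRedisUrl('host', 6379, 'a+b/c='),
];
for (const s of samples) {
  const { rawPassword, password } = parseRedisUrlSketch(s);
  console.log(`${s}  raw=${rawPassword}  decoded=${password}`);
}
```
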

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

The WHATWG URL parser percent-encodes '=' as '%3D' in the userinfo
section of URLs. Cloud Redis providers like Azure and AWS use base64
access keys that contain '='. Without decoding, ioredis sends the
percent-encoded password to Redis AUTH, which rejects it with
WRONGPASS.

This adds decodeURIComponent() to the parsed password before
returning the RedisConfig.

heavenly999 force-pushed the fix/redis-url-password-decode branch from 747cab9 to 8ce5b2a (February 17, 2026 07:55)

@Philipinho
Member

If you don't mind, can you finish the CLA step so I can review?

@heavenly999
Author

@Philipinho hey, yes, I did that already but nothing happened. I clicked on the link, logged in with my GitHub account, redirected back to GitHub, but the badge didn't change. Tried the recheck button as well.

Page says I agreed already:
image
