From 13746c184031d9b1a67835044c023e9064e13262 Mon Sep 17 00:00:00 2001
From: Matt Gibson
Date: Fri, 10 Feb 2023 12:34:19 -0500
Subject: [PATCH] PS-2450 EC-1073 Do not decode and normalize query (#4708)
Co-authored-by: Jake Fink
---
 libs/common/src/services/api.service.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libs/common/src/services/api.service.ts b/libs/common/src/services/api.service.ts
index 26570d5303..4aceda36b5 100644
--- a/libs/common/src/services/api.service.ts
+++ b/libs/common/src/services/api.service.ts
@@ -1991,7 +1991,9 @@ export class ApiService implements ApiServiceAbstraction {
 apiUrl = Utils.isNullOrWhitespace(apiUrl) ? this.environmentService.getApiUrl() : apiUrl;
 // Prevent directory traversal from malicious paths
- const requestUrl = apiUrl + Utils.normalizePath(path);
+ const pathParts = path.split("?");
+ const requestUrl =
+ apiUrl + Utils.normalizePath(pathParts[0]) + (pathParts.length > 1 ? `?${pathParts[1]}` : "");
 const headers = new Headers({
 "Device-Type": this.deviceType,
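Review bot: `path.split("?")` followed by `pathParts[1]` keeps only the text between the first and second `?`, so a query value that contains a literal `?` (which is allowed unencoded inside a query component) is silently truncated. Splitting at the first occurrence only avoids that: `const q = path.indexOf("?");` then `const requestUrl = apiUrl + Utils.normalizePath(q < 0 ? path : path.slice(0, q)) + (q < 0 ? "" : path.slice(q));`. The existing comment about directory traversal now describes the path portion only, so it should be extended to say that the query string is appended verbatim and that callers are responsible for percent-encoding query values. The enclosing method starts and ends outside this hunk, so how `path` is built by callers is not visible here.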