[Snyk] Security upgrade postman-collection from 3.6.11 to 4.0.0 (#638)

* fix: package.json & package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526

* Fix failing curl test

* Fix failing java-unirest and swift unit tests

---------

Co-authored-by: snyk-bot <[email protected]>
Co-authored-by: Ankit Saini <[email protected]>

Author: 3 people

codegens/curl/lib/util.js

@@ -166,7 +166,7 @@ var self = module.exports = {
       url += urlObject.getPath();
     }
     if (urlObject.query && urlObject.query.count()) {
-      let queryString = urlObject.getQueryString({ ignoreDisabled: true, encode: true });
+      let queryString = self.getQueryString(urlObject);
       queryString && (url += '?' + queryString);
     }
     if (urlObject.hash) {
@@ -176,6 +176,49 @@ var self = module.exports = {
     return self.sanitize(url, false, quoteType);
   },
 
+  /**
+   * @param {Object} urlObject
+   * @returns {String}
+   */
+  getQueryString: function (urlObject) {
+    let isFirstParam = true,
+      params = _.get(urlObject, 'query.members'),
+      result = '';
+    if (Array.isArray(params)) {
+      result = _.reduce(params, function (result, param) {
+        if (param.disabled === true) {
+          return result;
+        }
+
+        if (isFirstParam) {
+          isFirstParam = false;
+        }
+        else {
+          result += '&';
+        }
+
+        return result + self.encodeParam(param.key) + '=' + self.encodeParam(param.value);
+      }, result);
+    }
+
+    return result;
+  },
+
+  /**
+   * Encode param except the following characters- [,{,},]
+   *
+   * @param {String} param
+   * @returns {String}
+   */
+  encodeParam: function (param) {
+    return encodeURIComponent(param)
+      .replace(/%5B/g, '[')
+      .replace(/%7B/g, '{')
+      .replace(/%5D/g, ']')
+      .replace(/%7D/g, '}')
+      .replace(/'/g, '%27');
+  },
+
   /**
  *
  * @param {Array} array - form data array

codegens/java-unirest/lib/parseRequest.js

@@ -2,6 +2,49 @@ var _ = require('./lodash'),
 
   sanitize = require('./util').sanitize;
 
+/**
+ * Encode param except the following characters- [,{,},]
+ *
+ * @param {String} param
+ * @returns {String}
+ */
+function encodeParam (param) {
+  return encodeURIComponent(param)
+    .replace(/%5B/g, '[')
+    .replace(/%7B/g, '{')
+    .replace(/%5D/g, ']')
+    .replace(/%7D/g, '}')
+    .replace(/'/g, '%27');
+}
+
+/**
+ * @param {Object} urlObject
+ * @returns {String}
+ */
+function getQueryString (urlObject) {
+  let isFirstParam = true,
+    params = _.get(urlObject, 'query.members'),
+    result = '';
+  if (Array.isArray(params)) {
+    result = _.reduce(params, function (result, param) {
+      if (param.disabled === true) {
+        return result;
+      }
+
+      if (isFirstParam) {
+        isFirstParam = false;
+      }
+      else {
+        result += '&';
+      }
+
+      return result + encodeParam(param.key) + '=' + encodeParam(param.value);
+    }, result);
+  }
+
+  return result;
+}
+
 /**
  *
  * @param {*} urlObject The request sdk request.url object
@@ -33,7 +76,7 @@ function getUrlStringfromUrlObject (urlObject) {
     url += urlObject.getPath();
   }
   if (urlObject.query && urlObject.query.count()) {
-    let queryString = urlObject.getQueryString({ ignoreDisabled: true, encode: true });
+    let queryString = getQueryString(urlObject);
     queryString && (url += '?' + queryString);
   }
   if (urlObject.hash) {