fix(cli): safely decode keys

AndreyHirsa · AndreyHirsa · commit 3f584c365852 · 2026-02-26T14:50:05.000+03:00
diff --git a/packages/cli/src/cli/cmd/purge.ts b/packages/cli/src/cli/cmd/purge.ts
@@ -6,6 +6,7 @@ import { getBuckets } from "../utils/buckets";
 import { resolveOverriddenLocale } from "@lingo.dev/_spec";
 import createBucketLoader from "../loaders";
 import { minimatch } from "minimatch";
+import { safeDecode } from "../utils/key-matching";
 import { confirm } from "@inquirer/prompts";
 
 interface PurgeOptions {
@@ -123,10 +124,7 @@ export default new Command()
               if (options.key) {
                 // minimatch for key patterns
                 keysToRemove = Object.keys(newData).filter((k) =>
-                  minimatch(
-                    decodeURIComponent(k),
-                    decodeURIComponent(options.key!),
-                  ),
+                  minimatch(safeDecode(k), safeDecode(options.key!)),
                 );
               } else {
                 // No key specified: remove all keys
@@ -136,7 +134,7 @@ export default new Command()
                 // Show what will be deleted
                 if (options.key) {
                   bucketOra.info(
-                    `About to delete ${keysToRemove.length} key(s) matching '${decodeURIComponent(options.key)}' from ${bucketPath.pathPattern} [${targetLocale}]:\n  ${keysToRemove.slice(0, 10).join(", ")}${keysToRemove.length > 10 ? ", ..." : ""}`,
+                    `About to delete ${keysToRemove.length} key(s) matching '${safeDecode(options.key)}' from ${bucketPath.pathPattern} [${targetLocale}]:\n  ${keysToRemove.slice(0, 10).join(", ")}${keysToRemove.length > 10 ? ", ..." : ""}`,
                   );
                 } else {
                   bucketOra.info(
@@ -164,7 +162,7 @@ export default new Command()
                 await bucketLoader.push(targetLocale, newData);
                 if (options.key) {
                   bucketOra.succeed(
-                    `Removed ${keysToRemove.length} key(s) matching '${decodeURIComponent(options.key)}' from ${bucketPath.pathPattern} [${targetLocale}]`,
+                    `Removed ${keysToRemove.length} key(s) matching '${safeDecode(options.key)}' from ${bucketPath.pathPattern} [${targetLocale}]`,
                   );
                 } else {
                   bucketOra.succeed(
@@ -173,7 +171,7 @@ export default new Command()
                 }
               } else if (options.key) {
                 bucketOra.info(
-                  `No keys matching '${decodeURIComponent(options.key)}' found in ${bucketPath.pathPattern} [${targetLocale}]`,
+                  `No keys matching '${safeDecode(options.key)}' found in ${bucketPath.pathPattern} [${targetLocale}]`,
                 );
               } else {
                 bucketOra.info("No keys to remove.");
diff --git a/packages/cli/src/cli/cmd/run/execute.ts b/packages/cli/src/cli/cmd/run/execute.ts
@@ -4,6 +4,7 @@ import pLimit, { LimitFunction } from "p-limit";
 import _ from "lodash";
 import { minimatch } from "minimatch";
 
+import { safeDecode } from "../../utils/key-matching";
 import { colors } from "../../constants";
 import { CmdRunContext, CmdRunTask, CmdRunTaskResult } from "./_types";
 import { commonTaskRendererOptions } from "./_const";
@@ -231,10 +232,7 @@ function createWorkerTask(args: {
                 ([key]) =>
                   !assignedTask.onlyKeys.length ||
                   assignedTask.onlyKeys?.some((pattern) =>
-                    minimatch(
-                      decodeURIComponent(key),
-                      decodeURIComponent(pattern),
-                    ),
+                    minimatch(safeDecode(key), safeDecode(pattern)),
                   ),
               )
               .fromPairs()
diff --git a/packages/cli/src/cli/utils/key-matching.ts b/packages/cli/src/cli/utils/key-matching.ts
@@ -1,5 +1,16 @@
 import { minimatch } from "minimatch";
 
+/**
+ * Safely decodes a URI component, returning the original string if decoding fails.
+ */
+export function safeDecode(value: string): string {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+
 /**
  * Checks if a key matches any of the provided patterns using exact, separator-bounded prefix, or glob matching.
  * Separator-bounded means the key must equal the pattern exactly, or continue with a ".", "/", or "-" separator.
