pub enum UrlStrategy {
    PercentEncodeAggressive,
    DoublePercentEncode,
    NonCanonicalSpaces,
    Hpp,
}
Per-value mutation choice.
Variants
PercentEncodeAggressive
Percent-encode every byte that isn’t alphanumeric. Most signatures match decoded payloads but verify by raw-byte regex — this breaks both checks at once.
DoublePercentEncode
Double-percent-encode (% → %25, then percent-encode again).
Bypasses URL-decode-then-match WAFs that decode exactly once.
NonCanonicalSpaces
Mix in + for spaces, 0x2F for /, etc. — non-canonical
encodings that some upstream parsers normalise but signatures
don’t.
Hpp
Insert empty PHP-style array brackets [] after the param name
to force the HTTP Parameter Pollution path.
Audit (2026-05-10): NOT YET IMPLEMENTED. apply_bytes only
receives the value — the (name, value) pair lives one layer up
in mutate_query_string. The current behaviour is a value
pass-through, which is a stub. Selecting this strategy will
log a tracing::warn but otherwise return the value unchanged
so existing callers don’t break. Real HPP needs a query-level
mutator that operates on the pair list — track via a dedicated
query_pollute_pairs() function rather than as a UrlStrategy
variant.
Implementations
impl UrlStrategy
pub fn apply(self, value: &str) -> String
Apply the strategy to a single decoded value, returning the mutated raw form (already URL-safe — caller does not re-encode).
pub fn apply_bytes(self, value: &[u8]) -> String
Byte-clean variant of Self::apply for percent-encoding
strategies. Lets callers run a non-UTF-8 byte sequence (e.g.
the raw bytes from a percent-decode on %FF%FE) through the
pipeline without it being silently rewritten to U+FFFD by
String::from_utf8_lossy. Each strategy that only operates
on bytes (PercentEncodeAggressive, DoublePercentEncode) is
byte-pure here. Strategies that need character semantics
(NonCanonicalSpaces) lossy-convert internally.
pub fn apply_bytes_with_label(self, value: &[u8]) -> (String, &'static str)
Apply the strategy and return both the encoded output and the
label that honestly describes what was done. For most strategies
this is just Self::label(), but DoublePercentEncode silently
downgrades to single-percent encoding above MAX_DOUBLE_ENCODE_INPUT
(to avoid 9× output blowup). Before the fix, the technique log still
reported url:double_percent even though only one pass ran,
poisoning every WAF-decay statistic. Now the downgrade is
surfaced via url:double_percent_downgraded so callers (and
the gene-bank) see what actually shipped.
Audit (2026-05-10).
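On the inspecting side, the gap noted under DoublePercentEncode (a filter that decodes exactly once) closes when values are decoded to a fixed point over raw bytes, which also keeps sequences such as %FF%FE intact instead of turning them into U+FFFD. The following is an added example, not code from this crate; percent_decode_once, canonicalise and Canonical are hypothetical names and the inputs are constructed.

```rust
/// Decode one layer of percent-encoding; malformed escapes stay literal.
fn percent_decode_once(input: &[u8]) -> Vec<u8> {
    let hex = |b: u8| (b as char).to_digit(16).map(|d| d as u8);
    let mut out = Vec::with_capacity(input.len());
    let mut i = 0;
    while i < input.len() {
        if input[i] == b'%' && i + 2 < input.len() {
            if let (Some(h), Some(l)) = (hex(input[i + 1]), hex(input[i + 2])) {
                out.push((h << 4) | l);
                i += 3;
                continue;
            }
        }
        out.push(input[i]);
        i += 1;
    }
    out
}

/// Canonical form of a value, plus how much decoding it took to get there.
#[derive(Debug, PartialEq)]
pub struct Canonical {
    pub bytes: Vec<u8>,  // what signatures should be matched against
    pub passes: usize,   // decode layers that changed the input
    pub exhausted: bool, // still encoded after max_passes: treat as suspicious
}

/// Decode until the bytes stop changing, bounded by `max_passes`.
pub fn canonicalise(raw: &[u8], max_passes: usize) -> Canonical {
    let mut cur = raw.to_vec();
    let mut passes = 0;
    while passes < max_passes {
        let next = percent_decode_once(&cur);
        if next == cur {
            return Canonical { bytes: cur, passes, exhausted: false };
        }
        cur = next;
        passes += 1;
    }
    let exhausted = percent_decode_once(&cur) != cur;
    Canonical { bytes: cur, passes, exhausted }
}

fn main() {
    // Constructed inputs: one layer, two layers, and a non-UTF-8 sequence.
    for raw in ["%3Cb%3E", "%253Cb%253E", "%FF%FE"] {
        println!("{} -> {:?}", raw, canonicalise(raw.as_bytes(), 3));
    }
}
```

A passes value above 1 is worth logging on its own, and the pass limit should match what the protected backend actually decodes.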
Trait Implementations
impl Clone for UrlStrategy
fn clone(&self) -> UrlStrategy
fn clone_from(&mut self, source: &Self)
impl Debug for UrlStrategy
impl PartialEq for UrlStrategy
fn eq(&self, other: &UrlStrategy) -> bool
impl Copy for UrlStrategy
impl Eq for UrlStrategy
impl StructuralPartialEq for UrlStrategy
Auto Trait Implementations
impl Freeze for UrlStrategy
impl RefUnwindSafe for UrlStrategy
impl Send for UrlStrategy
impl Sync for UrlStrategy
impl Unpin for UrlStrategy
impl UnsafeUnpin for UrlStrategy
impl UnwindSafe for UrlStrategy
Blanket Implementations
impl<T> BorrowMut<T> for T where T: ?Sized
fn borrow_mut(&mut self) -> &mut T
impl<T> CloneToUninit for T where T: Clone
impl<Q, K> Equivalent<K> for Q
fn equivalent(&self, key: &K) -> bool