canonParams() is responsible for doing a x-www-form-urlencoded encoding of an object.
In addition to a series of encodeURIComponent calls, there were a few uses of .replace() being used to replace certain characters. However, .replace() with a string argument will only replace the first instance of that character. If you want to replace all characters, you must use a regexp with a global flag.
vbscott
commented
4 years ago
canonParams() is responsible for doing a x-www-form-urlencoded encoding of an object.
In addition to a series of encodeURIComponent calls, there were a few uses of .replace() being used to replace certain characters. However, .replace() with a string argument will only replace the first instance of that character. If you want to replace all characters, you must use a regexp with a global flag.
LGTM reported this https://lgtm.com/projects/g/duosecurity/duo_api_nodejs
I have added test cases to confirm the (what I assume is) incorrect behavior. I've also provided a fix.