#21 (comment)

IIUC, there's a risk that this will mis-parse paths that happen to use & in the resource component, such as:

https://example.com/this&that&bewit=true

Such paths seem vanishingly unlikely in practice, but I don't think anything outright prevents them, and I can imagine them being constructed maliciously to try to trick the application's validation logic. It may be worth splitting first on the ? and then on the &, just in case.