Aliases should implement an explicit acceptable characters policy
mwvaughn opened this issue · comments
As I work on a rolling out aliases support in my tenant, I tried creating some with a few different naming conventions. I found it was possible to create aliases, and thus theoretically resolvable URLs, using characters that according to RFC3986 are disallowed in URLs.
Examples include:
data-copier
data-copier:staging
data/copier
data.copier
Here's a test that creates aliases using the general delimiters from the URL spec:
TOKEN=28e8ecd7fa027ebd383508c536163
ACTOR_ID=gO0JeWaBM4p3J
ALIAS_NAME="rfc3986"
ALIAS_TAG="master"
GEN_DELIMS=('rfc3986:master' 'rfc3986/master' 'rfc3986?master' 'rfc3986#master' 'rfc3986[master' 'rfc3986]master' 'rfc3986@master')
for ALIAS in ${GEN_DELIMS[@]}
do
echo $ALIAS
curl -sk -H "Authorization: Bearer $TOKEN" -XPOST -d "actorId=${ACTOR_ID}&alias=${ALIAS}" https://api.sd2e.org/actors/v2/aliases
done
Every one of the examples gave me a success message Actor alias created successfully
. They were not all resolvable. Doing curl -sk -H "Authorization: Bearer $TOKEN" -XGET https://api.sd2e.org/actors/v2/${ALIAS}
on them yielded:
rfc3986:master
: 200rfc3986/master
: Stack tracerfs3986?master
: 404rfc3986#master
: 404rfc3986[master
: No responserfc3986]master
: No responserfc3986@master
: 200
To be safe, we can either force urlencoding on aliases or restrict use of reserved characters in them. There's precedent and utility in either decision, but the service does need to have an opinion on the matter, which I don't think it does.
good catch! absolutely we need to fix this. i lean towards rejecting the alias creation if it does not meet the requirements instead of encoding it.
Resolved in PR #73.
thanks for just grabbing this and going with it -- really great work!
what you did was exactly right. i noticed that there is a small issue with using "." characters (unrelated to you code change): when trying to create an alias with a period, the service appears to create it correctly but returns an error response like this:
"message": "Unrecognized exception type: <class 'pymongo.errors.WriteError'>. Exception: The dotted field 'DEV_fooz.baz' in 'DEV_fooz.baz' is not valid for storage.",
I am going to merge your changes since they are a substantial improvement over the current version, but we should probably open a separate issue for the "." character.
looks to be a restriction in names of keys for mongo:
https://docs.mongodb.com/manual/reference/limits/#naming-restrictions
https://stackoverflow.com/questions/30014243/mongoerror-the-dotted-field-is-not-valid-for-storage
upgrading our version may be needed to solve it.
@NotChristianGarcia's patch was deployed to the SD2E instance today. I am closing this issue and will open another one for the "." character issue.