Aliases should implement an explicit acceptable characters policy

Question

Aliases should implement an explicit acceptable characters policy

mwvaughn opened this issue 6 years ago · comments

As I work on a rolling out aliases support in my tenant, I tried creating some with a few different naming conventions. I found it was possible to create aliases, and thus theoretically resolvable URLs, using characters that according to RFC3986 are disallowed in URLs.

Examples include:

data-copier
data-copier:staging
data/copier
data.copier

Here's a test that creates aliases using the general delimiters from the URL spec:

TOKEN=28e8ecd7fa027ebd383508c536163
ACTOR_ID=gO0JeWaBM4p3J
ALIAS_NAME="rfc3986"
ALIAS_TAG="master"
GEN_DELIMS=('rfc3986:master' 'rfc3986/master' 'rfc3986?master' 'rfc3986#master' 'rfc3986[master' 'rfc3986]master' 'rfc3986@master')
for ALIAS in ${GEN_DELIMS[@]}
do
  echo $ALIAS
  curl -sk -H "Authorization: Bearer $TOKEN" -XPOST -d "actorId=${ACTOR_ID}&alias=${ALIAS}" https://api.sd2e.org/actors/v2/aliases
done

Every one of the examples gave me a success message Actor alias created successfully. They were not all resolvable. Doing curl -sk -H "Authorization: Bearer $TOKEN" -XGET https://api.sd2e.org/actors/v2/${ALIAS} on them yielded:

rfc3986:master: 200
rfc3986/master: Stack trace
rfs3986?master: 404
rfc3986#master: 404
rfc3986[master: No response
rfc3986]master: No response
rfc3986@master: 200

To be safe, we can either force urlencoding on aliases or restrict use of reserved characters in them. There's precedent and utility in either decision, but the service does need to have an opinion on the matter, which I don't think it does.

Joe Stubbs · Answer 1 · Wed Mar 06 2019 07:24:44 GMT+0800 (China Standard Time)

good catch! absolutely we need to fix this. i lean towards rejecting the alias creation if it does not meet the requirements instead of encoding it.

Christian Garcia · Answer 2 · Fri Mar 15 2019 06:31:14 GMT+0800 (China Standard Time)

Resolved in PR #73.

Joe Stubbs · Answer 3 · Tue Mar 19 2019 05:23:18 GMT+0800 (China Standard Time)

thanks for just grabbing this and going with it -- really great work!

what you did was exactly right. i noticed that there is a small issue with using "." characters (unrelated to you code change): when trying to create an alias with a period, the service appears to create it correctly but returns an error response like this:

"message": "Unrecognized exception type: <class 'pymongo.errors.WriteError'>. Exception: The dotted field 'DEV_fooz.baz' in 'DEV_fooz.baz' is not valid for storage.",

I am going to merge your changes since they are a substantial improvement over the current version, but we should probably open a separate issue for the "." character.

Joe Stubbs · Answer 4 · Tue Mar 19 2019 05:29:47 GMT+0800 (China Standard Time)

looks to be a restriction in names of keys for mongo:
https://docs.mongodb.com/manual/reference/limits/#naming-restrictions
https://stackoverflow.com/questions/30014243/mongoerror-the-dotted-field-is-not-valid-for-storage

upgrading our version may be needed to solve it.

Joe Stubbs · Answer 5 · Wed Mar 20 2019 09:39:59 GMT+0800 (China Standard Time)

@NotChristianGarcia's patch was deployed to the SD2E instance today. I am closing this issue and will open another one for the "." character issue.