http4s / blaze

Blazing fast NIO microframework and Http Parser

Handle encoding characters like `%^{}\|; for query parameters in HttpRoutes

bsenyshyn opened this issue · comments

Description:

If we have to create a route with some parameters, like:

case GET -> Root / "data" :? CodeQueryParam(code) +& ShowCurrentDataQueryParam(showCurrentData)

object ShowCurrentDataQueryParam extends OptionalQueryParamDecoderMatcher[Boolean]("showCurrentData")

object CodeQueryParam extends QueryParamDecoderMatcher[String]("code")

And call the API with:
http://localhost:8888/data?code=%&showCurrentData=true
or
http://localhost:8888/data?code=111111&showCurrentData=^

We receive 400 Bad Request with no message.

Expected result:
Handle these characters properly or receive a corresponding message

Actual result:
400 Bad Request with no message

Version: 1.0.0-M5

Perhaps the decoder could be relaxed, but that's an invalid query string. The % is a reserved character for percent encoding, and is supposed to be followed by two hex digits. %25, if you want to represent a literal %.

Is this client something you have control over, or do you have to support the invalid encoding?

@rossabaker Actually, I was curious if there is any possibility to cover such cases. If not, it would be perfect to provide a proper message.
Moreover, it's not just about the % literal which is reserved, but ^ and other stuff as well

The valid characters are alphanumerics and: / ? : @ - . _ ~ ! $ & ' ( ) * + , ; =. Everything else needs to be percent-encoded to make a valid URI.

It's the backends that are rejecting this.

  • Blaze just gives a 400 without explanation. We can do better here, and I'll leave the ticket open for that.
  • Jetty lets it through to Http4sServlet, which responds with an "Invalid request target" message in the body of the 400.
  • Tomcat intercepts it and gives a (dangerously, IMO) detailed message including information from the request and a stack trace before http4s ever sees it.

Even if the http4s parser got more lenient, many servers won't, so I'd urge you to fix the requests. But we'll make Blaze at least as informative as Jetty here.
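As an added illustration of the rule stated in the comment above (this is not code from http4s or blaze, and it is written in Python rather than Scala so it runs stand-alone), a strict query validator that rejects a bare % not followed by two hex digits, or any character outside the RFC 3986 query set, and answers with a short, position-only diagnostic instead of a bare 400 or an echo of the request:

```python
from typing import Optional, Tuple

# RFC 3986 query = *( pchar / "/" / "?" ); pchar = unreserved / pct-encoded
# / sub-delims / ":" / "@". These are the characters allowed unencoded.
QUERY_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "-._~!$&'()*+,;=:@/?"
)
HEXDIG = set("0123456789abcdefABCDEF")


def validate_query(query: str) -> Optional[str]:
    """Return None if `query` is a valid RFC 3986 query string, otherwise a
    short diagnostic naming only the offset and the kind of error."""
    i = 0
    n = len(query)
    while i < n:
        ch = query[i]
        if ch == "%":
            # A pct-encoded triplet needs exactly two HEXDIG after the %.
            if i + 2 >= n or query[i + 1] not in HEXDIG or query[i + 2] not in HEXDIG:
                return f"incomplete percent-encoding at offset {i}"
            i += 3
            continue
        if ch not in QUERY_ALLOWED:
            # Report the code point, not the surrounding request content.
            return f"character U+{ord(ch):04X} not allowed unencoded at offset {i}"
        i += 1
    return None


def respond(query: str) -> Tuple[int, str]:
    """Model the server's reaction: an informative 400 body (as the comment
    describes for Jetty/Http4sServlet) rather than an empty one, and never a
    stack trace or the raw request (the Tomcat behaviour criticised above)."""
    err = validate_query(query)
    if err is not None:
        return 400, f"Invalid request target: {err}"
    return 200, "OK"


if __name__ == "__main__":
    # Constructed inputs mirroring the two URLs in the issue report.
    for q in ("code=%&showCurrentData=true",
              "code=111111&showCurrentData=^",
              "code=%25&showCurrentData=true"):
        print(q, "->", respond(q))
```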

@rossabaker It would be great to make Blaze more informative for such cases and not only for them. Thanks!

I left a comment here originally about a separate but similar issue, and realized it would make more sense in a new issue (#4203), sorry for any inconvenience 🙏 it's deleted now.