Handle encoding characters like `%^{}\|; for query parameters in HttpRoutes
bsenyshyn opened this issue · comments
Description:
If we have to create a route with some parameters, like:

```scala
import org.http4s.dsl.io._ // brings in GET, Root, :?, +& and the matcher base classes

object ShowCurrentDataQueryParam extends OptionalQueryParamDecoderMatcher[Boolean]("showCurrentData")
object CodeQueryParam extends QueryParamDecoderMatcher[String]("code")

case GET -> Root / "data" :? CodeQueryParam(code) +& ShowCurrentDataQueryParam(showCurrentData)
```
And call API with:
http://localhost:8888/data?code=%&showCurrentData=true
or
http://localhost:8888/data?code=111111&showCurrentData=^
We receive 400 Bad Request with no message.
Expected result:
Handle these characters properly, or receive a corresponding message
Actual result:
400 Bad Request with no message
Version: 1.0.0-M5
Perhaps the decoder could be relaxed, but that's an invalid query string. The `%` is a reserved character for percent encoding, and is supposed to be followed by two hex digits. `%25`, if you want to represent a literal `%`.
Is this client something you have control over, or do you have to support the invalid encoding?
@rossabaker Actually, I was curious if there is any possibility to cover such cases. If not it will be perfect to provide some proper message.
Moreover, it's not just about the `%` literal, which is reserved, but `^` and other stuff as well.
The valid characters are alphanumerics and: `/ ? : @ - . _ ~ ! $ & ' ( ) * + , ; =`. Everything else needs to be percent-encoded to make a valid URI.
It's the backends that are rejecting this.
- Blaze just gives a 400 without explanation. We can do better here, and I'll leave the ticket open for that.
- Jetty lets it through to `Http4sServlet`, which responds with an "Invalid request target" message in the body of the 400.
- Tomcat intercepts it and gives a (dangerously, IMO) detailed message including information from the request and a stack trace before http4s ever sees it.
Even if the http4s parser got more lenient, many servers won't, so I'd urge you to fix the requests. But we'll make Blaze at least as informative as Jetty here.
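An added, stand-alone illustration of the RFC 3986 query rule described in the comment above. This is not http4s, Blaze, or either commenter's code; it is a small Python checker that applies the allowed-character set and the "`%` must be followed by two hex digits" rule to a raw query string, reports the first offending offset with an informative message (the kind of message the thread asks Blaze to produce instead of a bare 400), and shows how a client should percent-encode `%` and `^` so the two requests from the issue become valid. The function names, the error wording, and the sample query strings are all constructed here for the example.

```python
# Added example: validating and percent-encoding URI query strings per RFC 3986.
# Not part of http4s; names and messages are this example's own.
import string

# RFC 3986: query = *( pchar / "/" / "?" )
#           pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
# This is exactly the set listed in the comment above: alphanumerics plus
# / ? : @ - . _ ~ ! $ & ' ( ) * + , ; =  (and '%' only as part of %XX).
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_ALLOWED = UNRESERVED | SUB_DELIMS | set(":@/?")
HEXDIG = set(string.hexdigits)


def percent_encode_value(value: str) -> str:
    """Percent-encode one query parameter VALUE for use in a URI.

    Every byte of the UTF-8 encoding outside the unreserved set becomes %XX.
    This deliberately also encodes '&', '=' and '+', which are valid URI
    characters but act as delimiters inside application/x-www-form-urlencoded
    query strings, so a literal '&' in a value must not be left bare.
    """
    out = []
    for b in value.encode("utf-8"):
        ch = chr(b)
        out.append(ch if ch in UNRESERVED else f"%{b:02X}")
    return "".join(out)


def build_query(params) -> str:
    """Join (name, value) pairs into a query string with both sides encoded."""
    return "&".join(
        f"{percent_encode_value(k)}={percent_encode_value(v)}" for k, v in params
    )


def validate_query(query: str):
    """Return None if `query` is a syntactically valid RFC 3986 query string,
    otherwise a human-readable message naming the first offending position.

    A server that rejects the request can put this message in the 400 body
    without echoing the whole request or a stack trace.
    """
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == "%":
            triplet = query[i:i + 3]
            if len(triplet) < 3 or triplet[1] not in HEXDIG or triplet[2] not in HEXDIG:
                return (f"invalid percent-encoding {triplet!r} at offset {i}: "
                        "'%' must be followed by two hex digits "
                        "(use %25 for a literal '%')")
            i += 3
            continue
        if c not in QUERY_ALLOWED:
            return (f"character {c!r} (U+{ord(c):04X}) at offset {i} is not allowed "
                    f"in a query string; percent-encode it as "
                    f"{percent_encode_value(c)}")
        i += 1
    return None


if __name__ == "__main__":
    # The two query strings from the issue (constructed inputs).
    for qs in ("code=%&showCurrentData=true", "code=111111&showCurrentData=^"):
        print(qs, "->", validate_query(qs))
    # The client-side fix: encode the values before sending.
    fixed = build_query([("code", "%"), ("showCurrentData", "^")])
    print(fixed, "->", validate_query(fixed))
```

Running it reports `code=%&showCurrentData=true` as an invalid percent-encoding at offset 5 and `code=111111&showCurrentData=^` as a disallowed `^` at offset 28, while the encoded form `code=%25&showCurrentData=%5E` passes. The checker is strictly about URI syntax; it says nothing about whether `%25` then decodes to a value the route's `QueryParamDecoder` will accept, which is a separate, later step.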
@rossabaker It would be great to make Blaze more informative for such cases and not only for them. Thanks!
I left a comment here originally about a separate but similar issue, and realized it would make more sense in a new issue (#4203), sorry for any inconvenience 🙏 it's deleted now.