-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Follow up #2150: Special chars in values of query strings #2191
Comments
Possible duplicate of #2143 |
@int0x81, welcome to your assignment! |
@int0x81 Finn, where are you? Are you available? |
If you have started the issue, please inform me and Guillaume with a message in the #2132 thread.
🆗 Wishing you a speedy and an easy recovery!
I haven't assigned priority labels to the tickets on your mentoring board, so you're free to tackle them in any order. Please consider this follow-up task after you've completed #2132. |
@raman-m I tried to move items on the projects board last week, but it seems I do not have permission. |
@int0x81 OK I've moved the ticket. Guillaume (@ggnaegi) should have this permission, because he is the member of the team.
|
hey @raman-m I would like to provide you with a quick status update: I am working on the issue right now and digging deeper into the URL replacement logic. Unfortunately, it takes longer than expected for me to understand the whole logic. Especially the test cases are quite hard to read :/. I also have another task within my company ATM but I will come up with a first draft PR on Friday that (hopefully fixes issue #2150) |
@int0x81 Sure thing, you have to prioritize your employer's tasks 😄 not to be hangry 🥲
I believe it would be beneficial to begin with debugging the unit test.
Apologies, but are we experiencing a readability issue with the unit test, or it difficult for you to read English texts? The unit test consists solely of a series of private methods. I am quite perplexed, as I am unsure how to assist you... So, ask your boss, Guillaume: he knows Ocelot C# code well.
LoL! Remember, developer: Friday is a pay day in USA 😄 |
Hello @raman-m, hello @ggnaegi I think I investigated the Software enough to understand the issue but Currently, the I believe the {path} template value should never contain the unescaped query. The only solution that I see right now is, to change that logic in the What do you think? |
@int0x81 I haven't tried myself, but the method The ParseQueryString method uses UTF8 format to parse the query string In the returned NameValueCollection, URL encoded characters are decoded and multiple occurrences of the same query string parameter are listed as a single entry with a comma separating each value. so you might aswell try with Your approach could work though... |
After even more investigations I am not quite sure if this test case even makes sense ( @raman-m , If I am missing something, please explain) As far as I reverse-engineered it, the 'DownstreamUrlCreatorMiddleware' can only receive such a query if
The current 'MergeQueryStringsWithoutDuplicateValues' already uses the ParseQueryString method, but still fails to function with the query specific in this issue. I don't think I can write a better implementation than Microsoft 😄 |
Yes, right!
Bingo!🔥 The
Security concerns? That may be valid. Therefore, I believe there are no security issues in this context. The merging of query parameters is an important feature of Ocelot. |
The unit test just will help you to refactor the
Probably true, But this fact can be easily checked by acceptance test. Just add new test data to existing theory and you will see what's hapenning.
No, we will not implement such validations, but it makes sense as a 2nd possible solution if we will fail with refactoring of the 'MergeQueryStringsWithoutDuplicateValues' method.
Please do not be nervous. As a team, we do require you to reimplement the default Microsoft functionality. The issue is more profound, and the requirement is clear: we need to verify special characters in the query parameters. Please read #2181 discussion: You will understand the problem. You need to reuse test data from this thread. I will allow you to complete this and rectify my mistakes from the previous refactoring 🙈 |
Bug lives hereOcelot/src/Ocelot/DownstreamUrlCreator/Middleware/DownstreamUrlCreatorMiddleware.cs Line 121 in e9a8bfc
it should be: private static string MapQueryParameter(KeyValuePair<string, string> pair)
=> $"{pair.Key}={HttpUtility.UrlEncode(pair.Value, Encoding.UTF8)}"; Don't say me Thank You )) |
@raman-m |
Alright, I will try to tackle #2132 this week 👍 |
Follow up #2150
Regex
constructor derived from URL query parameter values containing specialRegex
chars #2150Special chars in values of query strings
A 3rd additional test case:
The third test has revealed issues within the middleware logic, indicating that this test case is likely to fail. The
MergeQueryStringsWithoutDuplicateValues
method struggles to handle URLs containing query strings with special characters, such asRegex
patterns and reserved URL specification characters. This issue became apparent in release 20.0.0 during the refactoring of theMergeQueryStringsWithoutDuplicateValues
method, which aimed to integrate existing and new logic (for example OData filters in query parameters, with bug fixes, with new feature for query string placeholders). Regrettably, the method fails to process special characters in parameter values.Originally posted by @raman-m in #2150 (comment)
Subject
Unit tests
Ocelot/test/Ocelot.UnitTests/DownstreamUrlCreator/DownstreamUrlCreatorMiddlewareTests.cs
Lines 614 to 618 in d310508
Acceptance tests
Ocelot/test/Ocelot.AcceptanceTests/Routing/RoutingTests.cs
Lines 1171 to 1175 in d310508
The text was updated successfully, but these errors were encountered: