Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Special characters in password are double-encoded when client initialized with host as a string #712

Open
maxfelsher opened this issue Aug 14, 2019 · 2 comments

Comments

@maxfelsher
Copy link

Steps to reproduce:

  • Have a password that includes a special character such as @. For example, p@assword.
  • Incorporate the password into a URL string to be passed to the client. Since "@" is a delimiter in URLs, it has to be percent-encoded, and you end up with a URL like http://user:p%40ssword@127.0.0.1:9200/.
  • Initialize a client and try to search with it: Elasticsearch::Client.new(url: 'http://user:p%40ssword@127.0.0.1:9200/').search('...')

Such a request will be rejected by the server because the password is percent-encoded again, presumably with the assumption that the original password value was not already percent-encoded.

The issue appears to be a combination of the approaches for parsing the host information when the client is initialized and generating the URL for the full request. In particular, the initial parsing (see https://github.com/elastic/elasticsearch-ruby/blob/v7.3.0/elasticsearch-transport/lib/elasticsearch/transport/client.rb#L202) uses URI.split in the case of a string, which does not perform any unescaping. That is, the password attribute will have the value p%40ssword and not p@ssword. Then, at https://github.com/elastic/elasticsearch-ruby/blob/v7.3.0/elasticsearch-transport/lib/elasticsearch/transport/transport/connections/connection.rb#L46, the password is encoded again. I assume the situation also applies to usernames in URLs.

@estolfo
Copy link
Contributor

estolfo commented Aug 15, 2019

Thanks for reporting this @maxfelsher
We'll have an update soon.

@sbocinec
Copy link

I got hit by the same issue. After enabling Finge-grained Access control for an AWS ES domain and creating a master user with password containing special characters ([!@#$%^&*()]) I was getting Elasticsearch::Transport::Transport::Errors::Unauthorized: [401] Unauthorized error.

Only workaround I found was to use a password containing only URL safe characters ([a-Z0-9_-]).

Gem versions:

  • elasticsearch: 7.5.0
  • faraday: 0.17.3

AWS Elasticsearch version: 7.4.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants