Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RESTEasy Reactive: paths not properly uri-decoded before matching #30577

Open
FroMage opened this issue Jan 24, 2023 · 4 comments
Open

RESTEasy Reactive: paths not properly uri-decoded before matching #30577

FroMage opened this issue Jan 24, 2023 · 4 comments
Labels
area/rest kind/bug Something isn't working

Comments

@FroMage
Copy link
Member

FroMage commented Jan 24, 2023

Describe the bug

Our URI-matching does not properly match uri-encoded values that are legal path segments. We rely on Vert.x RoutingContext.normalizedPath() which only decodes percent-encoded chars from the unreserved category (see https://www.rfc-editor.org/rfc/rfc3986#section-2.4) but other values which are allowed as part of the path segment will not be decoded prior to matching:

   segment       = *pchar
   segment-nz    = 1*pchar
   segment-nz-nc = 1*( unreserved / pct-encoded / sub-delims / "@" )
                 ; non-zero-length segment without any colon ":"

   pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

   query         = *( pchar / "/" / "?" )

   fragment      = *( pchar / "/" / "?" )

   pct-encoded   = "%" HEXDIG HEXDIG

   unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
   reserved      = gen-delims / sub-delims
   gen-delims    = ":" / "/" / "?" / "#" / "[" / "]" / "@"
   sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
                 / "*" / "+" / "," / ";" / "="

In theory, in a segment, the characters "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" / ":" / "@" do not need to be encoded, but they can, and so if we have an endpoint declared for /$ we should match both /$ and /%24 which decodes to the same thing.

To reproduce:

@Path("/")
public class Endpoint {
 @GET
 @Path("$")
 public String ok() { return "OK"; }
}

Now call wget 'http://localhost:8080/$' and wget 'http://localhost:8080/%24', both should return OK and match the same endpoint.

At the moment, only the first one works. This probably fails for all the other characters I've listed above.

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
@FroMage FroMage added the kind/bug Something isn't working label Jan 24, 2023
@quarkus-bot
Copy link

quarkus-bot bot commented Jan 24, 2023

/cc @Sgitario (resteasy-reactive), @geoand (resteasy-reactive), @stuartwdouglas (resteasy-reactive)

@FroMage
Copy link
Member Author

FroMage commented Jan 25, 2023

Reproducing project: https://github.com/FroMage/urlencodingbug

@geoand
Copy link
Contributor

geoand commented Jul 21, 2023

Is this still a problem?

@FroMage
Copy link
Member Author

FroMage commented Aug 14, 2023

Unfortunately, yes. I updated the reproducer project.

@rubensa rubensa mentioned this issue Sep 15, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/rest kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@FroMage @geoand