quarkus: Invalid handling of path segments in URLs by "quarkus-resteasy-reactive"
Describe the bug
It looks like path splitting by “quarkus-resteasy-reactive” is slightly broken (“quarkus-resteasy” works), for following case (explained earlier at SO https://stackoverflow.com/questions/76632028/discrepancy-between-reactive-and-non-reactive-quarkus-jax-rs-endpoints-wrt-url-d).
Endpoint like:
@ApplicationScoped
@Path("/path")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class PathResource
{
@GET
@Path("/list/{primaryKey: .+}")
public String pathAsList(@PathParam("primaryKey") List<PathSegment> path)
{
return "As List/std (%d) -> %s".formatted(path.size(), path);
}
when invoked with URL like:
http://localhost:8081/path/list/ab%2Fcd/ef%2Fgh
should produce List of 2 path elements; "ab/cd" and "ef/gh", but actually produces 4 (for “ab”, “cd”, “ef” and “gh”).
This would be due to first decoding the full path and then splitting by slashes; as opposed to reverse.
I have Rest-assured tests to verify behavior difference (see https://github.com/tatu-at-datastax/quarkus-demo/blob/main/src/test/java/com/fasterxml/quarkus/PathResourceTest.java) but the call looks like:
@Test
public void pathAsList() {
given()
.when().get("/path/list/{seg1}/{seg2}", "ab/cd", "ef/gh")
.then()
.statusCode(200)
.body(is("As List/std (2) -> [ab/cd, ef/gh]"));
}
Result is passing test when running against “quarkus-resteasy”, but fail against “quarkus-resteasy-reactive”.
Expected behavior
Decoding of path parameter should split by non-encoded slashes first, then decode path segments; not decode full path and split by all slashes (encoded or not)
Actual behavior
Due to what appears to be pre-mature character entity decoding, path segments are split also by encoded slashes (%2F), not only plain un-encoded ones.
How to Reproduce?
Reproduction included in description, but there is also Github repo:
https://github.com/tatu-at-datastax/quarkus-resteasy-reactive-34586
Output of uname -a or ver
No response
Output of java -version
openjdk version “17.0.6” 2023-01-17 LTS
GraalVM version (if different from Java)
Not tested with graalVM
Quarkus version or git rev
3.2.0.Final
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.8.4
Additional information
No response
About this issue
- Original URL
- State: closed
- Created a year ago
- Comments: 16 (11 by maintainers)
Commits related to this issue
- Fix path segment handling of encoded values Fixes: #34586 — committed to geoand/quarkus by geoand a year ago
- Merge pull request #34809 from geoand/#34586 Fix path segment handling of encoded values — committed to quarkusio/quarkus by geoand a year ago
- Fix path segment handling of encoded values Fixes: #34586 (cherry picked from commit c2285ece187b4d60fe49dfda78f9916866b3aa87) — committed to gsmet/quarkus by geoand a year ago
- Update quarkus.version to v3 (major) (mulk/mulkcms2!27) This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [io.quarkus:quarkus-maven-plugin](https://git... — committed to benkard/mulkcms2 by benkard a year ago
https://github.com/quarkusio/quarkus/pull/34809 should do the trick
@geoand Sorry, security issues have come up so I’ll need to prioritize on them for now
HI @geoand It might be simple to fix, input to the calculation of
List<PathSegment>should be araw, noturl-decodedpath component value, that will give 2 path segment values in this caseThank you @geoand !
Thanks a lot. We’ll have a look soon