escaping inconsistent #1220
Comments
this was observed under 3.3.1 and also |
Thanks for the report, @srl295! We've had this issue crop up in the past, looks like we might have a blind spot. |
```js
const url = require("url");

url.parse("http://example.com/'").href;
// --> http://example.com/%27
```
@shockey this is via node.js API, not browser. And interesting, looking at your inspector… in this case though, the HTTP request isn't wrong, the problem is that what's passed to the interceptor is not what goes out over the wire. The Fetch module does another escaping after the interceptor is done. I think I can make a standalone case for it.
Ah, got it. My hunch is that this is an implementation difference. Looking forward to a demo for this (a failing test would be great!) |
@srl295 ping? :) |
For: swagger-api#1220

`npm t` gives:

> Error: Expected 'percent-twentyseven' to equal 'quote'

* Request has a quote (') in it
* The interceptor sees req.url ending in quote (') which is a perfectly valid thing for a URL to end in…
* However, the xmock shows the actual URL ends in /%27
@webron pong ^ |
@shockey ping ^ ? |
@srl295 pong! will look at this soon 😄 |
@srl295 thank you for reporting this and for providing a failing test. The problem is in node-fetch library that we use when Actual url requested in node.js
Actual url requested in browser

`fetch("http://localhost:8080/ '")` -> url: `/%20'`

The actual problem lies in node-fetch implementation of fetch interface. The implementation is using legacy API instead of new WHATWG URL API. And that is causing inconsistencies. Fortunately [email protected] switched to new WHATWG URL API. So the moment we switch to major version 3.x of node-fetch this issue will auto-correct.

I'm leaving this issue open until we update node-fetch to 3.x branch. Before closing this issue #1252 needs to be incorporated into our tests to verify that the problem is gone.
@char0n thanks! |
🎉 This issue has been resolved in version 3.21.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
We ran into an issue IBM-Cloud/gp-js-client#113 where a path component (part of a parameter) was for example `a '` (A, space, quote). Going into the URL Interceptor so that we can add authorization the path was escaped to a URL such as `http://example.com/api/a%20'` - so far so good. But then, when the request was actually sent, the Fetch module ran the URL through `url.parse` again, resulting in `http://example.com/api/a%20%27`. This results in the same logical behavior, however, the exact URL string is different causing our HMAC calculation to be wrong.

I worked around this in https://github.com/IBM-Cloud/gp-js-client/pull/114/files#diff-38aee4b3886a621f8daddb4104803472R91 by having an interceptor run `url.parse()` on the URL pre-emptively before HMAC calculation, which makes the later parse a no-op.

I was a little surprised that quote (%27) gets escaped as it is acceptable per HTTP. Probably the larger issue is that the escaping that happens within swagger-js should match the escaping that actually goes out on the wire.
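The mismatch described in the report, as an added example that is not code from swagger-js, node-fetch or gp-js-client: a signature computed over the URL the interceptor sees fails verification once the URL is re-escaped before sending, while signing the pre-normalised URL succeeds. The signing format, the secret and all function names are assumptions; Node's legacy `url.parse` stands in for the second escaping pass the thread attributes to the fetch layer.

```javascript
const crypto = require("crypto");
const url = require("url");

const SECRET = "constructed-demo-secret"; // constructed key, for illustration only

// Hypothetical signing scheme: HMAC-SHA256 over method and the exact URL string.
function sign(method, requestUrl) {
  return crypto.createHmac("sha256", SECRET)
    .update(`${method}\n${requestUrl}`).digest("hex");
}

// Second escaping pass applied after the interceptor returns (legacy parser).
function wireUrl(requestUrl) {
  return url.parse(requestUrl).href;
}

// Signs the URL exactly as handed to the interceptor.
function naiveInterceptor(req) {
  req.headers.Authorization = sign(req.method, req.url);
  return req;
}

// Workaround from the report: normalise first so the later parse is a no-op.
function canonicalInterceptor(req) {
  req.url = url.parse(req.url).href;
  req.headers.Authorization = sign(req.method, req.url);
  return req;
}

// Verifier recomputes the HMAC over the URL that actually went out on the wire.
function serverAccepts(req) {
  const expected = Buffer.from(sign(req.method, wireUrl(req.url)), "hex");
  const got = Buffer.from(req.headers.Authorization, "hex");
  return expected.length === got.length && crypto.timingSafeEqual(expected, got);
}

function demo() {
  // Constructed request using the URL from the report.
  const make = () => ({ method: "GET", url: "http://example.com/api/a%20'", headers: {} });
  return {
    wire: wireUrl(make().url),
    naive: serverAccepts(naiveInterceptor(make())),
    canonical: serverAccepts(canonicalInterceptor(make())),
  };
}

console.log(demo());
```

Any scheme that signs a URL string needs both sides to agree on one canonical form, and the signer has to see that form after the last component that can rewrite it.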