Fix the issue encountered when the value of queries starting with '{'#555
Conversation
|
I feel like this is yuk. Yuk that it requires so much care, but this is
sort of par for the course.
Since adding a public api, probably good to javadoc when you need this.
Also note in comment where used. If there is a way to make ribbon break
without. Test there would be nice too
…On 25 Apr 2017 17:36, "Echo19890615" ***@***.***> wrote:
When using RibbonClient, the starting %7B in the value of queries would
be replaced with {. For example, a request URL like
http://example.com/q?p=%7Baaa%7D would become http://example.com/q?p={aaa}
after passing toRequest() in feign.ribbon.LBClient.
This issue could make feign not able to play with newer versions of Tomcat
after fixing CVE-2016-6816.
------------------------------
You can view, comment on, or merge this pull request online at:
#555
Commit Summary
- fix: support the query values starting with {, when use
RibbonClient。different from #540.
File Changes
- *M* core/src/main/java/feign/RequestTemplate.java
<https://github.com/OpenFeign/feign/pull/555/files#diff-0> (45)
- *M* core/src/test/java/feign/RequestTemplateTest.java
<https://github.com/OpenFeign/feign/pull/555/files#diff-1> (10)
- *M* ribbon/src/main/java/feign/ribbon/LBClient.java
<https://github.com/OpenFeign/feign/pull/555/files#diff-2> (2)
Patch Links:
- https://github.com/OpenFeign/feign/pull/555.patch
- https://github.com/OpenFeign/feign/pull/555.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#555>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAD614c7R-glXxEUtwYQ-xcZR8wfgIkKks5rzb63gaJpZM4NHOyx>
.
|
|
i am puzzled, is this a bug? |
|
Hi, adriancole IMHO this is a serious issue. That makes a request with queries whose value is a json string have chance to get a response with code 400 since the request line contains "unwise" characters referring to RFC 2396. We want to use Ribbon in our project & are really appreciate that Feign can reduce our work. So we do this to make Feign suitable for wider use.
|
|
just an aside, I think there's other types of things that will probably break similarly.. iirc there was some outstanding work due to elasticsearch's query api as well. |
| } | ||
|
|
||
| /** | ||
| * Append the specified {@code value} to {@code url} without decoding or encoding. Append all |
There was a problem hiding this comment.
lots of doc. but no example. forward referencing to ribbon probably won't help people understand.
Try to shorten this to maybe two succinct sentences and an example.
Ex.
Like {@link #foo} except ..
<p> <-- note p not br and the newline break makes it easy to read, too..
ex if your input is X unless you call this method, it would become Y
| import java.util.Map; | ||
| import java.util.Map.Entry; | ||
|
|
||
| import static feign.Util.CONTENT_LENGTH; |
|
|
||
| @Test | ||
| public void appendDirectlytest() throws Exception { | ||
| String url = "http://test.feign.com/query?params=%7b%22int%22%3a1%2c%22string%22%3a%22str%22%7d"; |
There was a problem hiding this comment.
comment why we care. ex people won't necessarily be able to understand that this is escaped json (if it is)
| return new RequestTemplate() | ||
| .method(request.method()) | ||
| .append(getUri().toASCIIString()) | ||
| .appendDirectly(getUri().toASCIIString()) |
There was a problem hiding this comment.
since this is only added for ribbon, there should be a test here.
There was a problem hiding this comment.
the junit for RibbonRequest.toRequest() has been added, please review
| return new RequestTemplate() | ||
| .method(request.method()) | ||
| .append(getUri().toASCIIString()) | ||
| .appendDirectly(getUri().toASCIIString()) |
There was a problem hiding this comment.
wait.. couldn't this be much easier by just making a request?
There was a problem hiding this comment.
like this..
Request toRequest() {
return Request.create(
request.method(),
getUri().toASCIIString(),
request.headers(),
request.body(), request.charset()
);
}There was a problem hiding this comment.
Using Request.create() is exactly easier to make an orignal request, thanks for reminding :) . But the old code(use append) has the logic that add the header "Content-Length" to the request. Base on keeping the old logic and code reuse, should we continue to use appendDirectly()?
|
I think based on how confusing the alternative is, and that it requires a
new public api to implement it.. stick with Request.create until that
becomes a problem. That way, this can be a patch release
|
…junit" This reverts commit c48d8c8.
…junit test" This reverts commit 821c9d4.
…nClient。different from OpenFeign#540." This reverts commit 6ccea8a.
…t, by using Request.create()
|
| final byte[] body = request.body(); | ||
| final int bodyLength = body != null ? body.length : 0; | ||
| // create a new Map to avoid side effect, not to change the old headers | ||
| Map<String, Collection<String>> headers = new HashMap<String, Collection<String>>(); |
There was a problem hiding this comment.
please use LinkedHashMap as this ensures tests don't flake on iteration order
| assertEquals(requestOrign.charset(), requestGetFormToRequest.charset()); | ||
| assertNotNull(requestOrign.headers()); | ||
| assertEquals(0, requestOrign.headers().size()); // double check the baseline Request | ||
| assertNotNull(requestGetFormToRequest.headers()); // double check the baseline Request, header is not null, but empty |
There was a problem hiding this comment.
avoid checks that are duplicated from constructor (I think it isn't possible that this is null)
| Request requestGetFormToRequest = ribbonRequest.toRequest(); | ||
|
|
||
| // test the same attributes | ||
| assertEquals(requestOrign.method(), requestGetFormToRequest.method()); |
There was a problem hiding this comment.
this test is kindof hard to read. Can you look at other unit tests? you'll notice we use assertj which is helpful
|
if you don't mind, try and cleanup for merge in the next couple days so we can get this out over the weekend. Will be doing a release then. cc @jfuerth |
…st by using assertj
|
LGTM let me know if you are ready for merge |
|
Of course! Feel free to merge it. |
…OpenFeign#555) support the query values starting with {, when use RibbonClient。different from OpenFeign#540.
3 participants
When using RibbonClient, the starting
%7Bin the value of queries would be replaced with{. For example, a request URL likehttp://example.com/q?p=%7Baaa%7Dwould becomehttp://example.com/q?p={aaa}after passingtoRequest()in feign.ribbon.LBClient.This issue could make feign not able to play with newer versions of Tomcat after fixing CVE-2016-6816.