Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid URL character cause panic #331

Closed
DCjanus opened this issue Dec 9, 2021 · 7 comments
Closed

Invalid URL character cause panic #331

DCjanus opened this issue Dec 9, 2021 · 7 comments
Assignees
@rcoh
Labels
bug This issue is a bug.

Comments

@DCjanus
Copy link

DCjanus commented Dec 9, 2021

Bug Report

Version

aws_sdk_s3 0.2.0 and main branch on github which commit hash is 6feb50d

Platform

Linux DCjanusArchLinuxNUC10 5.15.7-arch1-1 #1 SMP PREEMPT Wed, 08 Dec 2021 14:33:16 +0000 x86_64 GNU/Linux

AWS Services

S3

Description

This code cause panic

#[tokio::test]
async fn test_invalid_key() {
    let config = aws_sdk_s3::Config::builder().build();

    aws_sdk_s3::input::HeadObjectInput::builder()
        .bucket("test")
        .key("<")
        .build()
        .unwrap()
        .make_operation(&config)
        .await;
}

Panic message:

thread 'test_invalid_key' panicked at 'should be valid request: http::Error(InvalidUri(InvalidUriChar))', sdk\s3\src\input.rs:14854:28
@DCjanus DCjanus added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 9, 2021
@rcoh
Copy link
Contributor

rcoh commented Dec 9, 2021

thanks for the report! we'll investigate and get a fix out ASAP

@rcoh rcoh self-assigned this Dec 9, 2021
@rcoh rcoh removed the needs-triage This issue or PR still needs to be triaged. label Dec 9, 2021
@DCjanus
Copy link
Author

DCjanus commented Dec 9, 2021
edited
Loading

Code from here:

aws-sdk-rust/sdk/aws-smithy-http/src/label.rs

Line 18 in 6feb50d

percent_encoding::utf8_percent_encode(t.as_ref(), uri_set).to_string()

Looks like we percent encode when character hit the blacklist, but in the real world, input could be really unexpected, and we should encode characters that not on the whitelist.

Since we are using reqwest and http, there is a builtin whitelist

@DCjanus
Copy link
Author

DCjanus commented Dec 9, 2021
edited
Loading

BTW, maybe we should avoid unwrap or expect as much as we can, since most AWS SDK type is not UnwindSafe.

Which means, I can't use futures::future::FutureExt::catch_unwind to recover my server from panic, which is really horrible.

I don't think expect like this is a good idea, maybe we should return error rather than panic

    fn assemble(
        builder: http::request::Builder,
        body: aws_smithy_http::body::SdkBody,
    ) -> http::request::Request<aws_smithy_http::body::SdkBody> {
        builder.body(body).expect("should be valid request")
    }

@rcoh
Copy link
Contributor

rcoh commented Dec 9, 2021

yeah we will add more exhaustive testing—generally the SDK should never panic when dispatching requests, so this is a bug (and the expect here quickly alerted you to the issue)

@DCjanus
Copy link
Author

DCjanus commented Dec 9, 2021

Sounds good to me, thanks for your help.

rcoh added a commit to smithy-lang/smithy-rs that referenced this issue Dec 9, 2021
@rcoh
Fix label & query URI encoding
6c6f8bc 
awslabs/aws-sdk-rust#331 demonstrated that we were failing to properly encode characters for URI path components and query components in several situation. This:
- Fixes the specific bugs
- Adds proptests (run locally with 16K cases) to verify that this is the complete set.
- Adds an S3-specific protocol test that targets this issue
@rcoh rcoh mentioned this issue Dec 9, 2021
Merged
4 tasks
rcoh added a commit to smithy-lang/smithy-rs that referenced this issue Dec 9, 2021
@rcoh
Fix label & query URI encoding
ad7cdc5 
awslabs/aws-sdk-rust#331 demonstrated that we were failing to properly encode characters for URI path components and query components in several situation. This:
- Fixes the specific bugs
- Adds proptests (run locally with 16K cases) to verify that this is the complete set.
- Adds an S3-specific protocol test that targets this issue
@rcoh rcoh mentioned this issue Dec 9, 2021
Closed
rcoh added a commit to smithy-lang/smithy-rs that referenced this issue Dec 9, 2021
@rcoh
Fix label & query URI encoding (#953)
fe0b125 
* Fix label & query URI encoding

awslabs/aws-sdk-rust#331 demonstrated that we were failing to properly encode characters for URI path components and query components in several situation. This:
- Fixes the specific bugs
- Adds proptests (run locally with 16K cases) to verify that this is the complete set.
- Adds an S3-specific protocol test that targets this issue

* Make the test a bit stronger

* Update changelog
@rcoh
Copy link
Contributor

rcoh commented Dec 9, 2021

Thanks for reporting & debugging! the fix for this has landed upstream and will go out in the next release!

@rcoh rcoh added the pending-release This issue will be fixed by an approved PR that hasn't been released yet. label Dec 9, 2021
@rcoh rcoh closed this as completed Dec 17, 2021
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@rcoh rcoh removed the pending-release This issue will be fixed by an approved PR that hasn't been released yet. label Nov 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rcoh rcoh

Labels
bug This issue is a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rcoh @DCjanus