Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AwsProxyHttpServletRequest does not respect Base64-encoded request bodies for form POST's #141

Closed
kdhunter opened this issue Apr 5, 2018 · 1 comment
Closed

AwsProxyHttpServletRequest does not respect Base64-encoded request bodies for form POST's #141

kdhunter opened this issue Apr 5, 2018 · 1 comment
Assignees
@sapessi
Labels
bug
Milestone
Release 1.1

Comments

@kdhunter
Copy link

kdhunter commented Apr 5, 2018

  • Framework version: 1.0 (and the code in repository as of the time I'm submitting this)
  • Implementations: Spring

Scenario

If an AwsProxyRequest is submitted which

  1. Is a POST with a Content-Type of application/x-www-form-urlencoded, and
  2. Has its body content Base64-encoded instead of being "in the clear"

then the form parameters are not decoded properly.

AwsProxyHttpServletRequest properly respects base-64 encoding in situations where HttpServletRequest#getInputStream is used, however
AwsProxyHttpServletRequest#getFormUrlEncodedParametersMap uses request.getBody() without checking to see if the body is Base64-encoded.

The offending code snippet:

    Timer.start("SERVLET_REQUEST_GET_FORM_PARAMS");
    String rawBodyContent = request.getBody();

    urlEncodedFormParameters = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    for (String parameter : rawBodyContent.split(FORM_DATA_SEPARATOR)) {

Expected behavior

Before attempting to decode the parameters out of the body, getFormUrlEncodedParametersMap should check to see if the body of the AwsProxyRequest is Base64-encoded and, if it is, decode the body string before attempting to dissect the parameters.

Actual behavior

getFormUrlEncodedParametersMap fails to check for Base64 encoding of the body, and thus attempts to decode the base64-encoded body string. Since it doesn't see anything that looks like "field1=value1&field2=value2", it fails to transfer any of the parameters into the urlEncodedFormParameters member variable.

Steps to reproduce

AwsProxyRequest request = new AwsProxyRequest();
request.setHttpMethod("POST");
request.setPath("/an/appropriate/path");
request.setHeader("Content-Type", "application/x-www-form-urlencoded");
String body = Base64.getEncoder()
		.encodeToString("field1=value1&field2=value2".getBytes(StandardCharsets.UTF_8));
request.setBody(body);
request.setIsBase64Encoded(true);

and then submit this request to an endpoint expecting a normal form post.

Full log output

No exception is generated - the parameters just "disappear."
@sapessi sapessi self-assigned this Apr 5, 2018
@sapessi sapessi added the bug label Apr 5, 2018
@sapessi sapessi added this to the Release 1.1 milestone Apr 5, 2018
sapessi added a commit that referenced this issue Apr 6, 2018
@sapessi
Changed form parameter parser method to use request input stream inst…
6cd0ab7 
…ead of the raw API Gateway event body to address #141.
@sapessi sapessi mentioned this issue Apr 6, 2018
Merged
@sapessi
Copy link
Collaborator

sapessi commented Apr 6, 2018

Fixed in the latest merge.

@sapessi sapessi closed this as completed Apr 6, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sapessi sapessi

Labels
bug
Projects
None yet
Milestone
Release 1.1
Development

No branches or pull requests
2 participants
@kdhunter @sapessi