Fix for Signing Error when ampersand character included in HttpQuery when using DefaultAwsCrtV4aSigner (#4800)

joviegas · web-flow · commit 722f187b0df0 · 2023-12-27T13:19:43.000-08:00
* Fix for Signing Error when ampersand character included in HttpQuery when using DefaultAwsCrtV4aSigner
diff --git a/.changes/next-release/bugfix-AWSSDKforJavav2-aada2c3.json b/.changes/next-release/bugfix-AWSSDKforJavav2-aada2c3.json
@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS SDK for Java v2",
+    "contributor": "",
+    "description": "Fix for Signing Error when ampersand character included in HttpQuery when using DefaultAwsCrtV4aSigner."
+}
diff --git a/core/auth-crt/src/main/java/software/amazon/awssdk/authcrt/signer/internal/CrtHttpRequestConverter.java b/core/auth-crt/src/main/java/software/amazon/awssdk/authcrt/signer/internal/CrtHttpRequestConverter.java
@@ -16,6 +16,7 @@
 package software.amazon.awssdk.authcrt.signer.internal;
 
 import static java.lang.Math.min;
+import static software.amazon.awssdk.utils.http.SdkHttpUtils.urlDecode;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -82,7 +83,7 @@ public SdkHttpFullRequest crtRequestToHttp(SdkHttpFullRequest inputRequest, Http
         }
 
         builder.encodedPath(fullUri.getRawPath());
-        String remainingQuery = fullUri.getQuery();
+        String remainingQuery = fullUri.getRawQuery();
 
         builder.clearQueryParameters();
         while (remainingQuery != null && remainingQuery.length() > 0) {
@@ -95,14 +96,14 @@ public SdkHttpFullRequest crtRequestToHttp(SdkHttpFullRequest inputRequest, Http
                     queryValue = remainingQuery.substring(nextAssign + 1, nextQuery);
                 }
 
-                builder.appendRawQueryParameter(queryName, queryValue);
+                builder.appendRawQueryParameter(urlDecode(queryName), urlDecode(queryValue));
             } else {
                 String queryName = remainingQuery;
                 if (nextQuery >= 0) {
                     queryName = remainingQuery.substring(0, nextQuery);
                 }
 
-                builder.appendRawQueryParameter(queryName, null);
+                builder.appendRawQueryParameter(urlDecode(queryName), null);
             }
 
             if (nextQuery >= 0) {
diff --git a/core/auth-crt/src/test/java/software/amazon/awssdk/authcrt/signer/internal/CrtHttpRequestConverterTest.java b/core/auth-crt/src/test/java/software/amazon/awssdk/authcrt/signer/internal/CrtHttpRequestConverterTest.java
@@ -25,6 +25,9 @@
 import java.util.List;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 import software.amazon.awssdk.crt.http.HttpHeader;
 import software.amazon.awssdk.crt.http.HttpRequest;
 import software.amazon.awssdk.crt.http.HttpRequestBodyStream;
@@ -71,6 +74,49 @@ public void request_withHeaders_isConvertedToCrtFormat() {
         assertHttpRequestSame(request, crtHttpRequest);
     }
 
+    public static List<Arguments> specialCharactersEncoding() {
+        return Arrays.asList(
+            Arguments.of("hello world", "hello%20world"),
+            Arguments.of("apple & orange", "apple%20%26%20orange"),
+            Arguments.of("/path/to/resource", "%2Fpath%2Fto%2Fresource"),
+            Arguments.of("search?q=term", "search%3Fq%3Dterm"),
+            Arguments.of("key=value", "key%3Dvalue"),
+            Arguments.of("section#1", "section%231"),
+            Arguments.of("one+two", "one%2Btwo"),
+            Arguments.of("user@domain.com", "user%40domain.com"),
+            Arguments.of("protocol:8080", "protocol%3A8080"),
+            Arguments.of("item1;item2", "item1%3Bitem2"),
+            Arguments.of("apple,orange", "apple%2Corange"),
+            Arguments.of("quoted text", "quoted%20text"),
+            Arguments.of("don't", "don%27t"),
+            Arguments.of("20% discount", "20%25%20discount"),
+            Arguments.of("important!", "important%21"),
+            Arguments.of("(example)", "%28example%29"),
+            Arguments.of("items[1]", "items%5B1%5D"),
+            Arguments.of("{key: 'value'}", "%7Bkey%3A%20%27value%27%7D"),
+            Arguments.of("first line\nsecond line", "first%20line%0Asecond%20line"),
+            Arguments.of("before\rafter", "before%0Dafter"),
+            Arguments.of("left\tcenter\tright", "left%09center%09right")
+        );
+    }
+
+    @ParameterizedTest(name = "{index} {0}")
+    @MethodSource("specialCharactersEncoding")
+    public void request_withSpecialCharactersQueryParams_isConvertedToCrtFormat(String rawParameters, String encodedParameters) {
+        SdkHttpFullRequest request = SdkHttpFullRequest.builder()
+                                                       .method(SdkHttpMethod.GET)
+                                                       .putRawQueryParameter("headerOne", rawParameters)
+                                                       .putHeader("Host", "demo.us-east-1.amazonaws.com")
+                                                       .encodedPath("/path")
+                                                       .uri(URI.create("https://demo.us-east-1.amazonaws.com"))
+                                                       .build();
+        HttpRequest crtHttpRequest = converter.requestToCrt(request);
+        assertThat(crtHttpRequest.getMethod()).isEqualTo("GET");
+        assertThat(crtHttpRequest.getEncodedPath()).isEqualTo(String.format("/path?headerOne=%s", encodedParameters));
+        assertHttpRequestSame(request, crtHttpRequest);
+    }
+
+
     @Test
     public void request_withQueryParams_isConvertedToCrtFormat() {
         SdkHttpFullRequest request = SdkHttpFullRequest.builder()
@@ -87,6 +133,55 @@ public void request_withQueryParams_isConvertedToCrtFormat() {
         assertHttpRequestSame(request, crtHttpRequest);
     }
 
+
+    @Test
+    public void request_withQueryParams_WithAmpersandAndEqualsInKeyAndValue_isConvertedToCrtFormat() {
+        SdkHttpFullRequest request = SdkHttpFullRequest.builder()
+                                                       .method(SdkHttpMethod.GET)
+                                                       .putRawQueryParameter("ampersand&", "one & two")
+                                                       .putRawQueryParameter("equals=", "three = three")
+                                                       .putHeader("Host", "demo.us-east-1.amazonaws.com")
+                                                       .encodedPath("/path")
+                                                       .uri(URI.create("https://demo.us-east-1.amazonaws.com"))
+                                                       .build();
+        HttpRequest crtHttpRequest = converter.requestToCrt(request);
+        assertThat(crtHttpRequest.getMethod()).isEqualTo("GET");
+        assertThat(crtHttpRequest.getEncodedPath()).isEqualTo("/path?ampersand%26=one%20%26%20two&equals%3D=three%20%3D%20three");
+        assertHttpRequestSame(request, crtHttpRequest);
+    }
+
+    @Test
+    public void request_withQueryParams_AmpersandAndEqualsInValue_isConvertedToCrtFormat() {
+        SdkHttpFullRequest request = SdkHttpFullRequest.builder()
+                                                       .method(SdkHttpMethod.GET)
+                                                       .putRawQueryParameter("ampersand", "one & two")
+                                                       .putRawQueryParameter("equals", "three = three")
+                                                       .putHeader("Host", "demo.us-east-1.amazonaws.com")
+                                                       .encodedPath("/path")
+                                                       .uri(URI.create("https://demo.us-east-1.amazonaws.com"))
+                                                       .build();
+        HttpRequest crtHttpRequest = converter.requestToCrt(request);
+        assertThat(crtHttpRequest.getMethod()).isEqualTo("GET");
+        assertThat(crtHttpRequest.getEncodedPath()).isEqualTo("/path?ampersand=one%20%26%20two&equals=three%20%3D%20three");
+        assertHttpRequestSame(request, crtHttpRequest);
+    }
+
+    @Test
+    public void request_withQueryParams_EmptyApersandAndEqualsInValue_isConvertedToCrtFormat() {
+        SdkHttpFullRequest request = SdkHttpFullRequest.builder()
+                                                       .method(SdkHttpMethod.GET)
+                                                       .putRawQueryParameter("&ampersand&", "")
+                                                       .putRawQueryParameter("=equals=", "")
+                                                       .putHeader("Host", "demo.us-east-1.amazonaws.com")
+                                                       .encodedPath("/path")
+                                                       .uri(URI.create("https://demo.us-east-1.amazonaws.com"))
+                                                       .build();
+        HttpRequest crtHttpRequest = converter.requestToCrt(request);
+        assertThat(crtHttpRequest.getMethod()).isEqualTo("GET");
+        assertThat(crtHttpRequest.getEncodedPath()).isEqualTo("/path?%26ampersand%26=&%3Dequals%3D=");
+        assertHttpRequestSame(request, crtHttpRequest);
+    }
+
     @Test
     public void request_withEmptyPath_isConvertedToCrtFormat() {
         SdkHttpFullRequest request = SdkHttpFullRequest.builder()
