Transformation params not properly URL escaped #540

Open
2 of 9 tasks
stirkac opened this issue Mar 29, 2024 · 3 comments

stirkac commented Mar 29, 2024

Bug report for Cloudinary Ruby SDK

Before proceeding, please update to latest version and test if the issue persists - DONE

Describe the bug in a sentence or two.

If the parameters passed to transformation contain a double quote, they are not properly escaped when formulating the Cloudinary URL, causing an invalid URL to be generated.

Issue Type (Can be multiple)

  • Build - Cannot install or import the SDK
  • Performance - Performance issues
  • Behaviour - Functions are not working as expected (such as generate URL)
  • Documentation - Inconsistency between the docs and behaviour
  • Other (Specify)

Steps to reproduce

Run

```ruby
Cloudinary::Utils.cloudinary_url(VIDEO_ID_HERE, { resource_type: "video", transformation: [{ color: '"abc', overlay: { font_family: "Times", font_size: 12, font_weight: "bold", text: "..." } }] })
```

Note the '"abc' for the color.

Error screenshots or Stack Trace (if applicable)

Screenshot 2024-03-28 at 19 29 07

Operating System

  • Linux
  • Windows
  • macOS
  • All

Environment and Libraries (fill in the version numbers)

  • Cloudinary Ruby SDK version - cloudinary (1.29.0)
  • Ruby Version - ruby 3.3.0
  • Rails Version - Rails 7.1.3.2

@wissam-khalili

Hi @stirkac,

Thank you for reaching out.

The example you have provided won't work and you will get:
X-Cld-Error: Invalid color name "abc
Whether we encode it or not - it will not work.

Could you share your use case?
If it's possible, can you provide some other parameter that works if you encode it and we are not encoding?

Best Regards,
Wissam


stirkac commented Apr 1, 2024

Sorry, I made an assumption, but the actual value can be seen from the screenshot that is added: "#e6e6e640
It was an accidental discovery, by pasting the value with the quotation mark. It's hard for me to share the exact code because the transformation hash is dynamically constructed, but if it helps, here's the replicated use case with everything in plain sight:

```json
{"resource_type":"video","sign_url":true,"secure":true,"delivery_type":"authenticated","transformation":[{"color":"\"#e6e6e640","overlay":{"font_family":"Times","font_size":20,"font_weight":"bold","text":"Order #1419 for seb as - [email protected] on Thu, Mar 28, 24"}},{"effect":"anti_removal:90","flags":"layer_apply","gravity":"center"}]}
```

and the resulting url:

```
https://res.cloudinary.com/dymk9xwef/video/upload/s--DIhny0fj--/co_\"#e6e6e640,l_text:Times_20_bold:Order%20%231419%20for%20seb%20as%20-%20sebastjan%40shopcircle.co%20on%20Thu%252C%20Mar%2028%252C%2024/e_anti_removal:90,fl_layer_apply,g_center/dance-2.mp4
```

@wissam-khalili

Hi @stirkac,

We do encode color if a valid color is passed, for example #e6e6e640, so in the resulting URL it will be encoded to: co_rgb:e6e6e640. We do not sanitize input (strip spaces, quotes, etc).
I hope this is helpful.
Regards,
Wissam
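
Since the thread ends with the SDK not sanitizing input, validation of dynamically built transformation values falls to the caller. The following is an added example, not code from the Cloudinary SDK or from either commenter: it rejects a malformed `color` before URL generation and mirrors the `#e6e6e640` to `co_rgb:e6e6e640` mapping stated above. The accepted patterns and all helper names (`validate_color!`, `color_component`, `validate_transformations!`) are assumptions.

```ruby
require "erb"

# Assumption: allow '#' plus 3, 4, 6 or 8 hex digits, or a bare color name.
HEX_COLOR  = /\A#(?:\h{3}|\h{4}|\h{6}|\h{8})\z/
NAME_COLOR = /\A[a-z]+\z/i

class InvalidColor < ArgumentError; end

# Returns the value unchanged when it is well-formed; raises otherwise.
def validate_color!(value)
  str = value.to_s
  return str if HEX_COLOR.match?(str) || NAME_COLOR.match?(str)

  # Include the percent-encoded form so the log entry is unambiguous.
  raise InvalidColor,
        "rejected color #{str.inspect} (percent-encoded: #{ERB::Util.url_encode(str)})"
end

# Mirrors the mapping stated in the thread: "#e6e6e640" -> "co_rgb:e6e6e640".
def color_component(value)
  "co_" + validate_color!(value).sub(/\A#/, "rgb:")
end

# Checks every color entry (symbol or string key) in a transformation array
# before the array is handed to the SDK.
def validate_transformations!(transformations)
  transformations.each do |t|
    color = t[:color] || t["color"]
    validate_color!(color) unless color.nil?
  end
  transformations
end

# Constructed sample, based on the hash posted in the issue.
REPORTED = [
  { "color" => "\"#e6e6e640", "overlay" => { "font_family" => "Times", "font_size" => 20 } },
  { "effect" => "anti_removal:90", "flags" => "layer_apply", "gravity" => "center" }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts color_component("#e6e6e640")
  begin
    validate_transformations!(REPORTED)
  rescue InvalidColor => e
    warn e.message
  end
end
```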
