Escape Character %2F in Path Parameter of RestInterface Leads to 404

[vnayar]

Summary:

It seems as if URL decoding of URL path parameters happens before path segments are separated, leading the URLRouter to be unable to find matching routes if a path parameter value contains a URL encoded / character as %2F.

Reproduction Steps:

Consider the following example program:

import vibe.vibe;

void main()
{
  auto settings = new HTTPServerSettings;
  settings.port = 8090;
  settings.bindAddresses = ["::1", "127.0.0.1"];
  auto router = new URLRouter();
  router.registerRestInterface(new Api());
  auto listener = listenHTTP(settings, router);
  scope (exit) {
    listener.stopListening();
  }
  logInfo("Please open http://127.0.0.1:8090/ in your browser.");
  runApplication();
}

@path("/api")
interface ApiI {
  @path("/:name/age")
  string getAge(string _name) @safe;
}

class Api : ApiI {
  override
  string getAge(string _name) @safe {
    return _name ~ " is 3 years old.";
  }
}

Called with the :name parameter set to bob works as expected:

l$ curl http://localhost:8090/api/bob/age
"bob is 3 years old."

However, escaping a / character as %2F causes a 404 error. For example, URL encoding the value bob/ham results in bob%2Fham and the following interaction:

$ curl http://localhost:8090/api/bob%2Fham/age
404 - Not Found

Not Found

Internal error information:
No routes match path '/api/bob%2Fham/age'

Expected Result:

For the URL http://localhost:8090/api/bob%2Fham/age, the value bob%2Fham should have been recognized as being the path parameter :name, URL decoded, and then given as the function parameter _name with value bob/ham.

[s-ludwig]

Relevant place in the implementation:

vibe-http/source/vibe/http/router.d

Lines 210 to 215 in 39e7429

	// NOTE: Instead of failing, we just ignore requests with invalid path
	// segments (i.e. containing path separators) here. Any request
	// handlers later in the queue may still choose to process them
	// appropriately.
	try path = (cast(PosixPath)req.requestPath).toString();
	catch (Exception e) return;

In order to allow matching such internal slashes, we'd have to do some deeper changes here, but as long as they are just part of a placeholder, we may get away with replacing slashes in path segments with some Unicode character as a replacement for the matching process. When filling the placeholders later, this would then have to be reverted appropriately.

It does have the disadvantage of being ambiguous for the case where a path segment actually already contains this replacement character in the input and we'd have to think well about possible security implications (and in doubt just ignore request that contain them).

[vnayar]

I added two small changes that should make this possible:

• Add utility to build GenericPaths from unencoded strings. vibe-core#396 - Adds the ability to create a GenericPath from an unencoded string.
• Decode path parameters and encode URLRouter paths. #35 - Depends on the previous PR, replaces logic that aborts if a segment contains a path separator with two changes: decode path parameters during matching, and encode paths during registration of paths in a router.

[vnayar]

Issue is resolved with the merging of #35.