Ruby: Avoid double escaping path items (#3093)

ccouzens · autopp · commit 4e9d2264430a · 2019-06-05T19:54:23.000+09:00
`URI.encode` is obsolete. `CGI.escape`, `URI.encode_www_form` or `URI.encode_www_form_component` are recommended instead. https://ruby-doc.org/stdlib-2.6/libdoc/uri/rdoc/URI/Escape.html#method-i-escape URI.encode has different behaviour to CGI.escape: ```ruby URI.encode('hello/world?test%string') => "hello/world?test%25string" CGI.escape('hello/world?test%string') => "hello%2Fworld%3Ftest%25string" ``` I recently raised pull request #3039 201cbdc That pull request escapes path items at insertion. Before either pull request, the path item 'hello?world' would go into the URL as 'hello?world'. That behaviour was insecure as if an attacker could control the path item value, they could change the URL the application connected to. After #3039 'hello?world' would go in as 'hello%253Fworld'. This was safer than before, but it's still not correct. If I'd realised at the time, I would have made it correct at the time. What this pull request does is make it go in as 'hello%35world', which is correct. ApiClient::build_request_url was URI.encoding the whole path. This wasn't protecting against all undesirable characters in the path items, but was escaping % characters a 2nd time which was unhelpful. I have additionally removed URI.encode from Configuration::base_url as I can't see any benefit it could be bringing. There is no justification for it in the commit where it was originally added: 47c8597
diff --git a/modules/openapi-generator/src/main/resources/ruby-client/api.mustache b/modules/openapi-generator/src/main/resources/ruby-client/api.mustache
@@ -2,7 +2,6 @@
 {{> api_info}}
 =end
 
-require 'uri'
 require 'cgi'
 
 module {{moduleName}}
diff --git a/modules/openapi-generator/src/main/resources/ruby-client/api_client.mustache b/modules/openapi-generator/src/main/resources/ruby-client/api_client.mustache
@@ -7,7 +7,6 @@ require 'json'
 require 'logger'
 require 'tempfile'
 require 'typhoeus'
-require 'uri'
 
 module {{moduleName}}
   class ApiClient
@@ -256,7 +255,7 @@ module {{moduleName}}
     def build_request_url(path)
       # Add leading and trailing slashes to path
       path = "/#{path}".gsub(/\/+/, '/')
-      URI.encode(@config.base_url + path)
+      @config.base_url + path
     end
 
     # Builds the HTTP request body
diff --git a/modules/openapi-generator/src/main/resources/ruby-client/configuration.mustache b/modules/openapi-generator/src/main/resources/ruby-client/configuration.mustache
@@ -2,8 +2,6 @@
 {{> api_info}}
 =end
 
-require 'uri'
-
 module {{moduleName}}
   class Configuration
     # Defines url scheme
@@ -166,8 +164,7 @@ module {{moduleName}}
     end
 
     def base_url
-      url = "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
-      URI.encode(url)
+      "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
     end
 
     # Gets API key (with prefix if set).
diff --git a/samples/client/petstore/ruby/lib/petstore/api/another_fake_api.rb b/samples/client/petstore/ruby/lib/petstore/api/another_fake_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/client/petstore/ruby/lib/petstore/api/fake_api.rb b/samples/client/petstore/ruby/lib/petstore/api/fake_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/client/petstore/ruby/lib/petstore/api/fake_classname_tags123_api.rb b/samples/client/petstore/ruby/lib/petstore/api/fake_classname_tags123_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/client/petstore/ruby/lib/petstore/api/pet_api.rb b/samples/client/petstore/ruby/lib/petstore/api/pet_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/client/petstore/ruby/lib/petstore/api/store_api.rb b/samples/client/petstore/ruby/lib/petstore/api/store_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/client/petstore/ruby/lib/petstore/api/user_api.rb b/samples/client/petstore/ruby/lib/petstore/api/user_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/client/petstore/ruby/lib/petstore/api_client.rb b/samples/client/petstore/ruby/lib/petstore/api_client.rb
@@ -15,7 +15,6 @@
 require 'logger'
 require 'tempfile'
 require 'typhoeus'
-require 'uri'
 
 module Petstore
   class ApiClient
@@ -262,7 +261,7 @@ def sanitize_filename(filename)
     def build_request_url(path)
       # Add leading and trailing slashes to path
       path = "/#{path}".gsub(/\/+/, '/')
-      URI.encode(@config.base_url + path)
+      @config.base_url + path
     end
 
     # Builds the HTTP request body
diff --git a/samples/client/petstore/ruby/lib/petstore/configuration.rb b/samples/client/petstore/ruby/lib/petstore/configuration.rb
@@ -10,8 +10,6 @@
 
 =end
 
-require 'uri'
-
 module Petstore
   class Configuration
     # Defines url scheme
@@ -174,8 +172,7 @@ def base_path=(base_path)
     end
 
     def base_url
-      url = "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
-      URI.encode(url)
+      "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
     end
 
     # Gets API key (with prefix if set).
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/api/another_fake_api.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/api/another_fake_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/api/default_api.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/api/default_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/api/fake_api.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/api/fake_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/api/fake_classname_tags123_api.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/api/fake_classname_tags123_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/api/pet_api.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/api/pet_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/api/store_api.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/api/store_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/api/user_api.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/api/user_api.rb
@@ -10,7 +10,6 @@
 
 =end
 
-require 'uri'
 require 'cgi'
 
 module Petstore
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/api_client.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/api_client.rb
@@ -15,7 +15,6 @@
 require 'logger'
 require 'tempfile'
 require 'typhoeus'
-require 'uri'
 
 module Petstore
   class ApiClient
@@ -262,7 +261,7 @@ def sanitize_filename(filename)
     def build_request_url(path)
       # Add leading and trailing slashes to path
       path = "/#{path}".gsub(/\/+/, '/')
-      URI.encode(@config.base_url + path)
+      @config.base_url + path
     end
 
     # Builds the HTTP request body
diff --git a/samples/openapi3/client/petstore/ruby/lib/petstore/configuration.rb b/samples/openapi3/client/petstore/ruby/lib/petstore/configuration.rb
@@ -10,8 +10,6 @@
 
 =end
 
-require 'uri'
-
 module Petstore
   class Configuration
     # Defines url scheme
@@ -174,8 +172,7 @@ def base_path=(base_path)
     end
 
     def base_url
-      url = "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
-      URI.encode(url)
+      "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
     end
 
     # Gets API key (with prefix if set).
