Skip to content
This repository has been archived by the owner on Feb 25, 2022. It is now read-only.

escape or don't use __ow_path to pass external resource url #11

Closed
tripodsan opened this issue Mar 27, 2020 · 3 comments · Fixed by #81
Closed

escape or don't use __ow_path to pass external resource url #11

tripodsan opened this issue Mar 27, 2020 · 3 comments · Fixed by #81
Labels
bug Something isn't working released

Comments

@tripodsan
Copy link
Contributor

tripodsan commented Mar 27, 2020
edited
Loading

Description
this action receives the external resource URL as unescaped path suffix via the __ow_path parameter. this has the drawback, that the query parameters of the resource URL bleed into the action parameters. this makes it volatile to changes in the resource URL, since each extractor needs to anticipate the potential query parameters needed. also, it prevents using query params for real action params.

also see:

Suggestion A

The minimal change that could be done is to url-escape the external resource.

so instead of:

https://adobeioruntime.net/api/v1/web/helix/helix-serivces/data-embed@v1/https://adobe.sharepoint.com/sites/TheBlog/_layouts/15/guestaccess.aspx?share=ESR1N29Z7HpCh1Zfs_0YS_gB4gVSuKyWRut-kNcHVSvkew&email=helix%40adobe.com&e=hx0OUl

we'd use:

https://adobeioruntime.net/api/v1/web/helix/helix-serivces/data-embed@v1/https%3A%2F%2Fadobe.sharepoint.com%2Fsites%2FTheBlog%2F_layouts%2F15%2Fguestaccess.aspx%3Fshare%3DESR1N29Z7HpCh1Zfs_0YS_gB4gVSuKyWRut-kNcHVSvkew%26email%3Dhelix%2540adobe.com%26e%3Dhx0OUl

Suggestion B

an alternative approach is not to use the __ow_path but a normal action parameter, eg:

https://adobeioruntime.net/api/v1/web/helix/helix-serivces/data-embed@v1?r=https%3A%2F%2Fadobe.sharepoint.com%2Fsites%2FTheBlog%2F_layouts%2F15%2Fguestaccess.aspx%3Fshare%3DESR1N29Z7HpCh1Zfs_0YS_gB4gVSuKyWRut-kNcHVSvkew%26email%3Dhelix%2540adobe.com%26e%3Dhx0OUl
@tripodsan tripodsan added the bug Something isn't working label Mar 27, 2020
@tripodsan tripodsan changed the title don't use __ow_path to pass external resource url escape or don't use __ow_path to pass external resource url Mar 27, 2020
@trieloff
Copy link
Contributor

I'd like to keep the change backwards-compatible. This means we could make suggestion B work easily, suggestion A would be a bit harder, but I think we can check for __ow_path starting with either /^https?:\/\/ or /^https%3A%2F%2F/.

Given that we use this approach in helix-embed, too we might even turn this into a generalized wrapper that turns genetic open whisk arguments into cleaned arguments that have a __ow_uri with the extracted or restored URI.

@tripodsan
Copy link
Contributor Author

I think keeping it backward compatible doesn't gain much and only complicates the checks.
I would rather have a breaking change, and use the new major version.

tripodsan added a commit that referenced this issue Jun 9, 2020
@tripodsan
feat: escape path and support 'src' parameter
f43d1d7 
fixes #11
@tripodsan tripodsan mentioned this issue Jun 9, 2020
Merged
tripodsan added a commit that referenced this issue Jun 9, 2020
@tripodsan
feat: escape path and support 'src' parameter (#81)
17c3da4 
fixes #11
trieloff pushed a commit that referenced this issue Jun 9, 2020
@semantic-release-bot
chore(release): 1.6.0 [skip ci]
8a8421c 
# [1.6.0](v1.5.12...v1.6.0) (2020-06-09)

### Features

* escape path and support 'src' parameter ([#81](#81)) ([17c3da4](17c3da4)), closes [#11](#11)
@trieloff
Copy link
Contributor

trieloff commented Jun 9, 2020

🎉 This issue has been resolved in version 1.6.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: escape path and support 'src' parameter adobe/helix-data-embed
2 participants
@trieloff @tripodsan