Describe the Bug
URL handling is not properly encoding query parameter components according to the spec; this leads to various bugs. Found it requesting reset password emails.
The affecting code is:
directus/api/src/utils/url.ts
Lines 69 to 73 in abde5ad
We cannot be building URLs by hand without non-RFC-compliant character handling.
To Reproduce
Request a password reset with a reset_url containing encoded characters. With the REST API:
```bash
curl --request POST \
  --url "$BASE_URL/auth/password/request" \
  --header 'content-type: application/json' \
  --data '{ "email": "sample@example.com", "reset_url": "https://example.com/sample-ath?sample_encoded_parameter=sample%2Bvalue%21" }'
```
Optionally in GraphQL:
```graphql
mutation auth_password_request {
  auth_password_request(
    email: "sample@example.com"
    reset_url: "https://example.com/sample-ath?sample_encoded_parameter=sample%2Bvalue%21"
  )
}
```
As you can see, the URL contains a parameter sample_encoded_parameter with the value sample+value! (which, when encoded, corresponds to sample%2Bvalue%21).
An email will be sent with the following reset link:
https://example.com/sample-ath?sample_encoded_parameter=sample+value!&token=JWT_TOKEN_REDACTED
Instead we should be receiving:
https://example.com/sample-ath?sample_encoded_parameter=sample%2Bvalue%21&token=JWT_TOKEN_REDACTED
Directus is unescaping the query parameters, and they should be kept as-is (here demonstrated for values, but it affects keys too).
Errors Shown
No response
What version of Directus are you using?
9.22.4
What version of Node.js are you using?
18.13.0
What database are you using?
(not relevant) PostgreSQL 13
What browser are you using?
(not relevant) Chrome
How are you deploying Directus?
locally and Docker; PaaS is not affected
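The following is an added TypeScript illustration of the failure mode the report describes; it is not part of the issue and is not Directus's own url.ts. The function names buildResetUrlLossy, buildResetUrlPreserving and recipientSees are hypothetical, and the sample reset_url is the one from the report above. The lossy builder decodes the query into a map and re-joins it by hand, which produces exactly the broken link shown in the report; the preserving builder leaves the caller's query string untouched and appends only the new, properly encoded token component.

```typescript
// Added illustration of the reported bug. Both builders are hypothetical and
// are NOT Directus's url.ts: "lossy" reproduces the observed behaviour,
// "preserving" shows how to append a parameter without altering the rest.

// Sample reset_url, constructed from the report above.
const SAMPLE_RESET_URL =
  "https://example.com/sample-ath?sample_encoded_parameter=sample%2Bvalue%21";

// Lossy: decode the query into a plain object, add the token, re-join by hand.
// The decoded values are concatenated without re-encoding, so "%2B" and
// "%21" are emitted as literal "+" and "!" in the link.
function buildResetUrlLossy(resetUrl: string, token: string): string {
  const u = new URL(resetUrl);
  const params: Record<string, string> = {};
  u.searchParams.forEach((value, key) => {
    params[key] = value; // already percent-decoded by URLSearchParams
  });
  params["token"] = token;
  const query = Object.entries(params)
    .map(([key, value]) => `${key}=${value}`) // no encoding: the defect
    .join("&");
  return `${u.origin}${u.pathname}?${query}`;
}

// Preserving: keep the caller's query string byte-for-byte as supplied and
// append only the new component, encoded with encodeURIComponent. The URL
// "search" setter does not re-encode existing percent-escapes.
function buildResetUrlPreserving(resetUrl: string, token: string): string {
  const u = new URL(resetUrl);
  const existing = u.search.startsWith("?") ? u.search.slice(1) : "";
  const tokenPart = `token=${encodeURIComponent(token)}`;
  u.search = existing.length > 0 ? `${existing}&${tokenPart}` : tokenPart;
  return u.toString();
}

// What the recipient's client actually sees for a parameter after parsing the
// link it received (form-urlencoded rules apply, so a bare "+" means space).
function recipientSees(link: string, key: string): string | null {
  return new URL(link).searchParams.get(key);
}

const demoToken = "JWT_TOKEN_REDACTED";
console.log("lossy:      ", buildResetUrlLossy(SAMPLE_RESET_URL, demoToken));
console.log("preserving: ", buildResetUrlPreserving(SAMPLE_RESET_URL, demoToken));
console.log(
  "recipient gets (lossy):      ",
  recipientSees(buildResetUrlLossy(SAMPLE_RESET_URL, demoToken), "sample_encoded_parameter"),
);
console.log(
  "recipient gets (preserving): ",
  recipientSees(buildResetUrlPreserving(SAMPLE_RESET_URL, demoToken), "sample_encoded_parameter"),
);
```

The recipientSees check is the point of the example: with the lossy link the application on the other end parses `sample+value!` as `sample value!`, so the value has silently changed, whereas the preserving link round-trips to `sample+value!`. Note that rebuilding the whole query through URLSearchParams is also not a faithful fix: its form-urlencoded serializer rewrites characters such as `~` and turns `%20` into `+`, so the safe approach is to append the new component and leave the supplied query alone.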
Linear: ENG-476