If the device custom protocol contains '&', '<', '>' characters, the devsdk_add_device_callback, devsdk_update_device_callback, media_server_remove_device parses protocol incorrectly #465
The JSON data sent from core-metadata to the Device Service callback function enforces the conversion of string values to valid UTF-8, replacing "<", ">", "&", U+2028, and U+2029 with Unicode escape sequences because they can lead to security holes. For now, the workaround is to perform URL encoding on the mentioned characters before using them in device profile or device configuration and decode them in the device driver.
@lenny-intel @jpwhitemn The issue arises from the use of json.Marshal, which performs HTML escaping on string values. See https://pkg.go.dev/encoding/json#Marshal.
However, in the context of EdgeX, when system event data is received from the message bus, it is decoded using json.Unmarshal (for those Go services), which includes restoring those escape sequences. In this case, HTML escaping appears to be unnecessary. According to Golang standard library documentation, we can marshal system events to JSON without escaping certain characters. For example:
Another solution is to enhance the JSON parser in iotech-c-utils (https://github.com/IOTechSystems/iotech-c-utils/blob/master/src/c/data.c#L2657-L2664) to handle the Unicode replacement rune properly. @cloudxxx8 for awareness
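The escaping behaviour discussed in the comment above, as an added example that is not part of the original thread or of EdgeX code: it marshals the same payload with json.Marshal and with an Encoder that has SetEscapeHTML(false), then shows that a conforming parser decodes both to the identical string. The Device struct, the "custom"/"Address" keys and the sample address are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Device is a hypothetical stand-in for the device carried in a system event.
type Device struct {
	Name      string                       `json:"name"`
	Protocols map[string]map[string]string `json:"protocols"`
}

// marshalDefault uses json.Marshal, which HTML-escapes &, < and >
// as \u0026, \u003c and \u003e inside string values.
func marshalDefault(d Device) (string, error) {
	b, err := json.Marshal(d)
	return string(b), err
}

// marshalRaw uses an Encoder with HTML escaping disabled, so the
// three characters are written literally.
func marshalRaw(d Device) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	err := enc.Encode(d) // Encode appends a trailing newline
	return string(bytes.TrimSpace(buf.Bytes())), err
}

// decodeAddress parses a payload the way a consumer would and returns
// the protocol address it ends up with.
func decodeAddress(payload string) (string, error) {
	var d Device
	err := json.Unmarshal([]byte(payload), &d)
	return d.Protocols["custom"]["Address"], err
}

// sample returns constructed input containing the characters from the report.
func sample() Device {
	return Device{Name: "cam1", Protocols: map[string]map[string]string{
		"custom": {"Address": "rtsp://h/s?a=1&b=<2>"}}}
}

func main() {
	for _, f := range []func(Device) (string, error){marshalDefault, marshalRaw} {
		p, _ := f(sample())
		addr, _ := decodeAddress(p)
		fmt.Printf("%s\n  -> %s\n", p, addr)
	}
}
```

Both payloads are equivalent JSON, so a consumer that decodes \uXXXX escapes correctly sees the same address either way.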
It's a kind of breaking change in System Event, so we will not make this change in core-metadata. Please also mention the URL encoding workaround for reference.
Added this as a known bug on https://wiki.edgexfoundry.org/display/FA/Minnesota
Thanks, @FelixTing, moving this issue to icebox.
Created issue in the utils: IOTechSystems/iotech-c-utils#314
This issue has been resolved in iotech-c-utils by @iain-anderson.
@FelixTing, @cloudxxx8, is this issue now resolved for 3.1 Napa release?
@lenny-intel Yes, this issue is now resolved for the Napa release.
Fixed by IOTechSystems/iotech-c-utils#315
Closed due to no response. |
Hello there! 😄
🐞 Bug Report
The issue is located in the devsdk_add_device_callback, devsdk_update_device_callback, devsdk_remove_device functions. These callback functions are triggered normally,
but when using edgex-ui-go to add/update/delete a device from the metadata service,
if the device protocol value contains & < >,
then the protocols param of the devsdk_add_device_callback, devsdk_update_device_callback, devsdk_remove_device functions
gets the incorrect escape character:
\026 for &
\036 for >
\034 for <
It should be
\x26 or \046 for &
\x3e or \076 for >
\x3c or \074 for <
Environment
ubuntu22.04,amd64
EdgeX Version [REQUIRED]: 3.0.0
device-sdk-c version:3.0.0
I subscribe to the MessageBus (the Redis pub/sub).
The & < > characters in the message payload are formatted as \u0026, \u003c, \u003e.
Currently, I roughly replace \026 \036 \034 with \x26 \x3e \x3c to solve the problem.