Safely Pass Percent Symbols in Paths

[metaskills]

Here is an example of running local Rails under Puma with something like /test/dwef782jkif%3d in the path:

Started GET "/test/dwef782jkif%3d" for 172.19.0.1 at 2023-07-07 19:19:30 +0000
Processing by ApplicationController#test as HTML
  Parameters: {"path"=>"dwef782jkif="}
Completed 200 OK in 2ms (ActiveRecord: 0.0ms | Allocations: 113)

Prior to this change, here is what it looked like in Lambda with Lamby:

Started GET "/test/dwef782jkif=" for 98.166.4.233 at 2023-07-07 19:11:39 +0000
Processing by ApplicationController#test as HTML
  Parameters: {"path"=>"dwef782jkif="}
Completed 200 OK in 2ms (ActiveRecord: 0.0ms | Allocations: 114)

We learned the same lessons with query params, always trust Raw. Thankfully, HTTP v2 allows that to happen.

ℹ️ There are some folks that use AWS::ApiGatewayV2::Integration with API Gateway to proxy requests to AWS Services like Lambda, but the mapping request parameter tooling (https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-aws-services.html) does not provide a way to get to the raw value. RIP 🪦

[drinks]

Looks like it should make the url encoding issue disappear. Only concern would be that if folks are using lamby with path overwrites today, this change will break their routing -- the previous version used path directly and this will use rawPath if path and rawPath aren't equal -- which could be because of an encoding issue, or because the user has manipulated the path in their integration.

[metaskills]

using lamby with path overwrites today

This feels real far off the beaten path. Was that pun bad? lol

On a serious note, what does that mean? Most folks use Lamby like we do, simple SAM/HTTPv2 proxy and when issues happen we get reports. I'm not sure how or why folks would write their own integration outside of SAM but assuming that is what you're talking about? If so, I'd be more worried about folks that wrote custom code in their Rails app to work around this vs filing an issue. Does that make sense?

[drinks]

This feels real far off the beaten path

Sure, totally valid.

On a serious note, what does that mean?

Just pointing out that I could deploy a lamby app as a standalone with no http layer in front of it, and use a lambda proxy integration to invoke it from a decoupled gateway. If I were applying path overwrites in such a context, they would have worked in the previous release, but would break in this one.

I think it's probably ok to simply note that in the Changelog, just pointing out the possibility.

[metaskills]

Thanks, I'll call out those in the changelog.