Add support for parsing query string in QueryParameters #10521
Conversation
| private static Map<String, List<String>> parseQueryString( | ||
| String queryString) { | ||
| List<NameValuePair> params = URLEncodedUtils.parse(queryString, | ||
| StandardCharsets.UTF_8); |
There was a problem hiding this comment.
The only place where apache.http.client is used is in devmode for downloading node - that has been copied from frontend-maven-plugin. And that code should be removed from flow-server to its own place so that would not be leaking to user applications. But this is not your fault.
But if you introduce a further dependency to it, then it will be more difficult for us to make this refactoring.
This code is not the same exactly, but close to what Location does too to query parameters. Would it be possible to reuse-modify the code there instead ?
There was a problem hiding this comment.
I will move the code from Location.parseParams to replace this. Would have helped a lot if it had been in the correct class earlier.
Sadly the implementation is partly broken so it also needs to be fixed at the same time
There was a problem hiding this comment.
Overall I don't understand why we have this generic util methods implemented in the framework in a slightly broken way when there are perfectly fine and tested util libraries out there that you can use.
The current method needed two fixes to be compatible with what HttpServletRequest.getParameters returns:
- It needs to decode values
- A parameter like "?hello" should map to an empty string and not no value at all like the old method did
Hopefully this does not break something else then
There was a problem hiding this comment.
Overall I don't understand why we have this generic util methods implemented in the framework in a slightly broken way when there are perfectly fine and tested util libraries out there that you can use
The problem is the broken code in the code base. We should not try reinvent the wheel, but also not bring in libraries only to depend on a subset of the code there. It is a balancing act.
There was a problem hiding this comment.
If you want to avoid external dependencies, there is always the possibility of rebasing the given class and including it directly in the project. Then it is possible to update it etc for new releases, there are no conflicts and no dependencies either
There was a problem hiding this comment.
Yes I think that is the least bad solution, to copy-paste the code and update it manually, in case the code cannot be / is not released as a standalone module.
There was a problem hiding this comment.
So should we do it here? In that case I would revert to the original version more or less to use the lib and then make a separate PR about including it directly in the project instead of as a dependency
There was a problem hiding this comment.
Because of the internal dependencies, it might not make sense to copy paste... It would lead to extracting the whole httpcore jar into the project
There was a problem hiding this comment.
One question and suggestion (for the code in another comment).
--
The changes in this PR are fine, but when I look at the code flow (which this PR doesn't change, just the implementation), it does smell a bit. It seems like the code in the framework could be (later) improved to
- only parse the query parameters when needed
- cache the query strings for the ongoing request, now parse again and again
- see if the query string parsing code from the http request implementation could be reused, like from
AtmosphereRequestsince it handles both 1+2 from above
I can create an issue for this after this is merged.
| @@ -97,6 +99,66 @@ public static QueryParameters simple(Map<String, String> parameters) { | |||
| entry -> Collections.singletonList(entry.getValue()))); | |||
| } | |||
|
|
|||
| /** | |||
| * Creates parameters from a query string. | |||
| * | |||
There was a problem hiding this comment.
I think the code is fine. But as the string can come from the user, this parsing might be a subject for DoS exploit, but I think the computations done inside the stream-map-collect are so simple that the query string limit of 1024 characters should not make it exploitable. Do you agree ?
I would consider adding some clarification to the method javadocs that this is code here is not checking for the length of the given query string - it is the responsibility of the caller.
There was a problem hiding this comment.
Where would the DoS exploit possibility come from?
There was a problem hiding this comment.
Like discussed separately, from using this code to parse a string that originates from client and it is very very long and because it is for some reason limited to 1024. This comment is enough for now.
| * @return query parameters information | ||
| */ | ||
| public static QueryParameters fromString(String queryString) { | ||
| return new QueryParameters(parseQueryString(queryString)); |
There was a problem hiding this comment.
| return Collections.singletonList(paramAndValue); | ||
| } | ||
| String param = paramAndValue.substring(0, index); | ||
| String value = paramAndValue.substring(index + 1); |
There was a problem hiding this comment.
|
SonarQube analysis reported 2 issues
Watch the comments in this conversation to review them. |
#10521) A minor API behavior change: `Location:getQueryParameters` is unified with how `HttpServletRequest` works: For a query string `?foo&bar` a list containing `""` is returned for both `foo` and `bar` whereas the existing implementation returned empty lists.
#10521) A minor API behavior change: `Location:getQueryParameters` is unified with how `HttpServletRequest` works: For a query string `?foo&bar` a list containing `""` is returned for both `foo` and `bar` whereas the existing implementation returned empty lists.
#10521) A minor API behavior change: `Location:getQueryParameters` is unified with how `HttpServletRequest` works: For a query string `?foo&bar` a list containing `""` is returned for both `foo` and `bar` whereas the existing implementation returned empty lists.
#10521) A minor API behavior change: `Location:getQueryParameters` is unified with how `HttpServletRequest` works: For a query string `?foo&bar` a list containing `""` is returned for both `foo` and `bar` whereas the existing implementation returned empty lists.
#10521) A minor API behavior change: `Location:getQueryParameters` is unified with how `HttpServletRequest` works: For a query string `?foo&bar` a list containing `""` is returned for both `foo` and `bar` whereas the existing implementation returned empty lists.
#10521) A minor API behavior change: `Location:getQueryParameters` is unified with how `HttpServletRequest` works: For a query string `?foo&bar` a list containing `""` is returned for both `foo` and `bar` whereas the existing implementation returned empty lists.
#10521) A minor API behavior change: `Location:getQueryParameters` is unified with how `HttpServletRequest` works: For a query string `?foo&bar` a list containing `""` is returned for both `foo` and `bar` whereas the existing implementation returned empty lists.
|
This ticket/PR has been released with platform 14.7.0.rc1 and is also targeting the upcoming stable 14.7.0 version. |
This is a prerequisite for #10431 split out to a separate PR for easier review