Red Hat 3scale API Management / THREESCALE-12018

APIcast double-encodes special characters in app_id and app_key parameters


    • Bug
    • Resolution: Unresolved
    • Major
    • Gateway

      Description

      APIcast is double-encoding special characters when forwarding authentication requests to the backend (apisonator). This causes authentication failures when applications use URL-encoded special characters in their app_id or app_key.

      Environment

      • Component: APIcast
      • Namespace: 3scale-psql
      • Pod: apicast-staging-7d85854d78-5d7xw

      Steps to Reproduce

      1. Create an application with special characters in the app_id (e.g., 576asdeds95-{}119)
      2. Make an authentication request using curl with URL-encoded special characters:

      curl "https://[apicast-url]/?app_id=576asdeds95-%7B%7D119&app_key=xxx"
      

      3. Observe authentication failure (403 Forbidden)

      Actual Behavior

      When APIcast receives a request with URL-encoded special characters (e.g., %7B%7D for {}), it encodes them again before forwarding to the backend, resulting in double-encoding: %257B%257D (% is encoded to %25).

      Backend listener logs show:

      GET /transactions/authrep.xml?...&app_id=576asdeds95-%257B%257D119&app_key=xxx " 404
      

      The backend returns 404 because it's looking for an application with app_id 576asdeds95-%257B%257D119 instead of 576asdeds95-{}119.

      Expected Behavior

      APIcast should preserve the encoding of URL parameters and not double-encode them. If the client sends app_id=576asdeds95-%7B%7D119, APIcast should forward it to the backend as app_id=576asdeds95-%7B%7D119 (or decode and re-encode it correctly).

      Workaround

      Send the special characters unencoded in the request:

      curl --globoff "https://[apicast-url]/?app_id=576asdeds95-{}119&app_key=xxx"
      

      Note: The --globoff flag is required with curl to prevent it from interpreting {} as URL globbing patterns.

      Impact

      This affects applications that:

      • Use special characters in app_id or app_key (as supported by PR #3711)
      • Use clients that automatically URL-encode parameters
      • Cannot use the --globoff workaround (non-curl clients)

      Related Issues

      • THREESCALE-9033 - Some special characters in Application Keys are not supported (this enabled {} and other special characters)
      • PR #3711 - Add support for slash for application IDs and keys
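
As an added illustration (not part of the original report and not APIcast code), the Python sketch below reproduces the two encodings from the report, shows the decode-once/encode-once normalization mentioned under Expected Behavior, and flags double-encoded app_id or app_key values in backend listener log lines. The function names, the service_id parameter and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import quote, unquote, urlsplit

CRED_PARAMS = ("app_id", "app_key")  # credential parameters named in the report
# "%25" followed by two hex digits is a percent sign that was itself encoded.
# Heuristic: a credential that really contains a literal "%7B" matches too.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")

def forward_naive(raw_value):
    """Behaviour described in the report: encode an already-encoded value."""
    return quote(raw_value, safe="")

def forward_normalized(raw_value):
    """Decode the raw query value exactly once, then encode exactly once."""
    return quote(unquote(raw_value), safe="")

def find_double_encoded(log_line):
    """Return {param: raw_value} for credential params that look double-encoded."""
    match = re.search(r"GET (\S+)", log_line)
    if not match:
        return {}
    hits = {}
    for pair in urlsplit(match.group(1)).query.split("&"):
        name, _, value = pair.partition("=")
        if name in CRED_PARAMS and DOUBLE_ENCODED.search(value):
            hits[name] = value
    return hits

# Constructed sample lines modelled on the backend listener log in the report.
SAMPLE_LOG = [
    'GET /transactions/authrep.xml?service_id=1'
    '&app_id=576asdeds95-%257B%257D119&app_key=xxx HTTP/1.1" 404',
    'GET /transactions/authrep.xml?service_id=1'
    '&app_id=576asdeds95-%7B%7D119&app_key=xxx HTTP/1.1" 200',
]

if __name__ == "__main__":
    client_value = "576asdeds95-%7B%7D119"  # as sent by the curl call in the report
    print("naive:     ", forward_naive(client_value))
    print("normalized:", forward_normalized(client_value))
    for line in SAMPLE_LOG:
        print(find_double_encoded(line) or "ok", "<-", line)
```

With normalization, the encoded form and the unencoded workaround form of the same app_id reach the backend as the same string.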

              Unassigned
              rh-ee-jlledo Joan Lledo
              Dominik Hlavac Duran