Merge pull request #507 from rohanpm/uri-decoding

crungehottman · web-flow · commit ebec33dd1f55 · 2023-10-02T09:46:44.000-04:00
Implement missing URI decoding step [RHELDST-20564]
diff --git a/exodus_lambda/functions/origin_request.py b/exodus_lambda/functions/origin_request.py
@@ -3,6 +3,7 @@
 import os
 import time
 import urllib
+import urllib.parse
 from datetime import datetime, timedelta, timezone
 
 import boto3
@@ -354,6 +355,8 @@ def handler(self, event, context):
             extra={"request": request},
         )
 
+        request["uri"] = urllib.parse.unquote(request["uri"])
+
         if request["uri"].startswith("/_/cookie/"):
             return self.handle_cookie_request(event)
 
diff --git a/tests/functions/test_origin_request.py b/tests/functions/test_origin_request.py
@@ -1,6 +1,7 @@
 import json
 import logging
 import urllib
+import urllib.parse
 
 import mock
 import pytest
@@ -63,6 +64,26 @@
             "/content/dist/rhel/server/7/7.9/file.ext",
             "text/plain",
         ),
+        (
+            # encoded URI should be decoded
+            "/content/dist/rhel/rhui/server/7/7Server/some%5Efile",
+            "/content/dist/rhel/server/7/7.9/some^file",
+            "text/plain",
+        ),
+        (
+            # but it is also OK to not encode that character
+            "/content/dist/rhel/rhui/server/7/7Server/some^file",
+            "/content/dist/rhel/server/7/7.9/some^file",
+            "text/plain",
+        ),
+        (
+            # this tricky case is trying to ensure that, even for "special"
+            # paths like /listing, if the client encodes parts of the URI it
+            # still all works normally.
+            "/content/dist/rhel/rhui/server/7/li%73ting",
+            "/content/dist/rhel/rhui/server/7/listing",
+            "text/plain",
+        ),
     ],
     ids=[
         "/origin/rpm/",
@@ -74,6 +95,9 @@
         "no alias keywords",
         "releasever alias",
         "layered rhui, releasever alias",
+        "encoded URI",
+        "reserved char no encoding",
+        "encoded listing",
     ],
 )
 @mock.patch("boto3.client")
@@ -110,7 +134,9 @@ def test_origin_request(
 
     assert "Incoming request value for origin_request" in caplog.text
 
-    if req_uri.endswith("/listing"):
+    req_uri_decoded = urllib.parse.unquote(req_uri)
+
+    if req_uri_decoded.endswith("/listing"):
         assert "Handling listing request" in caplog.text
         assert "Generated listing request response" in caplog.text
         assert request["body"]
@@ -123,7 +149,7 @@ def test_origin_request(
             ),
             "headers": {
                 "exodus-original-uri": [
-                    {"key": "exodus-original-uri", "value": req_uri}
+                    {"key": "exodus-original-uri", "value": req_uri_decoded}
                 ]
             },
         }
