Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nano does not escape partition ID's #283

Closed
swansontec opened this issue Nov 18, 2021 · 0 comments
Closed

Nano does not escape partition ID's #283

swansontec opened this issue Nov 18, 2021 · 0 comments

Comments

@swansontec
Copy link
Contributor

Expected Behavior

When a partition ID includes special characters, such as '/' or '+', Nano should escape those using encodeURIComponent, just as it does already for document ID's, design document names, database names, and so forth.

Current Behavior

Nano just concatenates the partition ID into the URI without escaping, which is dangerous:

couchdb-nano/lib/nano.js

Line 1050 in 2d4bd71

path: '_partition/' + partitionKey + '/_all_docs',

Possible Solution

Incorporate encodeURIComponent into the following methods:

  • partitionInfo
  • partitionedList
  • partitionedFind
  • partitionedSearch
  • partitionedView
  • partitionedListAsStream
  • partitionedFindAsStream
  • partitionedSearchAsStream
  • partitionedViewAsStream

Steps to Reproduce (for bugs)

Any partitioned call involving special characters, such as a base64-encoded string, will randomly fail if the encoding produces special characters:

myDb.partitionedList(base64.encode(...))

Context

We are temporarily working around this by doing the encodeURIcomponent in our app, before passing the partition ID to Nano. This allows our queries to succeed for now, since we convert characters like '+' to '%2b' before passing to Nano.

This implies that fixing this bug would be a breaking change, since presumably other people have run into the same issue and have adopted the same workaround. If the client app calls encodeURIcomponent, and then Nano itself calls encodeURIcomponent again, a character like '+' would become '%2b' in the client code, and then '%252b' in Nano, which is wrong.

So, while Nano should address this eventually, it may be necessary to wait for a v10 breaking release.

Your Environment

  • Version used: 9.0.4
swansontec added a commit to swansontec/couchdb-nano that referenced this issue Nov 18, 2021
@swansontec
Properly escape input in the partitioned methods
ac7b770 
This is a fix for apache#283.

As discussed in that issue, this is probably a breaking change, and may need to wait for the next major version bump.

All the other API's in Nano escape their path components (database names, design documents, views, etc.), but for some reason these partitioned ones do not.
swansontec added a commit to swansontec/couchdb-nano that referenced this issue Nov 18, 2021
@swansontec
Properly escape partition ID's
f049c12 
This fixes issue apache#283.

However, this is a breaking change, for reasons descibed in that bug report.
@swansontec swansontec mentioned this issue Nov 18, 2021
Merged
3 tasks
swansontec added a commit to swansontec/couchdb-nano that referenced this issue Nov 18, 2021
@swansontec
Properly escape partition ID's (fixes apache#283)
3108182 
This is a breaking change, for reasons descibed in that bug report.
@glynnbird glynnbird mentioned this issue Mar 22, 2022
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@swansontec