Apply stricter encoding to URI query params

Fixes cloudfoundry#1034.

Author: nictas

cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/util/Operator.java

@@ -313,8 +313,8 @@ class OperatorContextAware {
     protected String transformRoot(Function<UriComponentsBuilder, UriComponentsBuilder> uriTransformer) {
         UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(this.context.getRoot());
         return uriTransformer.apply(uriComponentsBuilder)
-            .build()
             .encode()
+            .build()
             .toUriString();
     }
 

cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/util/UriQueryParameters.java

@@ -23,8 +23,14 @@
 
 public class UriQueryParameters {
 
-    public static void set(UriComponentsBuilder builder, Stream<UriQueryParameter> parameters) {
-        parameters.forEach(parameter -> builder.queryParam(parameter.getKey(), parameter.getValue()));
+    public static void set(UriComponentsBuilder builder, Stream<UriQueryParameter> uriQueryParameters) {
+        // Replace all literal values with URI variables to apply more strict encoding:
+        UriVariablesRegistry uriVariablesRegistry = new UriVariablesRegistry();
+        uriQueryParameters.forEach(uriQueryParameter -> {
+            UriVariable uriVariable = uriVariablesRegistry.register(uriQueryParameter.getValue());
+            builder.queryParam(uriQueryParameter.getKey(), uriVariable.getPlaceholder());
+        });
+        builder.uriVariables(uriVariablesRegistry.getUriVariablesMap());
     }
 
 }

cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/util/UriVariablesRegistry.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2013-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.reactor.util;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+public class UriVariablesRegistry {
+
+    private final List<UriVariable> uriVariables = new ArrayList<>();
+
+    public Map<String, Object> getUriVariablesMap() {
+        return uriVariables.stream().collect(Collectors.toMap(UriVariable::getKey, UriVariable::getValue));
+    }
+
+    public UriVariable register(Object value) {
+        UriVariable uriVariable = UriVariable.of(getNextUriVariableKey(), value);
+        uriVariables.add(uriVariable);
+        return uriVariable;
+    }
+
+    private String getNextUriVariableKey() {
+        return Integer.toString(uriVariables.size());
+    }
+
+}

cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/util/_UriVariable.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2013-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.reactor.util;
+
+import org.immutables.value.Value;
+
+@Value.Immutable
+public interface _UriVariable {
+
+    String PLACEHOLDER_PATTERN = "{%s}";
+
+    @Value.Parameter
+    String getKey();
+
+    @Value.Parameter
+    Object getValue();
+
+    @Value.Derived
+    default String getPlaceholder() {
+        return String.format(PLACEHOLDER_PATTERN, getKey());
+    }
+
+}

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/QueryExtractorTest.java

@@ -39,14 +39,15 @@ public void test() {
         Stream<UriQueryParameter> parameters = new QueryExtractor().extract(new StubQueryParamsSubClass());
         UriQueryParameters.set(builder, parameters);
 
-        MultiValueMap<String, String> queryParams = builder.build().encode().getQueryParams();
+        MultiValueMap<String, String> queryParams = builder.encode().build().getQueryParams();
 
-        assertThat(queryParams).hasSize(7);
+        assertThat(queryParams).hasSize(8);
         assertThat(queryParams.getFirst("test-single")).isEqualTo("test-value-1");
-        assertThat(queryParams.getFirst("test-collection")).isEqualTo("test-value-2,test-value-3");
+        assertThat(queryParams.getFirst("test-collection")).isEqualTo("test-value-2%2Ctest-value-3");
         assertThat(queryParams.getFirst("test-collection-custom-delimiter")).isEqualTo("test-value-4%20test-value-5");
         assertThat(queryParams.getFirst("test-subclass")).isEqualTo("test-value-6");
         assertThat(queryParams.getFirst("test-override")).isEqualTo("test-value-7");
+        assertThat(queryParams.getFirst("test-reserved-characters")).isEqualTo("%3A%2F%3F%23%5B%5D%40%21%24%26%27%28%29%2A%2B%2C%3B%3D");
     }
 
     public static abstract class StubQueryParams {
@@ -81,6 +82,11 @@ public final String getSingle() {
             return "test-value-1";
         }
 
+        @QueryParameter("test-reserved-characters")
+        public final String getReservedCharacters() {
+            return ":/?#[]@!$&'()*+,;=";
+        }
+
         @QueryParameter("test-override")
         abstract String getOverride();
 

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/FilterExtractorTest.java

@@ -43,20 +43,21 @@ public void test() {
         Stream<UriQueryParameter> parameters = new FilterExtractor().extract(new StubFilterParamsSubClass());
         UriQueryParameters.set(builder, parameters);
 
-        MultiValueMap<String, String> queryParams = builder.build().encode().getQueryParams();
+        MultiValueMap<String, String> queryParams = builder.encode().build().getQueryParams();
         List<String> q = queryParams.get("q");
 
         assertThat(q)
-            .hasSize(9)
-            .containsOnly("test-empty-value:",
+            .hasSize(10)
+            .containsOnly("test-empty-value%3A",
                 "test-greater-than%3Etest-value-1",
                 "test-greater-than-or-equal-to%3E%3Dtest-value-2",
-                "test-in%20IN%20test-value-3,test-value-4",
-                "test-is:test-value-5",
+                "test-in%20IN%20test-value-3%2Ctest-value-4",
+                "test-is%3Atest-value-5",
                 "test-less-than%3Ctest-value-6",
                 "test-less-than-or-equal-to%3C%3Dtest-value-7",
-                "test-default%20IN%20test-value-8,test-value-9",
-                "test-override:test-value-10");
+                "test-default%20IN%20test-value-8%2Ctest-value-9",
+                "test-override%3Atest-value-10",
+                "test-reserved-characters%3A%3A%2F%3F%23%5B%5D%40%21%24%26%27%28%29%2A%2B%2C%3B%3D");
     }
 
     public static abstract class StubFilterParams {
@@ -101,6 +102,11 @@ public final String getLessThanOrEqualTo() {
             return "test-value-7";
         }
 
+        @FilterParameter("test-reserved-characters")
+        public final String getReservedCharacters() {
+            return ":/?#[]@!$&'()*+,;=";
+        }
+
         @FilterParameter("test-null")
         public final String getNull() {
             return null;

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/applications/ReactorApplicationsV2Test.java

@@ -477,7 +477,7 @@ public void instances() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/apps?q=name:test-name&page=-1")
+                .method(GET).path("/apps?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)
@@ -649,7 +649,7 @@ public void listRoutes() {
     public void listServiceBindings() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/apps/test-application-id/service_bindings?q=service_instance_guid:test-instance-id&page=-1")
+                .method(GET).path("/apps/test-application-id/service_bindings?q=service_instance_guid%3Atest-instance-id&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/buildpacks/ReactorBuildpacksTest.java

@@ -168,7 +168,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/buildpacks?q=name:test-name&page=-1")
+                .method(GET).path("/buildpacks?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/events/ReactorEventsTest.java

@@ -85,7 +85,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/events?q=actee:test-actee&page=-1")
+                .method(GET).path("/events?q=actee%3Atest-actee&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/organizations/ReactorOrganizationsTest.java

@@ -776,7 +776,7 @@ public void getUserRoles() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/organizations?q=name:test-name&page=-1")
+                .method(GET).path("/organizations?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/privatedomains/ReactorPrivateDomainsTest.java

@@ -180,7 +180,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/private_domains?q=name:test-name.com&page=-1")
+                .method(GET).path("/private_domains?q=name%3Atest-name.com&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/servicebindings/ReactorServiceBindingsV2Test.java

@@ -232,7 +232,7 @@ public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
                 .method(GET)
-                .path("/service_bindings?q=app_guid:dd44fd4f-5e20-4c52-b66d-7af6e201f01e&page=-1")
+                .path("/service_bindings?q=app_guid%3Add44fd4f-5e20-4c52-b66d-7af6e201f01e&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/servicebrokers/ReactorServiceBrokersTest.java

@@ -146,7 +146,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/service_brokers?q=name:test-name&page=-1")
+                .method(GET).path("/service_brokers?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/serviceinstances/ReactorServiceInstancesTest.java

@@ -398,7 +398,7 @@ public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
                 .method(GET)
-                .path("/service_instances?q=name:test-name&page=-1")
+                .path("/service_instances?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)
@@ -498,7 +498,7 @@ public void listServiceBindings() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
                 .method(GET)
-                .path("/service_instances/test-service-instance-id/service_bindings?q=app_guid:test-application-id&page=-1")
+                .path("/service_instances/test-service-instance-id/service_bindings?q=app_guid%3Atest-application-id&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/servicekeys/ReactorServiceKeysTest.java

@@ -143,7 +143,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/service_keys?q=name:test-name&page=-1")
+                .method(GET).path("/service_keys?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/serviceplans/ReactorServicePlansTest.java

@@ -178,7 +178,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/service_plans?q=service_guid:test-service-id&page=-1")
+                .method(GET).path("/service_plans?q=service_guid%3Atest-service-id&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)
@@ -222,7 +222,7 @@ public void list() {
     public void listServiceInstances() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/service_plans/test-service-plan-id/service_instances?q=space_guid:test-space-id&page=-1")
+                .method(GET).path("/service_plans/test-service-plan-id/service_instances?q=space_guid%3Atest-space-id&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/serviceplanvisibilities/ReactorServicePlanVisibilitiesTest.java

@@ -181,7 +181,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/service_plan_visibilities?q=organization_guid:test-organization-id&page=-1")
+                .method(GET).path("/service_plan_visibilities?q=organization_guid%3Atest-organization-id&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/services/ReactorServicesTest.java

@@ -149,7 +149,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/services?q=label:test-label&page=-1")
+                .method(GET).path("/services?q=label%3Atest-label&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/spaces/ReactorSpacesTest.java

@@ -697,7 +697,7 @@ public void getSummary() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/spaces?q=name:test-name&page=-1")
+                .method(GET).path("/spaces?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)
@@ -747,7 +747,7 @@ public void list() {
     public void listApplications() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/spaces/test-space-id/apps?q=name:test-name&page=-1")
+                .method(GET).path("/spaces/test-space-id/apps?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v2/stacks/ReactorStacksTest.java

@@ -172,7 +172,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/stacks?q=name:test-name&page=-1")
+                .method(GET).path("/stacks?q=name%3Atest-name&page=-1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v3/FilterExtractorTest.java

@@ -39,13 +39,14 @@ public void test() {
         Stream<UriQueryParameter> parameters = new FilterExtractor().extract(new StubFilterParamsSubClass());
         UriQueryParameters.set(builder, parameters);
 
-        MultiValueMap<String, String> queryParams = builder.build().encode().getQueryParams();
+        MultiValueMap<String, String> queryParams = builder.encode().build().getQueryParams();
 
-        assertThat(queryParams).hasSize(5);
+        assertThat(queryParams).hasSize(6);
         assertThat(queryParams.getFirst("test-single")).isEqualTo("test-value-1");
-        assertThat(queryParams.getFirst("test-collection")).isEqualTo("test-value-2,test-value-3");
+        assertThat(queryParams.getFirst("test-collection")).isEqualTo("test-value-2%2Ctest-value-3");
         assertThat(queryParams.getFirst("test-subclass")).isEqualTo("test-value-4");
         assertThat(queryParams.getFirst("test-override")).isEqualTo("test-value-7");
+        assertThat(queryParams.getFirst("test-reserved-characters")).isEqualTo("%3A%2F%3F%23%5B%5D%40%21%24%26%27%28%29%2A%2B%2C%3B%3D");
     }
 
     public static abstract class StubFilterParams {
@@ -75,6 +76,11 @@ public final String getSingle() {
             return "test-value-1";
         }
 
+        @FilterParameter("test-reserved-characters")
+        public final String getReservedCharacters() {
+            return ":/?#[]@!$&'()*+,;=";
+        }
+
         @FilterParameter("test-override")
         abstract String getOverride();
 

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v3/servicebindings/ReactorServiceBindingsV3Test.java

@@ -166,7 +166,7 @@ public void get() {
     public void list() {
         mockRequest(InteractionContext.builder()
             .request(TestRequest.builder()
-                .method(GET).path("/service_bindings?app_guids=test-application-id&order_by=+created_at&page=1")
+                .method(GET).path("/service_bindings?app_guids=test-application-id&order_by=%2Bcreated_at&page=1")
                 .build())
             .response(TestResponse.builder()
                 .status(OK)