URL decoding fails silently when the URL contains illegal characters

[devpikachu]

Describe the bug

Whilst working with Quinoa + SvelteKit, I've discovered that certain calls would fail with an empty 400 response and nothing being logged in the CLI output (see quarkiverse/quarkus-quinoa#591).

Old text

I managed to track it down to the uriValid method of the VetxHttpRecorder.java file:

quarkus/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/VertxHttpRecorder.java

Line 151 in 7cf3e4e

return false;

Unfortunately, RFC 3986's Section 2.2 defines [ and ] as being reserved characters, thus leaving it up to the decoder implementation to decide how to handle them. In practice, this means that whilst NodeJS doesn't attribute special meaning to them, Java seems to do.

This also means that using Quinoa, and perhaps other extensions, which directly or indirectly rely on these characters being present in the URL is not possible.

This shouldn't pose an issue in production, where such URLs are not used by SvelteKit, but it does impact development-time DX. This can be worked-around by disabling URI validation by setting the vertx.disableURIValidation to true in development environments, though this is less than ideal.

Furthermore, it might be useful to print / throw the exception when a URISyntaxException occurs, rather than failing silently.

This troubleshooting was made more difficult due to the URL validity check failing silently, rather than throwing to output or logging some form of error message.

EDIT 18/12: Updated description to better match the scope of this issue, as the ability to disable URL validation in development is handled as part of #37804

Expected behavior

A URISyntaxException is thrown in log output

[ and ] are accepted as part of the URL, though this might require changing how URI validation is done.

Actual behavior

The call fails silently with a 400 response

How to Reproduce?

1. Attempt to access a route that has [ and/or ] in the URL

Output of uname -a or ver

Linux workstation-lnx 6.6.4-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Dec 3 18:13:11 UTC 2023 x86_64 GNU/Linux

Output of java -version

openjdk version "21.0.1" 2023-10-17 LTS
OpenJDK Runtime Environment Temurin-21.0.1+12 (build 21.0.1+12-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.1+12 (build 21.0.1+12-LTS, mixed mode, sharing)

Quarkus version or git rev

3.6.3

Build tool (ie. output of mvnw --version or gradlew --version)

------------------------------------------------------------ Gradle 8.5 ------------------------------------------------------------

Build time: 2023-11-29 14:08:57 UTC
Revision: 28aca86a7180baa17117e0e5ba01d8ea9feca598
Kotlin: 1.9.20
Groovy: 3.0.17
Ant: Apache Ant(TM) version 1.10.13 compiled on January 4 2023
JVM: 21.0.1 (Eclipse Adoptium 21.0.1+12-LTS)
OS: Linux 6.6.4-200.fc39.x86_64 amd64

Additional information

No response

[quarkus-bot]

/cc @evanchooly (kotlin), @geoand (kotlin)

[cescoffier]

Can you provide a standalone reproducer (without quinoa), so we can have a unit test.

[geoand]

Closing for a lack of a reproducer