Double-URL encoded headers #147

Open
elgohr opened this issue Sep 20, 2022 · 2 comments · May be fixed by #149


elgohr commented Sep 20, 2022

Scenario:
Using github.com/awslabs/aws-lambda-go-api-proxy within github.com/aws/aws-lambda-go/lambda behind a multi_value_headers-enabled ALB

Issue:
URL-Query Parameters can be double-url encoded.
For example a /?from=2022-09-20T04:11:02 would be url-encoded by the browser to /?from=2022-09-20T04%3A11%3A02 (as %3A is the url-encoding of :).
Because of https://github.com/awslabs/aws-lambda-go-api-proxy/blob/master/core/request.go#L164 this value is encoded again before it reaches the handler. Instead of from=2022-09-20T04%3A11%3A02 a double-url encoded value is passed to the handler: from=2022-09-20T04%3A11%253A02 (as %25 is the url-encoding of %).

Suggested solution:
Using url.QueryUnescape before encoding, to see whether the query parameter is already encoded (this would result in err != nil).

elgohr added a commit to elgohr/aws-lambda-go-api-proxy that referenced this issue Oct 8, 2022

elgohr commented Sep 25, 2023

Happy anniversary! 🎉

elgohr added a commit to elgohr/aws-lambda-go-api-proxy that referenced this issue Sep 26, 2023
@choonkeat

> Using url.QueryUnescape before encoding, to see whether the query parameter is already encoded (this would result in err != nil).

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html

> If you enable multi-value headers, the load balancer uses both cookies sent by the client and sends you an event that includes headers using multiValueHeaders. For example:
>
> ```
> "multiValueHeaders": {
>     "cookie": ["name1=value1", "name2=value2"],
>     ...
> },
> ```
>
> If the query parameters are URL-encoded, the load balancer does not decode them. You must decode them in your Lambda function.

So there's no need to try to url.QueryUnescape them
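
The double encoding reported in this issue next to a decode-once rebuild, as an added Go example that is not part of the thread or of the project's code. `rebuildRaw`, `rebuildDecoded` and `handlerSees` are hypothetical names, the event map is a constructed sample, and the code assumes (per the ALB documentation quoted above) that parameters always arrive still percent-encoded.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed sample: ALB-style event parameters, still percent-encoded.
var sample = map[string][]string{"from": {"2022-09-20T04%3A11%3A02"}}

// rebuildRaw (hypothetical) models the reported behaviour: values are escaped as-is.
func rebuildRaw(params map[string][]string) string {
	v := url.Values{}
	for k, vals := range params {
		for _, s := range vals {
			v.Add(k, s)
		}
	}
	return v.Encode()
}

// rebuildDecoded (hypothetical) decodes keys and values exactly once and rejects malformed escapes.
func rebuildDecoded(params map[string][]string) (string, error) {
	v := url.Values{}
	for k, vals := range params {
		dk, err := url.QueryUnescape(k)
		if err != nil {
			return "", fmt.Errorf("key %q: %w", k, err)
		}
		for _, s := range vals {
			ds, err := url.QueryUnescape(s)
			if err != nil {
				return "", fmt.Errorf("value of %q: %w", k, err)
			}
			v.Add(dk, ds)
		}
	}
	return v.Encode(), nil
}

// handlerSees (hypothetical) returns what a handler reads via r.URL.Query().Get(key).
func handlerSees(rawQuery, key string) string {
	vals, _ := url.ParseQuery(rawQuery)
	return vals.Get(key)
}

func main() {
	fixed, err := rebuildDecoded(sample)
	fmt.Println(handlerSees(rebuildRaw(sample), "from"), "|", handlerSees(fixed, "from"), err)
}
```

Probing with `url.QueryUnescape` to guess whether a value is already encoded cannot work in general, because most plain strings also unescape without error.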
