Admin-API: URL Parameters must be unescaped #14034

Closed
weeco opened this issue Oct 9, 2023 · 3 comments · Fixed by #15253
Labels
area/admin-api kind/bug Something isn't working


weeco commented Oct 9, 2023

Version & Environment

Redpanda version: (use rpk version): v23.2.6

What went wrong?

Deleting a Redpanda user that uses special characters that need to be URL escaped is not possible, because the admin API does not unescape these parameters. Creating is possible because the username there is part of the request body.

What should have happened instead?

Redpanda should unescape URL parameters on all admin api paths.

How to reproduce the issue?

  1. Create a user like "hello world"
  2. Issue a DELETE request to /v1/security/users/hello%20world
  3. List users (the user "hello world" should still be there)


Additional information

Please attach any relevant logs, backtraces, or metric charts.

@weeco weeco added kind/bug Something isn't working area/admin-api labels Oct 9, 2023
@michael-redpanda
Contributor

  1. https://github.com/redpanda-data/redpanda/blob/cba5d0794946755beb4a8bce419bc8b84a1318f2/src/v/redpanda/admin_server.cc#L1935C4-L1935C4 needs to be modified to correctly parse the HTTP escape characters to get the "true" value. Seastar has a utility for this
  2. Create user path needs to check the kafka regex to ensure created users comply with this regex
  3. Delete user path should not check this value and permit the special characters so operators can delete credentials that fall outside this regex

@oleiman
Member

oleiman commented Dec 1, 2023

> kafka regex

@michael-redpanda Is this specified somewhere? I've not found anything explicit in kafka (yet). Am I missing something obvious?

@michael-redpanda
Contributor

> > kafka regex
>
> @michael-redpanda Is this specified somewhere? I've not found anything explicit in kafka (yet). Am I missing something obvious?

```cpp
// 1*(value-safe-char / "=2C" / "=3D")
// NOLINTNEXTLINE
#define SASLNAME "(?:" VALUE_SAFE_CHAR "|=2C|=3D)+"
```
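
The three-step fix outlined in the thread (decode the path parameter, enforce the SASLNAME pattern on create, skip it on delete), sketched as an added example that is not Redpanda's code. All function names are hypothetical; `percent_decode` is a stand-in for the Seastar utility mentioned above, and `value-safe-char` is taken from RFC 5802 because `VALUE_SAFE_CHAR` is not shown on the page.

```cpp
#include <optional>
#include <string>
#include <string_view>
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Hypothetical stand-in for the framework's URL decoder. Decodes each %XX
// exactly once; truncated or non-hex escapes yield nullopt (reject with 400).
std::optional<std::string> percent_decode(std::string_view in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out.push_back(in[i]); continue; }
        if (i + 2 >= in.size()) return std::nullopt;
        int hi = hex_val(in[i + 1]), lo = hex_val(in[i + 2]);
        if (hi < 0 || lo < 0) return std::nullopt;
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;
    }
    return out;
}

// 1*(value-safe-char / "=2C" / "=3D"), with value-safe-char as in RFC 5802:
// anything except NUL, ',' and '='. UTF-8 well-formedness is not checked here.
bool is_valid_saslname(std::string_view s) {
    if (s.empty()) return false;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '\0' || s[i] == ',') return false;
        if (s[i] != '=') continue;
        auto esc = s.substr(i + 1, 2);
        if (esc != "2C" && esc != "3D") return false;
        i += 2;
    }
    return true;
}

// Create: the name arrives in the request body, so validate it, do not decode it.
std::optional<std::string> username_for_create(std::string_view body_name) {
    if (!is_valid_saslname(body_name)) return std::nullopt;
    return std::string(body_name);
}

// Delete: decode the path parameter once, no pattern check (legacy names stay deletable).
std::optional<std::string> username_for_delete(std::string_view path_param) {
    return percent_decode(path_param);
}
```

Decoding runs exactly once: a second pass would turn `hello%2520world` into `hello world` and act on a different user than the one named in the request.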
