https://issues.apache.org/jira/browse/CAMEL-23812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
Robin Mattes updated CAMEL-23812:
---------------------------------
Description:
Problem:
The Camel Milo client component previously embedded authentication credentials
directly in the endpoint URI using the format user:password@host.
To prevent Milo from receiving credentials (which it doesn't handle), the
component used string manipulation with `discoveryUri.replaceFirst(user + "@",
"")` to strip credentials from the URL before connection. This caused issues
because the `replaceFirst()` function uses regex patterns that fail with regex
special characters like "$.*", and passwords containing characters like "%"
cause issues with `java.net.URLDecoder.decode()` due to percent-encoding in
URLs.
This approach has limitations: it fails when credentials contain special
characters commonly found in auto-generated passwords, such as:
@ (breaks URI parsing)
?, & (URI query parameter delimiters)
/, # (URI structure delimiters)
$, % (encoding/variable expansion)
For example, a password like pass@$?&/#% would cause the discovery URI
reconstruction to fail or produce incorrect results.
Solution:
Introduce explicit endpoint parameters for username and password that bypass
URI embedding entirely, eliminating the string manipulation and supporting
almost any character in credentials (% is still invalid, except if you use the
URL-encoding %25).
The old way of embedding credentials in the URI still works, but using the
explicit username and password parameters is preferred, as they will be checked
first in the code.
Example: https://...&username=RAW(my?user@name)&password=RAW(p@ss/w&rd)
This is my first contribution, so I'm more than happy to make required changes
to my code if needed.
was:
Problem:
The Camel Milo client component previously embedded authentication credentials
directly in the endpoint URI using the format user:password@host.
To prevent Milo from receiving credentials (which it doesn't handle), the
component used string manipulation with `discoveryUri.replaceFirst(user + "@",
"")` to strip credentials from the URL before connection. This caused issues
because the `replaceFirst()` function uses regex patterns that fail with regex
special characters like "$.*", and passwords containing characters like "%"
cause issues with `java.net.URLDecoder.decode()` due to percent-encoding in
URLs.
This approach has limitations: it fails when credentials contain special
characters commonly found in auto-generated passwords, such as:
@ (breaks URI parsing)
?, & (URI query parameter delimiters)
/, # (URI structure delimiters)
$, % (encoding/variable expansion)
For example, a password like pass@$?&/#% would cause the discovery URI
reconstruction to fail or produce incorrect results.
Solution:
Introduce explicit endpoint parameters for username and password that bypass
URI embedding entirely, eliminating the string manipulation and supporting
almost any character in credentials (% is still invalid, except if you use the
URL-encoding %25).
The old way of embedding credentials in the URI still works, but using the
explicit username and password parameters is preferred, as they will be checked
first in the code.
Example: https://...&username=RAW(my?user@name)&password=RAW(p@ss/w&rd)
This is my first contribution, so I'm more than happy to make required changes
to my code if needed.
My pull request will come soon.
> Add support for explicit username and password parameters in Milo client to
> safely handle credentials with special characters
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: CAMEL-23812
> URL: https://issues.apache.org/jira/browse/CAMEL-23812
> Project: Camel
> Issue Type: Improvement
> Components: camel-milo
> Reporter: Robin Mattes
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
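An added illustration, not code from the issue or from camel-milo, of the two failure modes the report describes: a minimal reconstruction of the regex-based stripping and of percent-decoding a password containing "%", next to the parameter-based approach the issue proposes. The class name, method names and the sample opc.tcp URI are constructed for this example (assumes Java 10+ for the Charset overload of URLDecoder.decode).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class MiloCredentialDemo {

    // Pre-fix approach as described in the issue: the user string is handed to
    // replaceFirst(), which compiles it as a regex. Hypothetical reconstruction,
    // not the camel-milo source.
    static String stripWithRegex(String discoveryUri, String user) {
        return discoveryUri.replaceFirst(user + "@", "");
    }

    // Literal variant: String.replace() treats both arguments as plain text.
    static String stripLiteral(String discoveryUri, String user) {
        return discoveryUri.replace(user + "@", "");
    }

    // Approach proposed by the issue: credentials never enter the URI, so the
    // discovery URI is assembled from scheme, host, port and path only and
    // nothing has to be stripped afterwards.
    static String discoveryUri(String scheme, String host, int port, String path)
            throws URISyntaxException {
        return new URI(scheme, null, host, port, path, null, null).toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a user name made of regex metacharacters, as in the issue.
        String user = "$.*";
        String embedded = "opc.tcp://" + user + "@localhost:4840/milo";

        // The regex "$.*@" can never match ($ anchors at end of input), so the
        // credentials are silently left in the URI that is passed on to Milo.
        System.out.println("regex strip  : " + stripWithRegex(embedded, user));
        // Literal replacement removes exactly the substring "$.*@".
        System.out.println("literal strip: " + stripLiteral(embedded, user));

        // A bare % in a URL-embedded password breaks percent-decoding ...
        try {
            URLDecoder.decode("p%ss", StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            System.out.println("decode p%ss  : " + e.getMessage());
        }
        // ... unless it is written as %25, which decodes back to a single %.
        System.out.println("decode p%25ss: " + URLDecoder.decode("p%25ss", StandardCharsets.UTF_8));

        // With explicit username/password parameters the URI carries no secret.
        System.out.println("no-creds URI : " + discoveryUri("opc.tcp", "localhost", 4840, "/milo"));
    }
}
```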