AlinsRan opened a new pull request, #13586:
URL: https://github.com/apache/apisix/pull/13586

   ### Description
   
   With `body_base64 = true` and `body` set to a **secret reference** 
(`$env://...`, `$secret://...`), the config-time base64 validation is 
**skipped** because the value is unknown until runtime. If the resolved secret 
is not valid base64, `ngx.decode_base64` returned `nil` and the response body 
was **silently set to empty** — no log, hard to diagnose.
   
   In `body_filter`, when base64 decoding fails, this now logs an error and 
**leaves the upstream response body unchanged** instead of emptying it, 
mirroring the existing failure handling in the `filters` path of the same 
plugin. The body is only overwritten on a successful decode.
   
   ### Tests
   
   `t/secret/central-secret-refs.t` TEST 13/14: a route configured with `body = 
$env://TEST_NOT_BASE64` (resolves to a non-base64 value) and `body_base64 = 
true`; the request returns the unchanged upstream body and an error is logged.
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [x] I have updated the documentation to reflect this change (N/A — bugfix, 
no config/behavior doc change)
   - [x] I have verified that this change is backward compatible


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to