Kong: Kong Service Resource URI Validation Error?

Created on 16 Jul 2020 · 5Comments · Source: Kong/kong

Summary

Seems Kong throws a schema violation error on URI's with a $ in them? Is this not a valid URL?:

http://my-api.company.com/R4/Bundle/$consultation-submit

Service Resource:

{
  "host": "my-api.company.com",
  "created_at": 1593734424,
  "connect_timeout": 2000,
  "id": "7be474e8-02c3-4787-9450-09a43540649c",
  "protocol": "http",
  "name": "optum.ocm.advisor.stage.optum.ocm.telemedService.dmz.v1",
  "read_timeout": 9000,
  "port": 80,
  "path": "/R4/Bundle",   ---> can't add the /$consultation-submit here
  "updated_at": 1593734424,
  "retries": 0,
  "write_timeout": 9000,
  "tags": null,
  "client_certificate": null,
  "extras": {}
}

Kong throws a schema violation error:

'/R4/Bundle/$consultation-submit' (characters outside of the reserved list of RFC 3986 found))

Steps To Reproduce

Try to create a Kong Service resource with $ in the URI

Additional Details & Logs

Kong version 2.0.5

tasbug

Source

jeremyjpj0916

All 5 comments

Thank you for reporting this. Let’s see what is proper solution.

bungle on 18 Jul 2020

👍1

I think this validation must be a newer thing w Kong too because I am positive we have a few proxies on Kong from prior versions that were made with a dollar sign present in uri’s for some kind of FIHR api format standard. From what I can tell $ is not a character that needs uri encoding or anything special. Thanks!

jeremyjpj0916 on 18 Jul 2020

So, after a quick investigation in RFC 3986 (and its updates and erratas), this is indeed a bug, for $ is valid in the path segment of URIs. These are the relevant grammar rules (the only parts of RFCs I really trust because they're written in unambiguous language :laughing: ):

      reserved    = gen-delims / sub-delims

      gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"

      sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "="

      path          = path-abempty    ; begins with "/" or is empty
                    / path-absolute   ; begins with "/" but not "//"
                    / path-noscheme   ; begins with a non-colon segment
                    / path-rootless   ; begins with a segment
                    / path-empty      ; zero characters

      path-abempty  = *( "/" segment )
      path-absolute = "/" [ segment-nz *( "/" segment ) ]
      path-noscheme = segment-nz-nc *( "/" segment )
      path-rootless = segment-nz *( "/" segment )
      path-empty    = 0<pchar>

      segment       = *pchar
      segment-nz    = 1*pchar
      segment-nz-nc = 1*( unreserved / pct-encoded / sub-delims / "@" )
                    ; non-zero-length segment without any colon ":"

      pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

Indeed "$" is part of reserved as part of sub-delims, but the path rule includes segment and segment-nz, which include pchar, which includes sub-delims explicitly.

Long story short, all characters from the sub-delims list above need to be added as valid to our path validator!

hishamhm on 24 Jul 2020

👍1

@hishamhm good to know that the FIHR api standard that some internal team here is implementing does not go against HTTPS URI's allowed chars 😄 . Would not be the first time I have seen folks do bad things though so I thought to check in here. Thanks for looking into it.

jeremyjpj0916 on 24 Jul 2020

@hishamhm would this be a 2.1.1 kinda fix as well? I don't think easing validation limitations would be breaking so it could come on a minor patch (along with that admin api bug we spotted)?

jeremyjpj0916 on 29 Jul 2020

Was this page helpful?

0 / 5 - 0 ratings