cloudinary_gem
Transformation params not properly URL escaped
Bug report for Cloudinary Ruby SDK
Before proceeding, please update to latest version and test if the issue persists - DONE
Describe the bug in a sentence or two.
If the parameters passed to the transformation contain a double quote, they are not properly escaped when formulating the Cloudinary URL, causing an invalid URL to be generated.
Issue Type (Can be multiple)
- [ ] Build - Cannot install or import the SDK
- [ ] Performance - Performance issues
- [x] Behaviour - Functions are not working as expected (such as generate URL)
- [ ] Documentation - Inconsistency between the docs and behaviour
- [ ] Other (Specify)
Steps to reproduce
Run

```ruby
Cloudinary::Utils.cloudinary_url(VIDEO_ID_HERE, { resource_type: "video", transformation: [{ color: '"abc', overlay: { font_family: "Times", font_size: 12, font_weight: "bold", text: "..." } }] })
```

Note the `'"abc'` for the color.
Error screenshots or Stack Trace (if applicable)
Operating System
- [ ] Linux
- [ ] Windows
- [x] macOS
- [ ] All
Environment and Libraries (fill in the version numbers)
- Cloudinary Ruby SDK version - cloudinary (1.29.0)
- Ruby Version - ruby 3.3.0
- Rails Version - Rails 7.1.3.2
Hi @stirkac,
Thank you for reaching out.
The example you have provided won't work and you will get:
X-Cld-Error: Invalid color name "abc
Whether we encode it or not - it will not work.
Could you share your use case? If it's possible, can you provide some other parameter that works if you encode it and we are not encoding?
Best Regards, Wissam
Sorry, I made an assumption, but the actual value can be seen from the screenshot that is added: "#e6e6e640
It was an accidental discovery, by pasting the value with the quotation mark. It's hard for me to share the exact code because the transformation hash is dynamically constructed, but if it helps, here's the replicated use case with everything in plain sight:

```json
{"resource_type":"video","sign_url":true,"secure":true,"delivery_type":"authenticated","transformation":[{"color":"\"#e6e6e640","overlay":{"font_family":"Times","font_size":20,"font_weight":"bold","text":"Order #1419 for seb as - [email protected] on Thu, Mar 28, 24"}},{"effect":"anti_removal:90","flags":"layer_apply","gravity":"center"}]}
```
and the resulting url:
https://res.cloudinary.com/dymk9xwef/video/upload/s--DIhny0fj--/co_\"#e6e6e640,l_text:Times_20_bold:Order%20%231419%20for%20seb%20as%20-%20sebastjan%40shopcircle.co%20on%20Thu%252C%20Mar%2028%252C%2024/e_anti_removal:90,fl_layer_apply,g_center/dance-2.mp4
Hi @stirkac,
We do encode color, if a valid color is passed, for example, `#e6e6e640`, so in the resulting URL it will be encoded to: `co_rgb:e6e6e640`. We do not sanitize input (strip spaces, quotes, etc).
I hope this is helpful.
Regards,
Wissam
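Since the SDK passes the color value through without sanitizing it, the practical defence is to validate the value on the application side before it reaches `Cloudinary::Utils.cloudinary_url`. The Ruby below is an added example, not code from the cloudinary gem or from anyone in this thread; the names `safe_color`, `safe_text_overlay`, `InvalidColorError` and the `NAMED_COLORS` allowlist are assumptions.

```ruby
# Added example, not code from the cloudinary gem. The thread above shows the
# SDK does not sanitize transformation input, so a stray '"' in `color` is
# emitted into the URL as-is. This hypothetical app-side validator rejects
# malformed colors before the hash ever reaches Cloudinary::Utils.cloudinary_url.

class InvalidColorError < ArgumentError; end

# #rgb, #rrggbb or #rrggbbaa, with or without the leading '#'.
HEX_COLOR = /\A#?\h{3}(?:\h{3}(?:\h{2})?)?\z/
# Constructed allowlist of named colors; extend it for your own application.
NAMED_COLORS = %w[black white red green blue yellow].freeze

# Returns a color value that is safe to place in a transformation hash.
# Hex input is normalised to the rgb: form the thread shows in generated
# URLs (co_rgb:e6e6e640); anything else must be an allowlisted name.
def safe_color(value)
  s = value.to_s.strip
  return "rgb:#{s.delete_prefix('#').downcase}" if HEX_COLOR.match?(s)
  return s.downcase if NAMED_COLORS.include?(s.downcase)

  raise InvalidColorError, "rejected color value: #{s.inspect}"
end

# Builds the text-overlay transformation from the thread with a validated
# color. Only `color` is normalised here; the SDK percent-encodes `text`.
def safe_text_overlay(color:, text:, font_family: "Times", font_size: 20)
  {
    color: safe_color(color),
    overlay: { font_family: font_family, font_size: font_size,
               font_weight: "bold", text: text }
  }
end

if __FILE__ == $PROGRAM_NAME
  p safe_text_overlay(color: "#e6e6e640", text: "Order #1419")
  begin
    safe_text_overlay(color: '"#e6e6e640', text: "Order #1419")
  rescue InvalidColorError => e
    puts e.message # the quoted value from the bug report is refused
  end
end
```

The returned hash can be passed directly as one element of the `transformation:` array in the call shown in the report.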