RequestValidator.validate incorrectly decodes query string when removing port

Open alexcchan opened this issue 5 years ago • 4 comments

Issue Summary

When removing the port, RequestValidator.validate incorrectly decodes the path, query, and fragment.

e.g.

https://someurl.com:443/somepath?param1=client%3AAnonymous

is converted to

https://someurl.com/somepath?param1=client:Anonymous

https://github.com/twilio/twilio-java/blob/main/src/main/java/com/twilio/security/RequestValidator.java#L145-L147

A suggestion is to consider using getRawPath, getRawQuery, and getRawFragment instead.

Steps to Reproduce

  1. The snippet below demonstrates the issue. The validate output should be the same for both URLs.

Code Snippet

import java.net.URI;
import java.util.HashMap;
import com.twilio.security.RequestValidator;

// Wrapper class added so the snippet compiles; the class name is arbitrary.
public class Repro {
    public static void main(String[] args) {
        // The same URL without and with the explicit default HTTPS port
        String url1 = "https://someurl.com/somepath?param1=client%3AAnonymous";
        String url2 = "https://someurl.com:443/somepath?param1=client%3AAnonymous";
        String signature = "PM+bjB+ITJ9a3LIYStKWOTMZMlU=";
        RequestValidator r = new RequestValidator("1234567890");
        // Both calls should print the same result
        System.out.println("valid without port?: " + r.validate(url1, new HashMap<>(), signature));
        System.out.println("valid with port?: " + r.validate(url2, new HashMap<>(), signature));
    }
}

Exception/Log

valid without port?: true
valid with port?: false

Technical details:

  • twilio-java version: 7.55.3 (latest as of submission)
  • java version: 1.8.0_161

alexcchan • Oct 22 '20 17:10
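An added example, not part of the issue and not twilio-java's own code: it uses only `java.net.URI` to contrast rebuilding a port-less URL from decoded components with rebuilding it from raw components, and uses HMAC-SHA1 as a stand-in signature to show why the one-character difference fails validation. The class and method names (`PortStripDemo`, `stripPortDecoded`, `stripPortRaw`, `hmacSha1`) are hypothetical, and the URL is assumed to be absolute with a server-based authority.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PortStripDemo {
    // Rebuild from DECODED components: %3A becomes ':' and, because ':' is a
    // legal query character, the multi-argument constructor does not re-encode it.
    static String stripPortDecoded(String url) throws URISyntaxException {
        URI u = new URI(url);
        return new URI(u.getScheme(), u.getUserInfo(), u.getHost(), -1,
                u.getPath(), u.getQuery(), u.getFragment()).toString();
    }

    // Rebuild by concatenating RAW components so escapes survive byte-for-byte.
    // Raw values cannot go through the constructor above: it always quotes '%',
    // which would turn %3A into %253A.
    static String stripPortRaw(String url) throws URISyntaxException {
        URI u = new URI(url);
        StringBuilder sb = new StringBuilder(u.getScheme()).append("://");
        if (u.getRawUserInfo() != null) sb.append(u.getRawUserInfo()).append('@');
        sb.append(u.getHost());
        if (u.getRawPath() != null) sb.append(u.getRawPath());
        if (u.getRawQuery() != null) sb.append('?').append(u.getRawQuery());
        if (u.getRawFragment() != null) sb.append('#').append(u.getRawFragment());
        return sb.toString();
    }

    // Stand-in signature: Base64(HMAC-SHA1(key, data)).
    static String hmacSha1(String key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        String key = "1234567890"; // token value taken from the issue's snippet
        String noPort = "https://someurl.com/somepath?param1=client%3AAnonymous";
        String withPort = "https://someurl.com:443/somepath?param1=client%3AAnonymous";
        String expected = hmacSha1(key, noPort);
        for (String rebuilt : new String[] { stripPortDecoded(withPort), stripPortRaw(withPort) }) {
            System.out.println(rebuilt + "  same string: " + rebuilt.equals(noPort)
                    + "  same MAC: " + hmacSha1(key, rebuilt).equals(expected));
        }
    }
}
```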

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog.

eshanholtz • Oct 24 '20 00:10