From 5ded105c09a7caff90d1e73f47d0ff314fd3f5d3 Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Thu, 29 Feb 2024 12:50:56 +0300
Subject: [PATCH] [#107] Check query unescape errors

Signed-off-by: Denis Kirillov
---
 internal/handler/download.go | 12 ++++++++++--
 internal/handler/handler.go | 25 +++++++++++++++++++------
 internal/logs/logs.go | 3 +--
 3 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/internal/handler/download.go b/internal/handler/download.go
index 06a247a..a7aee64 100644
--- a/internal/handler/download.go
+++ b/internal/handler/download.go
@@ -82,8 +82,16 @@ func (h *Handler) addObjectToZip(zw *zip.Writer, obj *object.Object) (io.Writer,
 // DownloadZipped handles zip by prefix requests.
 func (h *Handler) DownloadZipped(c *fasthttp.RequestCtx) {
 	scid, _ := c.UserValue("cid").(string)
-	prefix, _ := url.QueryUnescape(c.UserValue("prefix").(string))
-	log := h.log.With(zap.String("cid", scid), zap.String("prefix", prefix))
+	prefix, _ := c.UserValue("prefix").(string)
+
+	prefix, err := url.QueryUnescape(prefix)
+	if err != nil {
+		h.log.Error(logs.FailedToUnescapeQuery, zap.String("cid", scid), zap.String("prefix", prefix), zap.Uint64("id", c.ID()), zap.Error(err))
+		response.Error(c, "could not unescape prefix: "+err.Error(), fasthttp.StatusBadRequest)
+		return
+	}
+
+	log := h.log.With(zap.String("cid", scid), zap.String("prefix", prefix), zap.Uint64("id", c.ID()))
 	ctx := utils.GetContextFromRequest(c)
diff --git a/internal/handler/handler.go b/internal/handler/handler.go
index 757b5be..f88dff1 100644
--- a/internal/handler/handler.go
+++ b/internal/handler/handler.go
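Review bot: The error branch in DownloadZipped logs an empty prefix instead of the offending one: `prefix, err := url.QueryUnescape(prefix)` assigns the `""` that url.QueryUnescape returns together with a non-nil error, so the `zap.String("prefix", prefix)` field in the `h.log.Error` call carries nothing useful for an operator investigating a rejected request. Keep the raw path parameter under its own name, e.g. `rawPrefix, _ := c.UserValue("prefix").(string)` and `prefix, err := url.QueryUnescape(rawPrefix)`, and log `rawPrefix` in the error branch while the success-path logger keeps the decoded value. The 400 body echoing `err.Error()` is acceptable here since url.EscapeError quotes the offending run rather than reflecting it raw. The rest of DownloadZipped lies outside the hunk.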
@@ -131,12 +131,25 @@ func (h *Handler) byObjectName(req *fasthttp.RequestCtx, f func(context.Context,
 // byAttribute is a wrapper similar to byAddress.
 func (h *Handler) byAttribute(c *fasthttp.RequestCtx, f func(context.Context, request, oid.Address)) {
-	var (
-		scid, _ = c.UserValue("cid").(string)
-		key, _ = url.QueryUnescape(c.UserValue("attr_key").(string))
-		val, _ = url.QueryUnescape(c.UserValue("attr_val").(string))
-		log = h.log.With(zap.String("cid", scid), zap.String("attr_key", key), zap.String("attr_val", val))
-	)
+	scid, _ := c.UserValue("cid").(string)
+	key, _ := c.UserValue("attr_key").(string)
+	val, _ := c.UserValue("attr_val").(string)
+
+	key, err := url.QueryUnescape(key)
+	if err != nil {
+		h.log.Error(logs.FailedToUnescapeQuery, zap.String("cid", scid), zap.String("attr_key", key), zap.Uint64("id", c.ID()), zap.Error(err))
+		response.Error(c, "could not unescape attr_key: "+err.Error(), fasthttp.StatusBadRequest)
+		return
+	}
+
+	val, err = url.QueryUnescape(val)
+	if err != nil {
+		h.log.Error(logs.FailedToUnescapeQuery, zap.String("cid", scid), zap.String("attr_val", val), zap.Uint64("id", c.ID()), zap.Error(err))
+		response.Error(c, "could not unescape attr_val: "+err.Error(), fasthttp.StatusBadRequest)
+		return
+	}
+
+	log := h.log.With(zap.String("cid", scid), zap.String("attr_key", key), zap.String("attr_val", val))
 	ctx := utils.GetContextFromRequest(c)
diff --git a/internal/logs/logs.go b/internal/logs/logs.go
index c75e91f..84954c3 100644
--- a/internal/logs/logs.go
+++ b/internal/logs/logs.go
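Review bot: Both error branches in byAttribute log an empty string for the very field they are meant to record, because `key, err := url.QueryUnescape(key)` and `val, err = url.QueryUnescape(val)` overwrite the raw value with the `""` that url.QueryUnescape returns alongside a non-nil error before `zap.String("attr_key", key)` / `zap.String("attr_val", val)` are evaluated. Decode into fresh names (`rawKey`/`rawVal` for the path parameters, `key`/`val` for the decoded result) and log the raw values in the error branches. The success-path `log := h.log.With(...)` also omits the `zap.Uint64("id", c.ID())` field that both error branches and DownloadZipped's logger in this same commit carry, so the request id is absent from every later log line of this handler; adding it keeps the two handlers consistent. byAttribute's body continues past the hunk.
```go
	rawKey, _ := c.UserValue("attr_key").(string)
	rawVal, _ := c.UserValue("attr_val").(string)

	key, err := url.QueryUnescape(rawKey)
	if err != nil {
		h.log.Error(logs.FailedToUnescapeQuery, zap.String("cid", scid), zap.String("attr_key", rawKey), zap.Uint64("id", c.ID()), zap.Error(err))
		// … unchanged: 400 response and return …
	}

	val, err := url.QueryUnescape(rawVal)
	if err != nil {
		h.log.Error(logs.FailedToUnescapeQuery, zap.String("cid", scid), zap.String("attr_val", rawVal), zap.Uint64("id", c.ID()), zap.Error(err))
		// … unchanged: 400 response and return …
	}

	log := h.log.With(zap.String("cid", scid), zap.String("attr_key", key), zap.String("attr_val", val), zap.Uint64("id", c.ID()))
```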
@@ -4,7 +4,6 @@ const (
 	CouldntParseCreationDate = "couldn't parse creation date" // Info in ../../downloader/*
 	CouldNotDetectContentTypeFromPayload = "could not detect Content-Type from payload" // Error in ../../downloader/download.go
 	CouldNotReceiveObject = "could not receive object" // Error in ../../downloader/download.go
-	WrongContainerID = "wrong container id" // Error in ../../downloader/download.go and uploader/upload.go
 	WrongObjectID = "wrong object id" // Error in ../../downloader/download.go
 	GetLatestObjectVersion = "get latest object version" // Error in ../../downloader/download.go
 	ObjectWasDeleted = "object was deleted" // Error in ../../downloader/download.go
@@ -73,5 +72,5 @@ const (
 	InvalidCacheEntryType = "invalid cache entry type" // Warn in ../cache/buckets.go
 	InvalidLifetimeUsingDefaultValue = "invalid lifetime, using default value (in seconds)" // Error in ../../cmd/http-gw/settings.go
 	InvalidCacheSizeUsingDefaultValue = "invalid cache size, using default value" // Error in ../../cmd/http-gw/settings.go
-
+	FailedToUnescapeQuery = "failed to unescape query"
 )
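Review bot: The new `FailedToUnescapeQuery` entry in the second hunk is the only constant in this block without the trailing `// <Level> in <path>` comment that every neighbour carries, so the convention that lets a reader find call sites from logs.go breaks on this line. Both callers this commit adds live in internal/handler and log at Error level, so the line would read `FailedToUnescapeQuery = "failed to unescape query" // Error in ../handler/download.go and ../handler/handler.go`. Dropping `WrongContainerID` in the first hunk looks fine, assuming no caller outside this diff still references it.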