Replace url-unsafe characters in base64 query data

2024-12-15 03:36:33 +03:00 · 2016-02-18 21:17:31 -06:00 · 2016-02-18 21:17:31 -06:00 · 540613645f
commit 540613645f
parent 586605557e
5 changed files with 45 additions and 8 deletions
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@ -281,7 +281,7 @@ func GetTableConstraints(c *gin.Context) {
 }

 func HandleQuery(query string, c *gin.Context) {
-	rawQuery, err := base64.StdEncoding.DecodeString(query)
+	rawQuery, err := base64.StdEncoding.DecodeString(desanitize64(query))
 	if err == nil {
 		query = string(rawQuery)
 	}
--- a/pkg/api/helpers.go
+++ b/pkg/api/helpers.go
@ -5,6 +5,7 @@ import (
 	"mime"
 	"path/filepath"
 	"strconv"
+	"strings"

 	"github.com/gin-gonic/gin"

@ -29,10 +30,31 @@ var allowedPaths = map[string]bool{
 	"/api/history":   true,
 }

+// List of characters replaced by javascript code to make queries url-safe.
+var base64subs = map[string]string{
+	"-": "+",
+	"_": "/",
+	".": "=",
+}
+
 type Error struct {
 	Message string `json:"error"`
 }

+func NewError(err error) Error {
+	return Error{err.Error()}
+}
+
+func desanitize64(query string) string {
+	// Before feeding the string into decoded, we must "reconstruct" the base64 data.
+	// Javascript replaces a few characters to be url-safe.
+	for olds, news := range base64subs {
+		query = strings.Replace(query, olds, news, -1)
+	}
+
+	return query
+}
+
 func getSessionId(c *gin.Context) string {
 	id := c.Request.Header.Get("x-session-id")
 	if id == "" {
@ -100,7 +122,3 @@ func assetContentType(name string) string {

 	return result
 }
-
-func NewError(err error) Error {
-	return Error{err.Error()}
-}
--- a/pkg/api/helpers_test.go
+++ b/pkg/api/helpers_test.go
@ -0,0 +1,19 @@
+package api
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func Test_desanitize64(t *testing.T) {
+	examples := map[string]string{
+		"test":        "test",
+		"test+test+":  "test-test-",
+		"test/test/":  "test_test_",
+		"test=test==": "test.test..",
+	}
+
+	for expected, example := range examples {
+		assert.Equal(t, expected, desanitize64(example))
+	}
+}
--- a/pkg/data/bindata.go
+++ b/pkg/data/bindata.go
--- a/static/js/app.js
+++ b/static/js/app.js
@ -96,7 +96,7 @@ function explainQuery(query, cb)            { apiCall("post", "/explain", { quer
 function disconnect(cb)                     { apiCall("post", "/disconnect", {}, cb); }

 function encodeQuery(query) {
-  return window.btoa(query);
+  return window.btoa(query).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ".");
 }

 function buildSchemaSection(name, objects) {