OCM-18900 | fix: Improve error message for proxy passwords with special characters

Author: olucasfreitas

pkg/interactive/validation.go

@@ -89,6 +89,9 @@ func IsURLHttps(val interface{}) error {
 	if err != nil {
 		return err
 	}
+	if parsedUri == nil {
+		return nil
+	}
 	if parsedUri.Scheme != helper.ProtocolHttps {
 		return fmt.Errorf("Expect URL '%s' to use an 'https://' scheme", val.(string))
 	}
@@ -106,8 +109,40 @@ func _isUrl(val interface{}) (*url.URL, error) {
 	if s == "" {
 		return nil, nil
 	}
-	parsedUri, err := url.ParseRequestURI(fmt.Sprintf("%v", val))
-	return parsedUri, err
+
+	// Check for multiple @ symbols which indicates unencoded @ in password
+	if strings.Count(s, "@") > 1 {
+		return nil, fmt.Errorf("Invalid URL '%s': password contains special characters that need URL encoding", s)
+	}
+
+	// Check if the URL contains user credentials with special characters before parsing
+	if strings.Contains(s, "@") && strings.Contains(s, "://") {
+		idx := strings.Index(s, "://")
+		rest := s[idx+3:]
+		atIdx := strings.LastIndex(rest, "@")
+		if atIdx != -1 {
+			userinfo := rest[:atIdx]
+			if colonIdx := strings.Index(userinfo, ":"); colonIdx != -1 {
+				password := userinfo[colonIdx+1:]
+				// Check if password contains special characters that need encoding
+				specialChars := "/:#?[]!$&'()*+,;="
+				for _, char := range specialChars {
+					if strings.ContainsRune(password, char) {
+						return nil, fmt.Errorf("Invalid URL '%s': password contains special characters that need URL encoding", s)
+					}
+				}
+			}
+		}
+	}
+
+	parsedUri, err := url.Parse(fmt.Sprintf("%v", val))
+	if err != nil {
+		return nil, err
+	}
+	if parsedUri.Scheme == "" || parsedUri.Host == "" {
+		return nil, fmt.Errorf("URL must have a scheme and host")
+	}
+	return parsedUri, nil
 }
 
 // IsCert validates whether the given filepath is a valid cert file

pkg/interactive/validation_test.go

@@ -108,6 +108,131 @@ var _ = Describe("Validation", func() {
 		})
 	})
 
+	Context("IsURL", func() {
+		It("accepts empty string", func() {
+			err := IsURL("")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts nil", func() {
+			err := IsURL(nil)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid http URL", func() {
+			err := IsURL("http://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid https URL", func() {
+			err := IsURL("https://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts URL with authentication", func() {
+			err := IsURL("http://user:[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with unencoded special characters in password", func() {
+			err := IsURL("http://proxyuser:QvoZjyy/[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("accepts URL with percent-encoded special characters in password", func() {
+			err := IsURL("http://proxyuser:QvoZjyy%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with unencoded @ in password", func() {
+			err := IsURL("http://user:pass@[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("accepts URL with percent-encoded @ in password", func() {
+			err := IsURL("http://user:pass%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with extra colon in password", func() {
+			err := IsURL("http://user:pass:[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("accepts URL with percent-encoded colon in password", func() {
+			err := IsURL("http://user:pass%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL without scheme", func() {
+			err := IsURL("example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("URL must have a scheme and host"))
+		})
+
+		It("rejects URL without host", func() {
+			err := IsURL("http://")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("URL must have a scheme and host"))
+		})
+
+		It("rejects non-string input", func() {
+			err := IsURL(123)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("can only validate strings"))
+		})
+	})
+
+	Context("IsURLHttps", func() {
+		It("accepts empty string", func() {
+			err := IsURLHttps("")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts nil", func() {
+			err := IsURLHttps(nil)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid https URL", func() {
+			err := IsURLHttps("https://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts https URL with authentication", func() {
+			err := IsURLHttps("https://user:[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects https URL with unencoded special characters in password", func() {
+			err := IsURLHttps("https://proxyuser:QvoZjyy/[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("accepts https URL with percent-encoded special characters in password", func() {
+			err := IsURLHttps("https://proxyuser:QvoZjyy%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects http URL", func() {
+			err := IsURLHttps("http://example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("Expect URL 'http://example.com' to use an 'https://' scheme"))
+		})
+
+		It("rejects URL without scheme", func() {
+			err := IsURLHttps("example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("URL must have a scheme and host"))
+		})
+
+		It("rejects non-string input", func() {
+			err := IsURLHttps(123)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("can only validate strings"))
+		})
+	})
+
 })
 
 var _ = Describe("SubnetsValidator", func() {

pkg/ocm/helpers.go

@@ -139,13 +139,89 @@ func ValidateHTTPProxy(val interface{}) error {
 		if httpProxy == "" {
 			return nil
 		}
-		url, err := url.ParseRequestURI(httpProxy)
+
+		// Check for spaces
+		if strings.Contains(httpProxy, " ") {
+			return fmt.Errorf("Invalid http-proxy value '%s': URL cannot contain spaces", httpProxy)
+		}
+
+		// Check for multiple @ symbols which indicates unencoded @ in password
+		if strings.Count(httpProxy, "@") > 1 {
+			return fmt.Errorf("Invalid http-proxy value '%s': password contains special characters that need URL encoding", httpProxy)
+		}
+
+		// Check if the URL contains user credentials with special characters before parsing
+		if strings.Contains(httpProxy, "@") && strings.Contains(httpProxy, "://") {
+			idx := strings.Index(httpProxy, "://")
+			rest := httpProxy[idx+3:]
+			atIdx := strings.LastIndex(rest, "@")
+			if atIdx != -1 {
+				userinfo := rest[:atIdx]
+				if colonIdx := strings.Index(userinfo, ":"); colonIdx != -1 {
+					password := userinfo[colonIdx+1:]
+					// Check if password contains special characters that need encoding
+					specialChars := "/:#?[]!$&'()*+,;="
+					for _, char := range specialChars {
+						if strings.ContainsRune(password, char) {
+							return fmt.Errorf("Invalid http-proxy value '%s': password contains special characters that need URL encoding", httpProxy)
+						}
+					}
+				}
+			}
+		}
+
+		parsedURL, err := url.Parse(httpProxy)
 		if err != nil {
-			return fmt.Errorf("Invalid http-proxy value '%s'", httpProxy)
+			// Check for invalid port in error message
+			if strings.Contains(err.Error(), "invalid port") {
+				return fmt.Errorf("Invalid http-proxy value '%s': invalid port number", httpProxy)
+			}
+			return fmt.Errorf("Invalid http-proxy value '%s': %v", httpProxy, err)
 		}
-		if url.Scheme != "http" {
+
+		if parsedURL.Scheme == "" {
+			return fmt.Errorf("Invalid http-proxy value '%s': URL scheme is missing (e.g., http://)", httpProxy)
+		}
+		if parsedURL.Scheme != "http" {
 			return errors.Errorf("%s", "Expected http-proxy to have an http:// scheme")
 		}
+
+		if parsedURL.Host == "" {
+			return fmt.Errorf("Invalid http-proxy value '%s': host is missing", httpProxy)
+		}
+
+		// Proxy URLs shouldn't have a path
+		if parsedURL.Path != "" && parsedURL.Path != "/" {
+			return fmt.Errorf("Invalid http-proxy value '%s': proxy URL should not contain a path", httpProxy)
+		}
+
+		// Validate hostname/IP and port
+		host, port, err := net.SplitHostPort(parsedURL.Host)
+		if err != nil {
+			// No port specified, just validate the host
+			host = parsedURL.Host
+		} else {
+			// Validate port
+			portNum, err := strconv.Atoi(port)
+			if err != nil {
+				return fmt.Errorf("Invalid http-proxy value '%s': invalid port number", httpProxy)
+			}
+			if portNum < 1 || portNum > 65535 {
+				return fmt.Errorf("Invalid http-proxy value '%s': port must be between 1 and 65535", httpProxy)
+			}
+		}
+
+		// Validate host is a valid hostname or IP address
+		if host != "" {
+			// Check if it's an IP address
+			if ip := net.ParseIP(host); ip == nil {
+				// Not an IP, check if it's a valid hostname
+				if strings.Contains(host, "/") {
+					return fmt.Errorf("Invalid http-proxy value '%s': invalid host", httpProxy)
+				}
+			}
+		}
+
 		return nil
 	}
 	return fmt.Errorf("can only validate strings, got '%v'", val)

pkg/ocm/helpers_test.go

@@ -695,3 +695,102 @@ var _ = Describe("GetAutoNodeRoleArn", func() {
 		Expect(exists).To(BeTrue())
 	})
 })
+
+var _ = Describe("ValidateHTTPProxy", func() {
+	It("accepts empty string", func() {
+		err := ValidateHTTPProxy("")
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("accepts valid http proxy without authentication", func() {
+		err := ValidateHTTPProxy("http://proxy.example.com:8080")
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("accepts valid http proxy with basic authentication", func() {
+		err := ValidateHTTPProxy("http://user:[email protected]:8080")
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("rejects http proxy with unencoded forward slash in password and provides helpful error", func() {
+		// This is the exact example from the bug report OCM-18900
+		err := ValidateHTTPProxy("http://proxyuser:QvoZjyy/[email protected]:8080")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("password contains special characters that need URL encoding"))
+	})
+
+	It("accepts http proxy with percent-encoded forward slash in password", func() {
+		err := ValidateHTTPProxy("http://proxyuser:QvoZjyy%[email protected]:8080")
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("rejects http proxy with unencoded @ in password and provides helpful error", func() {
+		err := ValidateHTTPProxy("http://user:pass@[email protected]:8080")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("Invalid http-proxy value"))
+	})
+
+	It("accepts http proxy with percent-encoded @ in password", func() {
+		err := ValidateHTTPProxy("http://user:pass%[email protected]:8080")
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("rejects http proxy with unencoded special characters in password", func() {
+		err := ValidateHTTPProxy("http://user:pass#[email protected]:8080")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("password contains special characters that need URL encoding"))
+	})
+
+	It("accepts http proxy with percent-encoded colon in password", func() {
+		err := ValidateHTTPProxy("http://user:pass%[email protected]:8080")
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("rejects proxy with https scheme", func() {
+		err := ValidateHTTPProxy("https://proxy.example.com:8080")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(Equal("Expected http-proxy to have an http:// scheme"))
+	})
+
+	It("rejects proxy without scheme", func() {
+		err := ValidateHTTPProxy("proxy.example.com:8080")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("Expected http-proxy to have an http:// scheme"))
+	})
+
+	It("rejects proxy without host", func() {
+		err := ValidateHTTPProxy("http://")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("host is missing"))
+	})
+
+	It("rejects non-string input", func() {
+		err := ValidateHTTPProxy(123)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("can only validate strings"))
+	})
+
+	It("rejects proxy URL with spaces", func() {
+		err := ValidateHTTPProxy("http://proxy.example.com :8080")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("URL cannot contain spaces"))
+	})
+
+	It("rejects proxy with invalid port", func() {
+		err := ValidateHTTPProxy("http://proxy.example.com:99999")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("port must be between 1 and 65535"))
+	})
+
+	It("rejects proxy with invalid IP and port", func() {
+		err := ValidateHTTPProxy("http://10/.0.0.161:9999999")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("proxy URL should not contain a path"))
+	})
+
+	It("rejects proxy URL with path", func() {
+		err := ValidateHTTPProxy("http://proxy.example.com:8080/path")
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("proxy URL should not contain a path"))
+	})
+})