OCM-18900 | fix: Improve error message for proxy passwords with special characters

Author: olucasfreitas

cmd/create/cluster/cmd.go

@@ -3053,15 +3053,15 @@ func run(cmd *cobra.Command, _ []string) {
 			Help:     cmd.Flags().Lookup("https-proxy").Usage,
 			Default:  httpsProxy,
 			Validators: []interactive.Validator{
-				interactive.IsURL,
+				ocm.ValidateHTTPSProxy,
 			},
 		})
 		if err != nil {
 			r.Reporter.Errorf("Expected a valid https proxy: %s", err)
 			os.Exit(1)
 		}
 	}
-	err = interactive.IsURL(httpsProxy)
+	err = ocm.ValidateHTTPSProxy(httpsProxy)
 	if err != nil {
 		r.Reporter.Errorf("%s", err)
 		os.Exit(1)

cmd/edit/cluster/cmd.go

@@ -513,7 +513,7 @@ func run(cmd *cobra.Command, _ []string) {
 		}
 	}
 	if httpsProxy != nil && *httpsProxy != input.DoubleQuotesToRemove {
-		err = interactive.IsURL(*httpsProxy)
+		err = ocm.ValidateHTTPSProxy(*httpsProxy)
 		if err != nil {
 			r.Reporter.Errorf("%s", err)
 			os.Exit(1)

pkg/helper/helpers.go

@@ -268,3 +268,67 @@ func FilterEmptyStrings(strings []string) []string {
 	}
 	return filteredResult
 }
+
+type URLCredentialValidation struct {
+	Field       string
+	InvalidChar rune
+	HasInvalid  bool
+}
+
+func ValidateURLCredentials(urlString string) *URLCredentialValidation {
+	if !strings.Contains(urlString, "@") || !strings.Contains(urlString, "://") {
+		return &URLCredentialValidation{HasInvalid: false}
+	}
+
+	schemeIdx := strings.Index(urlString, "://")
+	if schemeIdx == -1 {
+		return &URLCredentialValidation{HasInvalid: false}
+	}
+
+	rest := urlString[schemeIdx+3:]
+	atIdx := strings.LastIndex(rest, "@")
+	if atIdx == -1 {
+		return &URLCredentialValidation{HasInvalid: false}
+	}
+
+	userinfo := rest[:atIdx]
+
+	// Check for multiple @ symbols first (indicates @ in credentials)
+	if strings.Count(urlString, "@") > 1 {
+		return &URLCredentialValidation{
+			Field:       "password",
+			InvalidChar: '@',
+			HasInvalid:  true,
+		}
+	}
+
+	// Check username and password separately
+	colonIdx := strings.Index(userinfo, ":")
+	if colonIdx == -1 {
+		return checkForInvalidChars(userinfo, "username")
+	}
+
+	username := userinfo[:colonIdx]
+	if result := checkForInvalidChars(username, "username"); result.HasInvalid {
+		return result
+	}
+
+	password := userinfo[colonIdx+1:]
+	return checkForInvalidChars(password, "password")
+}
+
+func checkForInvalidChars(value, field string) *URLCredentialValidation {
+	invalidChars := "/:#?[]@!$&'()*+,;="
+
+	for _, char := range value {
+		if strings.ContainsRune(invalidChars, char) {
+			return &URLCredentialValidation{
+				Field:       field,
+				InvalidChar: char,
+				HasInvalid:  true,
+			}
+		}
+	}
+
+	return &URLCredentialValidation{HasInvalid: false}
+}

pkg/interactive/validation.go

@@ -89,8 +89,11 @@ func IsURLHttps(val interface{}) error {
 	if err != nil {
 		return err
 	}
+	if parsedUri == nil {
+		return nil
+	}
 	if parsedUri.Scheme != helper.ProtocolHttps {
-		return fmt.Errorf("Expect URL '%s' to use an 'https://' scheme", val.(string))
+		return fmt.Errorf("expect URL '%s' to use an 'https://' scheme", val.(string))
 	}
 	return nil
 }
@@ -106,8 +109,20 @@ func _isUrl(val interface{}) (*url.URL, error) {
 	if s == "" {
 		return nil, nil
 	}
-	parsedUri, err := url.ParseRequestURI(fmt.Sprintf("%v", val))
-	return parsedUri, err
+
+	if credValidation := helper.ValidateURLCredentials(s); credValidation.HasInvalid {
+		return nil, fmt.Errorf("invalid URL: %s contains invalid character '%c'",
+			credValidation.Field, credValidation.InvalidChar)
+	}
+
+	parsedUri, err := url.Parse(fmt.Sprintf("%v", val))
+	if err != nil {
+		return nil, err
+	}
+	if parsedUri.Scheme == "" || parsedUri.Host == "" {
+		return nil, fmt.Errorf("url must have a scheme and host")
+	}
+	return parsedUri, nil
 }
 
 // IsCert validates whether the given filepath is a valid cert file

pkg/interactive/validation_test.go

@@ -108,6 +108,134 @@ var _ = Describe("Validation", func() {
 		})
 	})
 
+	Context("IsURL", func() {
+		It("accepts empty string", func() {
+			err := IsURL("")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts nil", func() {
+			err := IsURL(nil)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid http URL", func() {
+			err := IsURL("http://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid https URL", func() {
+			err := IsURL("https://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts URL with authentication", func() {
+			err := IsURL("http://user:[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with unencoded special characters in password", func() {
+			err := IsURL("http://proxyuser:QvoZjyy/[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("accepts URL with percent-encoded special characters in password", func() {
+			err := IsURL("http://proxyuser:QvoZjyy%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with unencoded @ in password", func() {
+			err := IsURL("http://user:pass@[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(Equal("invalid URL: password contains invalid character '@'"))
+		})
+
+		It("accepts URL with percent-encoded @ in password", func() {
+			err := IsURL("http://user:pass%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with extra colon in password", func() {
+			err := IsURL("http://user:pass:[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(Equal("invalid URL: password contains invalid character ':'"))
+		})
+
+		It("accepts URL with percent-encoded colon in password", func() {
+			err := IsURL("http://user:pass%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL without scheme", func() {
+			err := IsURL("example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("url must have a scheme and host"))
+		})
+
+		It("rejects URL without host", func() {
+			err := IsURL("http://")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("url must have a scheme and host"))
+		})
+
+		It("rejects non-string input", func() {
+			err := IsURL(123)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("can only validate strings"))
+		})
+	})
+
+	Context("IsURLHttps", func() {
+		It("accepts empty string", func() {
+			err := IsURLHttps("")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts nil", func() {
+			err := IsURLHttps(nil)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid https URL", func() {
+			err := IsURLHttps("https://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts https URL with authentication", func() {
+			err := IsURLHttps("https://user:[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects https URL with unencoded special characters in password", func() {
+			err := IsURLHttps("https://proxyuser:QvoZjyy/[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(Equal("invalid URL: password contains invalid character '/'"))
+		})
+
+		It("accepts https URL with percent-encoded special characters in password", func() {
+			err := IsURLHttps("https://proxyuser:QvoZjyy%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects http URL", func() {
+			err := IsURLHttps("http://example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("expect URL 'http://example.com' to use an 'https://' scheme"))
+		})
+
+		It("rejects URL without scheme", func() {
+			err := IsURLHttps("example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("url must have a scheme and host"))
+		})
+
+		It("rejects non-string input", func() {
+			err := IsURLHttps(123)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("can only validate strings"))
+		})
+	})
+
 })
 
 var _ = Describe("SubnetsValidator", func() {