Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

The parameters in path may be overwritten by the parameters with the same name in query #1757

Closed
3 tasks done
alandtsang opened this issue Jan 15, 2021 · 4 comments
Closed
3 tasks done

The parameters in path may be overwritten by the parameters with the same name in query #1757

alandtsang opened this issue Jan 15, 2021 · 4 comments

Comments

@alandtsang
Copy link

alandtsang commented Jan 15, 2021
edited
Loading

Issue Description

Hi guys, I encountered such a problem while using echo. The parameters in path may be overwritten by the parameters with the same name in query.

Checklist

  • Dependencies installed
  • No typos
  • Searched existing issues and docs

Expected behaviour

Actual behaviour

Steps to reproduce

For example, the following example:

First request:

 curl -X POST http://127.0.0.1:1323/pets/1/names -d '{"name":"Bear"}' -H "Content-Type: application/json"

output is {PetID:1 Name:Bear}, and this is as expected.

If now an attacker passes the path parameter with the same name query parameter pet_id:

curl -X POST http://127.0.0.1:1323/pets/1/names -d '{"name":"Bear", "pet_id":2}' -H "Content-Type: application/json"

The output at this time is not what I expected, pet_id is overwritten:

{PetID:2 Name:Bear}

Is the above situation a known normal situation?

Working code to debug

package main

import (
	"fmt"
	"net/http"

	"github.com/go-playground/validator/v10"
	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

type setPetNameParams struct {
	PetID int64  `json:"pet_id" param:"pet_id" validate:"required"`
	Name  string `json:"name" query:"name" validate:"required"`
}

type Validator struct {
	validator *validator.Validate
}

func NewValidator() *Validator {
	return &Validator{validator: validator.New()}
}

func (v *Validator) Validate(i interface{}) error {
	return v.validator.Struct(i)
}

func main() {
	e := echo.New()
	e.Validator = NewValidator()

	e.Use(middleware.Logger())
	e.Use(middleware.Recover())

	e.POST("/pets/:pet_id/names", SetPetName)
	e.Logger.Fatal(e.Start(":1323"))
}

func SetPetName(c echo.Context) error {
	var (
		params setPetNameParams
		err    error
	)

	if err = c.Bind(&params); err != nil {
		return c.JSON(http.StatusBadRequest, err.Error())
	}

	if err = c.Validate(&params); err != nil {
		return c.JSON(http.StatusBadRequest, err.Error())
	}

	fmt.Printf("%+v\n", params)
	return c.String(http.StatusOK, params.Name)
}

Version/commit

go version go1.14.11 darwin/amd64

github.com/go-playground/validator/v10 v10.4.1
github.com/labstack/echo/v4 v4.1.17
@aldas
Copy link
Contributor

aldas commented Jan 15, 2021
edited
Loading

This is same as #1670 and addressed in multiple ways in different PRs (already in master branch - waiting to be released)

In current version what you can do - do not mix json binding with param/query binding.

For body/json

	if err := json.NewDecoder(c.Request().Body).Decode(&payload); err != nil {
		return err
	}

For path

	petID, err := strconv.ParseInt(c.Param("pet_id"), 10, 64)
	if err != nil {
		return err
	}

For query

	petID, err := strconv.ParseInt(c.QueryParam("pet_id"), 10, 64)
	if err != nil {
		return err
	}

it is longer but avoids mixing up where data is taken

in next release it will be much easier to handle this stuff

@iambenkay
Copy link
Contributor

iambenkay commented Jan 15, 2021
edited
Loading

This is due to Context.Bind automatically trying to bind the request body, query params and path params into one struct so it would override it if fields from two sources have the same name.

This has been addressed in #1681 where explicit binding is done instead and although hasn't been officially released can be accessed with this version suffix v4.1.18-0.20210107234338-9b0e63046b13

I'd advise to not change to this unreleased version if it's a production app except you really know what you're doing.

I currently use it and it tackles the issue for me.

@alandtsang
Copy link
Author

This is same as #1670 and addressed in multiple ways in different PRs (already in master branch - waiting to be released)

In current version what you can do - do not mix json binding with param/query binding.

Thanks for your reply, I understand, thanks again.

@alandtsang
Copy link
Author

This is due to Context.Bind automatically trying to bind the request body, query params and path params into one struct so it would override it if fields from two sources have the same name.

This has been addressed in #1681 where explicit binding is done instead and although hasn't been officially released can be accessed with this version suffix v4.1.18-0.20210107234338-9b0e63046b13

I'd advise to not change to this unreleased version if it's a production app except you really know what you're doing.

I currently use it and it tackles the issue for me.

Thanks for your reply, I will close this issue now.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@aldas @alandtsang @iambenkay