fix: Escape special characters in URL path prior to constructing URL (#442)

jbelkins · web-flow · commit 9d11142cee65 · 2022-09-21T13:12:35.000-05:00
diff --git a/Packages/ClientRuntime/Sources/Networking/Http/SdkHttpRequest.swift b/Packages/ClientRuntime/Sources/Networking/Http/SdkHttpRequest.swift
@@ -2,7 +2,7 @@
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0.
  */
-
+import struct Foundation.CharacterSet
 import struct Foundation.URLQueryItem
 import struct Foundation.URLComponents
 import AwsCommonRuntimeKit
@@ -29,12 +29,22 @@ public class SdkHttpRequest {
     }
 }
 
+// Create a `CharacterSet` of the characters that need not be percent encoded in the
+// resulting URL.  This set consists of alphanumerics plus underscore, dash, tilde, and
+// period.  Any other character should be percent-encoded when used in a path segment.
+// Forward-slash is added as well because the segments have already been joined into a path.
+//
+// See, for URL-allowed characters:
+// https://www.rfc-editor.org/rfc/rfc3986#section-2.3
+private let allowed = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: "/_-.~"))
+
 extension SdkHttpRequest {
     public func toHttpRequest(bufferSize: Int = 1024) -> HttpRequest {
         let httpHeaders = headers.toHttpHeaders()
         let httpRequest = HttpRequest()
         httpRequest.method = method.rawValue
-        httpRequest.path = "\(endpoint.path)\(endpoint.queryItemString)"
+        let encodedPath = endpoint.path.addingPercentEncoding(withAllowedCharacters: allowed) ?? endpoint.path
+        httpRequest.path = "\(encodedPath)\(endpoint.queryItemString)"
         httpRequest.addHeaders(headers: httpHeaders)
         httpRequest.body = body.toAwsInputStream()
         return httpRequest
diff --git a/Packages/ClientRuntime/Tests/NetworkingTests/HttpRequestTests.swift b/Packages/ClientRuntime/Tests/NetworkingTests/HttpRequestTests.swift
@@ -93,6 +93,15 @@ class HttpRequestTests: NetworkingTestUtils {
         XCTAssert(updatedRequest.queryItems.contains(queryItem2))
         XCTAssert(updatedRequest.queryItems.contains(URLQueryItem(name: "signedthing", value: "signed")))
     }
+
+    func testPathInInHttpRequestIsEscapedPerRFC3986() throws {
+        let builder = SdkHttpRequestBuilder()
+            .withHeader(name: "Host", value: "xctest.amazon.com")
+            .withPath("/space /colon:/dollar$/tilde~/dash-/underscore_/period.")
+        let httpRequest = builder.build().toHttpRequest()
+        let escapedPath = "/space%20/colon%3A/dollar%24/tilde~/dash-/underscore_/period."
+        XCTAssertEqual(httpRequest.path, escapedPath)
+    }
     
     func testConversionToUrlRequestFailsWithInvalidEndpoint() {
         // TODO:: When is the endpoint invalid or endpoint.url nil?
