Fix expand_db_url to handle special characters in passwords (tortoise#2081)

veeceey · claude · web-flow · commit c25d0a19c786 · 2026-02-10T09:09:15.000+02:00
* Fix expand_db_url to handle special characters in passwords urlparse.urlparse() raises ValueError when passwords contain special characters like '[' or ']' because it tries to interpret them as IPv6 address brackets. This fix adds a helper function that percent-encodes the userinfo part (username:password) before parsing, while preserving already-encoded sequences and leaving the rest of the URL intact. Fixes tortoise#404 * Fix code style to pass make check Apply ruff format (double quotes, slice spacing) and remove unused pytest import to satisfy the CI linting pipeline. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/tests/test_issue_404.py b/tests/test_issue_404.py
@@ -0,0 +1,34 @@
+"""Test for issue #404 - expand_db_url fails with special characters in password."""
+
+from tortoise.backends.base.config_generator import expand_db_url
+
+
+def test_expand_db_url_with_brackets_in_password():
+    """Test that passwords with square brackets work correctly."""
+    # Password with square brackets (as mentioned in issue #404)
+    db_url = "mysql://some_user:ADM[r$VIS]@test-rds.somedata.net:3306/mydb?charset=utf8mb4"
+
+    config = expand_db_url(db_url)
+
+    assert config["engine"] == "tortoise.backends.mysql"
+    assert config["credentials"]["user"] == "some_user"
+    assert config["credentials"]["password"] == "ADM[r$VIS]"
+    assert config["credentials"]["host"] == "test-rds.somedata.net"
+    assert config["credentials"]["port"] == 3306
+    assert config["credentials"]["database"] == "mydb"
+    assert config["credentials"]["charset"] == "utf8mb4"
+
+
+def test_expand_db_url_with_unbalanced_brackets_in_password():
+    """Test that passwords with unbalanced square brackets work correctly."""
+    # Password with unbalanced bracket (causes IPv6 parsing error)
+    db_url = "mysql://fail_user:DMK_15[ZWIN6@test-rds.somedata.net:3306/mydb2?charset=utf8mb4"
+
+    config = expand_db_url(db_url)
+
+    assert config["engine"] == "tortoise.backends.mysql"
+    assert config["credentials"]["user"] == "fail_user"
+    assert config["credentials"]["password"] == "DMK_15[ZWIN6"
+    assert config["credentials"]["host"] == "test-rds.somedata.net"
+    assert config["credentials"]["port"] == 3306
+    assert config["credentials"]["database"] == "mydb2"
diff --git a/tortoise/backends/base/config_generator.py b/tortoise/backends/base/config_generator.py
@@ -129,7 +129,53 @@
 DB_LOOKUP["postgres"] = DB_LOOKUP["asyncpg"]
 
 
+def _quote_url_userinfo(db_url: str) -> str:
+    """Quote special characters in username and password to avoid URL parsing issues.
+
+    urlparse fails when passwords contain characters like '[' or ']' because it
+    tries to parse them as IPv6 addresses. This function percent-encodes the userinfo
+    part (username:password) while leaving the rest of the URL intact.
+
+    Only characters that cause parsing issues (like '[' and ']') are encoded.
+    Already percent-encoded sequences (like %25) are preserved.
+    """
+    # Find the scheme delimiter
+    scheme_end = db_url.find("://")
+    if scheme_end == -1:
+        return db_url
+
+    scheme = db_url[: scheme_end + 3]  # Include "://"
+    rest = db_url[scheme_end + 3 :]
+
+    # Find the userinfo section (everything before @)
+    at_pos = rest.find("@")
+    if at_pos == -1:
+        # No credentials
+        return db_url
+
+    userinfo = rest[:at_pos]
+    after_userinfo = rest[at_pos:]
+
+    # Split userinfo into username and password
+    colon_pos = userinfo.find(":")
+    if colon_pos == -1:
+        # No password, just username
+        # Only quote characters that cause parsing issues
+        username = urlparse.quote(userinfo, safe="%")
+        return scheme + username + after_userinfo
+    else:
+        username = userinfo[:colon_pos]
+        password = userinfo[colon_pos + 1 :]
+        # Quote username and password, but preserve already-encoded sequences
+        # We keep % as safe so existing percent-encoded chars aren't double-encoded
+        username_quoted = urlparse.quote(username, safe="%")
+        password_quoted = urlparse.quote(password, safe="%")
+        return scheme + username_quoted + ":" + password_quoted + after_userinfo
+
+
 def expand_db_url(db_url: str, testing: bool = False) -> dict:
+    # Quote special characters in userinfo to avoid parsing errors
+    db_url = _quote_url_userinfo(db_url)
     url = urlparse.urlparse(db_url)
     if url.scheme not in DB_LOOKUP:
         raise ConfigurationError(f"Unknown DB scheme: {url.scheme}")
