MeltwaterArchive / datasift-ruby

Ruby client for DataSift
http://datasift.com
MIT License

`secret_key` improperly escaped when creating a managed source #59

Closed JadedEvan closed 10 years ago

JadedEvan commented 10 years ago

I experienced this issue when I was trying to create a managed source with DynamoDB as the data destination. AWS will often generate `secret_access_key`s that include special characters (+, /, etc.). Our secret token happened to include a forward slash /.

The invalid escaping originates in DataSift::Client.encode (https://github.com/datasift/datasift-ruby/blob/develop/lib/datasift.rb#L222)

    URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))

URI.escape does not handle the slash correctly, whereas CGI.escape does.

    URI.escape('abc/123')
     => "abc/123"
    CGI.escape('abc/123')
     => "abc%2F123"

If I attempt to pre-escape my value when setting up my data destination, the encode method double escapes it and continues to make it invalid:

    URI.escape('abc%2F123')
     => "abc%252F123"

Seems like the fix here would be to use CGI.escape instead.

dugjason commented 10 years ago

Thanks for this suggestion @JadedEvan - it is available in v.3.1.1 of the DataSift gem
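
The encoding difference discussed in this issue, as an added example that is not part of the thread or of the datasift-ruby code base. `URI.escape` was removed in Ruby 3.0, so `legacy_escape` below is an approximation of its default behaviour; the method names, the sample value and the assumption that the receiving server decodes the query as form data are all hypothetical, and the example goes beyond the slash case to cover `+`, `&` and `=`.

```ruby
require 'cgi'
require 'uri'

# Approximation of the removed URI.escape default: only characters outside
# the URI "unreserved" and "reserved" sets are escaped, so / + & = pass through.
LEGACY_UNSAFE = /[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,\[\]]/

def legacy_escape(str)
  str.gsub(LEGACY_UNSAFE) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Pattern quoted in the issue: join the pairs first, then escape the whole string.
def encode_whole_string(params)
  legacy_escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
end

# Escape every key and value on its own, then join with the delimiters.
def encode_per_component(params)
  params.collect { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }.join('&')
end

# What a form-decoding receiver would recover (assumed server behaviour).
def server_view(query)
  URI.decode_www_form(query).to_h
end

# Constructed sample value, not a real credential.
SAMPLE = { 'secret_key' => 'abc/12+3&x=y', 'name' => 'demo' }.freeze

if __FILE__ == $PROGRAM_NAME
  [method(:encode_whole_string), method(:encode_per_component)].each do |enc|
    query = enc.call(SAMPLE)
    seen  = server_view(query)
    status = seen == SAMPLE ? 'round-trips' : 'CORRUPTED'
    puts "#{enc.name}: #{query}"
    puts "  server sees #{seen.inspect} (#{status})"
  end
end
```

A round-trip check like `server_view(encode(params)) == params` over values containing `/ + & = %` makes a useful regression test for any client that signs or forwards credentials in a query string.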