cloudinary / cloudinary_gem

Cloudinary GEM for Ruby on Rails integration
https://cloudinary.com

Transformation params not properly URL escaped #540

Open stirkac opened 3 months ago

stirkac commented 3 months ago

Bug report for Cloudinary Ruby SDK

Before proceeding, please update to latest version and test if the issue persists - DONE

Describe the bug in a sentence or two.

If the parameters passed to a transformation contain a double quote, they are not properly escaped when formulating the Cloudinary URL, causing an invalid URL to be generated.

Issue Type (Can be multiple)

Steps to reproduce

Run Cloudinary::Utils.cloudinary_url(VIDEO_ID_HERE,{ resource_type: "video", transformation: [{color: '"abc', overlay: { font_family: "Times", font_size: 12, font_weight: "bold", text: "..." }}])

note the '"abc' for the color

Error screenshots or Stack Trace (if applicable)

[Screenshot 2024-03-28 at 19 29 07]

Operating System

Environment and Libraries (fill in the version numbers)

wissam-khalili commented 3 months ago

Hi @stirkac ,

Thank you for reaching out.

The example you have provided won't work and you will get: `X-Cld-Error: Invalid color name "abc`. Whether we encode it or not, it will not work.

Could you share your use case? If it's possible, can you provide some other parameter that works if you encode it and we are not encoding?

Best Regards, Wissam

stirkac commented 3 months ago

Sorry, I made an assumption, but the actual value can be seen from the screenshot that is added: `"#e6e6e640`. It was an accidental discovery, by pasting the value with the quotation mark. It's hard for me to share the exact code because the transformation hash is dynamically constructed, but if it helps, here's the replicated use case with everything in plain sight:

{"resource_type":"video","sign_url":true,"secure":true,"delivery_type":"authenticated","transformation":[{"color":"\"#e6e6e640","overlay":{"font_family":"Times","font_size":20,"font_weight":"bold","text":"Order #1419 for seb as - sebastjan@shopcircle.co on Thu, Mar 28, 24"}},{"effect":"anti_removal:90","flags":"layer_apply","gravity":"center"}]}

and the resulting url: https://res.cloudinary.com/dymk9xwef/video/upload/s--DIhny0fj--/co_\"#e6e6e640,l_text:Times_20_bold:Order%20%231419%20for%20seb%20as%20-%20sebastjan%40shopcircle.co%20on%20Thu%252C%20Mar%2028%252C%2024/e_anti_removal:90,fl_layer_apply,g_center/dance-2.mp4

wissam-khalili commented 3 months ago

Hi @stirkac,

We do encode color if a valid color is passed, for example, #e6e6e640, so in the resulting URL it will be encoded to: co_rgb:e6e6e640. We do not sanitize input (strip spaces, quotes, etc.). I hope this is helpful. Regards, Wissam
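An added example, not code from the cloudinary_gem project: since the SDK does not sanitize input, the application building the transformation hash has to validate the value before it reaches the URL. The check below accepts only hex colours (mapped to the `rgb:` form the SDK emits, as described above) or plain named colours, rejects anything carrying quotes or other stray characters, and can flag raw characters in a generated URL path that should never appear unencoded. The regexes and function names are assumptions for this illustration.

```ruby
# Application-side validation of a Cloudinary colour value (illustrative, not SDK code).
# Accepted hex forms: #rgb, #rgba, #rrggbb, #rrggbbaa (assumption for this example).
HEX_COLOR   = /\A#(?:\h{3}|\h{4}|\h{6}|\h{8})\z/
NAMED_COLOR = /\A[a-z]+\z/i

# Returns the Cloudinary form of the colour ("rgb:e6e6e640" or "red"),
# or nil when the value would not produce a valid co_ parameter.
# A leading or embedded quote, as in the report ('"#e6e6e640'), yields nil.
def cloudinary_color(value)
  v = value.to_s.strip
  return "rgb:#{v[1..-1]}" if v.match?(HEX_COLOR)
  return v.downcase if v.match?(NAMED_COLOR)
  nil
end

# Builds the co_ URL component, raising instead of emitting a malformed URL.
def color_component(value)
  c = cloudinary_color(value)
  raise ArgumentError, "invalid color: #{value.inspect}" unless c
  "co_#{c}"
end

# Characters that must not appear raw inside a URL path segment; useful as a
# last-line check on a URL the SDK returned (the reported URL contains '"' and '#').
def unsafe_path_chars(url_path)
  url_path.scan(/["#<>\s\\]/).uniq
end
```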