search

cyberark / conjur-api-ruby

Ruby client for the CyberArk Conjur API
https://rubygems.org/gems/conjur-api
Apache License 2.0
3 stars 5 forks source link

Period in Resource ID is not properly escaped #187

Closed micahlee closed 3 years ago

micahlee commented 3 years ago

Problem Description

When we use fully_escape to make Resource IDs URL safe, we don't currently escape the period (.) character. This can lead to resource URLs resulting in a 404 response from the Conjur API because it parses the period as an extension (.json) instead of part of the URL path.

Example for user with ID my.user:

"GET /api/audit/roles/cucumber%3Auser%3Amy.user?limit=10 HTTP/1.1" 404

Expected Outcome:

Periods should be escaped with the sequence %2E. With this substitution the request above is correctly routed and handled:

"GET /api/audit/roles/cucumber%3Auser%3Amy%2Euser?limit=10 HTTP/1.1" 200
micahlee commented 3 years ago

Replaced by bug report in Conjur server: https://github.com/cyberark/conjur/issues/2001