
Does not escape the # character to %23 when in the password #23

Closed
NobleUplift opened this issue Sep 28, 2018 · 3 comments

NobleUplift commented Sep 28, 2018

I'm trying to connect to a database with the following URL:

var client = new pg.Client('postgresql://dwuser:<PASSWORD>@dw:5433/dwdev');

dwuser is my data warehouse user, and dw is a network-defined alias of my data warehouse pointing to its IP. The password, port, and database are self-evident. When I try to use this string, I get the following:

Connection failed!  { Error: getaddrinfo ENOTFOUND dwuser dwuser:5432
    at errnoException (dns.js:28:10)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:73:26)
  code: 'ENOTFOUND',
  errno: 'ENOTFOUND',
  syscall: 'getaddrinfo',
  hostname: 'dwuser',
  host: 'dwuser',
  port: 5432 }

It recognizes my username as the hostname and does not accept the custom port.

EDIT: It turns out that my data warehouse has a # sign in it. This needs to be escaped to %23 or manually replaced on my end in order to work.

@NobleUplift NobleUplift changed the title Does not support postgres://<username>:<password>@<hostname>:<port>/<database> Does not escape the # character if it is in a password Sep 28, 2018
@NobleUplift NobleUplift changed the title Does not escape the # character if it is in a password Does not escape the # character to %23 when in the password Sep 28, 2018
Contributor

hjr3 commented May 23, 2019

I wrote a quick test to see what was going on:

  it('password contains #', function(){
    var sourceConfig = {
      user:'brian',
      password: 'password#',
      port: 5432,
      host: 'localhost',
      database: 'postgres'
    };
    var connectionString = 'postgres://' + sourceConfig.user + ':' + sourceConfig.password + '@' + sourceConfig.host + ':' + sourceConfig.port + '/' + sourceConfig.database;
    var subject = parse(connectionString);
    console.log(subject);
    subject.password.should.equal(sourceConfig.password);
  });

Here is the result:

{
  user: '',
  password: '',
  port: null,
  host: 'brian',
  database: ':password'
}

The # character is denoting a URL fragment.

I am loath to try and fix this though. I think some of the existing behavior going on is already dangerous. I believe the caller should be wrapping username and password in encodeURIComponent before constructing the URL.

Example:

encodeURIComponent('password#')


vitaly-t commented Jul 6, 2019

This PR will fix it, if merged.

And the # symbol will be usable as URL-encoded %23 anywhere in the connection string.

Contributor

hjr3 commented Feb 1, 2020

As mentioned earlier, the caller should be wrapping username and password in encodeURIComponent before constructing the URL.

@hjr3 hjr3 closed this as completed Feb 1, 2020
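
The resolution in this thread (the caller percent-encodes each credential before building the URL) shown as an added example; it is not code from the thread or from the project. It assumes Node's built-in WHATWG `URL` class as the parser rather than the library's own, and the function names and the sample password are constructed for illustration.

```javascript
// Added example: helper names and sample credentials are constructed.

// Build a connection URL, percent-encoding each credential so reserved
// characters (# @ : / ?) cannot be read as URL delimiters.
function buildConnectionString({ user, password, host, port, database }) {
  return 'postgres://' + encodeURIComponent(user) + ':' +
    encodeURIComponent(password) + '@' + host + ':' + port + '/' +
    encodeURIComponent(database);
}

// Parse with the WHATWG URL class and decode each component.
// Returns null when the string is not a valid URL or decodes badly.
function parseConnectionString(connectionString) {
  try {
    const url = new URL(connectionString);
    return {
      user: decodeURIComponent(url.username),
      password: decodeURIComponent(url.password),
      host: url.hostname,
      port: url.port ? Number(url.port) : null,
      database: decodeURIComponent(url.pathname.replace(/^\//, '')),
    };
  } catch (err) {
    return null;
  }
}

// True when every configured field survives the trip through the URL.
function roundTrips(config, connectionString) {
  const parsed = parseConnectionString(connectionString);
  return parsed !== null &&
    Object.keys(config).every((key) => parsed[key] === config[key]);
}

const config = {
  user: 'brian',
  password: 'p@ss:w/rd#1?', // constructed: contains several URL delimiters
  host: 'localhost',
  port: 5432,
  database: 'postgres',
};

// Naive concatenation, as in the test in this thread: the delimiters
// inside the password are interpreted as URL structure.
const naive = 'postgres://' + config.user + ':' + config.password + '@' +
  config.host + ':' + config.port + '/' + config.database;

console.log('naive round-trips:  ', roundTrips(config, naive));
console.log('encoded round-trips:', roundTrips(config, buildConnectionString(config)));
```

The same encoding applies to any secret interpolated into a URL, including ones read from environment variables or a secrets manager.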