Getting the junk values in the URL - RESTAssured - java

I'm automating my GET API with RESTAssured. When I look at the URI just before hitting the API, it is normal, but when I add the query parameters, it adds junk values. I don't understand why adding query params does this; even when I print the query params, they show the proper values.
Here is my code snippet.
System.out.println("QUERY PARAMS"+queryParams);
System.out.println(">>>>"+uri);
Response response = RestAssured.given()
        .config(RestAssured.config().sslConfig(this.getSslConfig()))
        .filter(new AllureRestAssured())
        .contentType(appJsonContentType)
        .headers(requestHeader)
        .queryParams(queryParams)
        .when()
        .log()
        .all()
        .get(uri);
And here are the logs:
QUERY PARAMS{amount=[2000.0], currency=[USD], date=[2022-04-01T00:00:00Z], id=[413275]}
>>>>https://www.example.com/amount/21345699
Request method: GET
Request URI: https://www.example.com/amount/21345699?amount=2000.0&currency=USD&date=2022-04-01T00%3A00%3A00Z&id=413275
I'm not sure why I'm getting this %3A in my URL. I tried
.all().get(URLEncoder.encode(uri, StandardCharsets.UTF_8));
but it adds some localhost:8080 ahead of the URL. Can someone please help?

These are URL-encoded characters, as not all characters can be written directly in a URL.
%3A is the URL-encoded ":" sign, which I assume is separating the hour:minute:second fields in your parameters.

Related

QueryParam decode my url encoded with cp1252

I have a get request with this param in the url (encoded in cp1252):
?c=es&t=a%20coru%F1a
I have a Spring Boot service with a QueryParam that automatically converts to:
a coru�a
The %20 are replaced by spaces and the %F1 is replaced by �
If I try to encode again:
java.net.URLEncoder.encode(t, "Windows-1252");
This is the final result (%3F instead of %F1):
a+coru%3Fa
What I need is for the QueryParam not to decode the URL; I only want that string as I send it.
If I try with a POST request and x-www-form-urlencoded everything works fine (obviously), but I need a GET request.
This is what I did in the end:
I've replaced @RequestParam with:
HttpServletRequest request
And then:
request.getQueryString()
And I can get the values from the query url in the same format.
Probably it's not the best option, but it works!
Thanks.
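
The round trip described in this post, as an added example that is not part of the original post: decoding `a%20coru%F1a` with the wrong charset loses the 0xF1 byte for good, which is why re-encoding yields `%3F`. The class name is an assumption; the input is the parameter value from the question.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class QueryCharsetDemo {
    // Raw value of the "t" parameter exactly as it appears in the question's URL.
    static final String RAW = "a%20coru%F1a";
    static final Charset CP1252 = Charset.forName("windows-1252");

    public static void main(String[] args) {
        // Decoded as UTF-8: a lone 0xF1 byte is not valid UTF-8, so the decoder
        // substitutes the replacement character U+FFFD and the original byte is lost.
        String asUtf8 = URLDecoder.decode(RAW, StandardCharsets.UTF_8);
        System.out.println("decoded as UTF-8 contains U+FFFD: " + asUtf8.contains("\uFFFD"));

        // U+FFFD has no windows-1252 mapping, so the encoder substitutes '?' (0x3F)
        // and the re-encoded value no longer matches what was sent.
        System.out.println("re-encoded: " + URLEncoder.encode(asUtf8, CP1252));

        // Decoded with the charset the sender actually used, 0xF1 maps to U+00F1
        // and the value survives a decode/encode round trip.
        String asCp1252 = URLDecoder.decode(RAW, CP1252);
        System.out.println("decoded as cp1252 is 'a coru\\u00F1a': " + asCp1252.equals("a coru\u00F1a"));
        System.out.println("re-encoded: " + URLEncoder.encode(asCp1252, CP1252));
    }
}
```

Requires Java 10 or later for the `Charset` overloads of `URLDecoder.decode` and `URLEncoder.encode`.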

fix for spot bug - HRS_REQUEST_PARAMETER_TO_HTTP_HEADER

I am executing the code below inside a servlet and getting this SpotBugs bug - HRS_REQUEST_PARAMETER_TO_HTTP_HEADER
Bug: HTTP parameter directly written to HTTP header output in SSOIdpLogoutRedirect.doPost(HttpServletRequest, HttpServletResponse)
String relayState = request.getParameter("RELAY_STATE");
if (relayState != null)
{
    response.sendRedirect(relayState);
}
To fix this bug I added the code below.
relayState = URLEncoder.encode(relayState,StandardCharsets.UTF_8);
But the URL does not redirect correctly, as I can see the relayState URL has been changed after encoding
original relaystate = https://sad.ezhdj.net/system/web/apps/dfgh/
and after encoding it is
relaystate =https%3A%2F%2Fsad.ezdev.net%2Fsystem%2Fweb%2Fapps%2Fdfgh%2F

you should use HttpServletResponse.encodeRedirectURL() to encode redirect URLs:
String encodeRedirectURL(String url)
Encodes the specified URL for use in the sendRedirect method or, if
encoding is not needed, returns the URL unchanged. The implementation
of this method includes the logic to determine whether the session ID
needs to be encoded in the URL.
...
All URLs sent to the HttpServletResponse.sendRedirect method should be
run through this method...
this should work:
response.sendRedirect(response.encodeRedirectURL(relayState));
since your url doesn't actually need encoding, output from encodeRedirectURL() will be:
https://sad.ezhdj.net/system/web/apps/dfgh/
and the redirect will work just fine.
edit:
apparently the proposed solution still triggers the HRS_REQUEST_PARAMETER_TO_HTTP_HEADER SpotBugs error.
after doing a little more research I found out that the error is meant to prevent the HTTP response splitting vulnerability (i.e. when unwanted \r\n are written in the header section of the HTTP response).
we should then better sanitize relayState against this type of vulnerability.
a simple relayState.replace("\r\n", "") is enough to make the error go away:
response.sendRedirect(response.encodeRedirectURL(relayState.replace("\r\n", "")));
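
An added example, not code from the answer or from SpotBugs: a stricter treatment of the same RELAY_STATE value that rejects any control character (a lone CR or a lone LF as well as the pair) and accepts only an https URL whose host is on an allowlist. The class name, `safeRedirectTarget` and the allowlist contents are assumptions made for illustration, and the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class RelayStateValidator {
    // Assumption: the only host this application may redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("sad.ezhdj.net");

    /** Returns the redirect target if it is acceptable, otherwise empty. */
    static Optional<String> safeRedirectTarget(String relayState) {
        // Reject every control character, so a lone CR or a lone LF is caught
        // as well as the "\r\n" pair.
        if (relayState == null || relayState.chars().anyMatch(Character::isISOControl)) {
            return Optional.empty();
        }
        try {
            URI uri = new URI(relayState);
            String host = uri.getHost();
            // Require an absolute https URL with no user-info part.
            if (!"https".equalsIgnoreCase(uri.getScheme()) || host == null
                    || uri.getUserInfo() != null) {
                return Optional.empty();
            }
            // An exact host match against the allowlist keeps the parameter
            // from sending users to an arbitrary site.
            if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
                return Optional.empty();
            }
            return Optional.of(uri.toASCIIString());
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed inputs
            "https://sad.ezhdj.net/system/web/apps/dfgh/",
            "https://sad.ezhdj.net/x\r\nX-Test: 1",
            "https://sad.ezhdj.net/x\nX-Test: 1",
            "https://other.example/landing",
        };
        for (String s : samples) {
            // Control characters are shown as '.' so the output stays on one line.
            System.out.println(safeRedirectTarget(s).isPresent() + " " + s.replaceAll("\\p{Cntrl}", "."));
        }
    }
}
```

In the servlet, a present value would be passed to response.sendRedirect(...), and an empty result handled by redirecting to a fixed default page instead.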

Java Rest Assured is over processing my get request

I am trying to connect to a REST API (Not my own so I can't fix their issues) but when I send a GET request, Rest Assured is reprocessing my URI causing the call to fail.
Here is the code to build the request:
Call rest = new Call("https://rest.test.com"); // Custom class to simplify REST calls.
JSONObject searchCriteria = new JSONObject();
searchCriteria.put("textSearchType", "SEARCHNAME");
searchCriteria.put("textSearchString", "joe blow");
String header = "Lead Inline Quick Search";
StringBuilder resource = new StringBuilder("/api/v1/search?");
resource.append("searchCriteria=")
        .append(URLEncoder.encode(searchCriteria.toString(), StandardCharsets.UTF_8))
        .append("&header=")
        .append(URLEncoder.encode(header, StandardCharsets.UTF_8));
System.out.println("REST call: " + resource.toString());
rest.get(resource.toString(), 200); // Perform a get on the query, expect a 200 response
When I look at the output, the request is correct:
REST call: /api/v1/search?searchCriteria=%7B%22textSearchString%22%3A%22joe+blow%22%2C%22textSearchType%22%3A%22SEARCHNAME%22%7D&header=Lead+Inline+Quick+Search
However when I look at the debug for Rest Assured, it reprocesses the request causing the call to fail:
Request method: GET
Request URI: https://rest.test.com/api/v1/search?searchCriteria=%257B%2522textSearchString%2522%253A%2522joe%2Bblow%2522%252C%2522textSearchType%2522%253A%2522SEARCHNAME%2522%257D&header=Lead%2BInline%2BQuick%2BSearch
Note:
'{' is correctly converted to '%7B' from the Net encoding and looks right in the resource, but Rest Assured then further converts all the '%' to '%25' making the json invalid ({ becomes %257B).
The '+' in the header is converted to '%20' for some reason. While technically the same, there is no reason to "fix" it.
If I don't encode the values when building the resource, the get call fails because it sees the spaces.
IllegalArgumentException-Invalid number of path parameters. Expected 1, was 0. Undefined path parameters are: "textSearchString":"joe blow","textSearchType":"SEARCHNAME".
So what is the proper way to encode the values? Or get Rest Assured not to monkey with the string it's sent?

The comment from @Hypino put me on the right track.
Adding .urlEncodingEnabled(false) to the .given() did not change the results (call was still double processed). But adding .setUrlEncodingEnabled(false) to the RequestSpecBuilder() gave the correct results.
private RequestSpecBuilder build = new RequestSpecBuilder().setUrlEncodingEnabled(false);
The logged call and the actual call are now the same:
REST call: /api/v1/search?searchCriteria=%7B%22textSearchString%22%3A%22joe+blow%22%2C%22textSearchType%22%3A%22SEARCHNAME%22%7D&header=Lead+Inline+Quick+Search
Request method: GET
Request URI: https://rest.test.com/api/v1/search?searchCriteria=%7B%22textSearchString%22%3A%22joe+blow%22%2C%22textSearchType%22%3A%22SEARCHNAME%22%7D&header=Lead+Inline+Quick+Search

400 bad request after URL encoding

I am consuming REST web services in my Java code. Before making the call to the REST web service, I encode my query parameters with java.net.URLEncoder.
But my request is failing with a 400 Bad Request exception.
URL before encoding : host?limit=200&filter=published ge "2017-12-15T16:50:34.034Z" and (action.objectType eq "core.user_group_member.user_add" or action.objectType eq "core.user_group_member.user_remove")
URL after decoding : %3Flimit%3D200%26filter%3Dpublished%20ge%20%222017-12-15T16%3A50%3A34.034Z%22%20and%20%28action.objectType%20eq%20%22core.user_group_member.user_add%22%20or%20action.objectType%20eq%20%22core.user_group_member.user_remove%22%29
I tried the same from the Postman REST client tool; there too the unencoded URL works and the encoded URL fails with a 400 Bad Request error.

"limit=200&filter=" doesn't need to be encoded.
In Postman you need to manually encode the relevant parameters' values as follows:
Right click on a piece of selected text, and select “EncodeURIComponent” to manually encode the parameter value.

Extracting ViewState when testing JSF with JMeter

I'm using JMeter to do some load tests on my JSF application and I'm having trouble passing the ViewState along the pages. The ViewState variable doesn't get extracted at all or it doesn't get passed along the pages.
I've recorded my test steps with a proxy server and this is what it looks like:
I've added the Regex extractor in the first GET request. Tested the regex and it is correct.
In every POST request I replace the hardwired View IDs with my variable.
And what I get when I send the request is the following:
The POST parameters are incorrect, as it sends the name of the variable.
POST data:
loginForm%3ArequestToken=&loginForm%3Ausername=heller&loginForm%3Apassword=%21QAYxsw2%A7EDC&loginForm%3AloginButton=Anmelden&com.sun.faces.VIEW=%24%7BjsfViewState%7D&loginForm=loginForm
Could you tell what I'm doing wrong here?
Thanks!

The ViewState parameter is an encoded value (Base64 I believe?) and may contain values that would be inappropriate if passed in a GET request through the url. URL parameters are typically encoded so that special values (e.g. space -> %20) can be represented and decoded when the request reaches the server.
The issue here is that the following request is a POST meaning that the parameters do not need to be URL encoded.
com.sun.faces.VIEW=%24%7BjsfViewState%7D&loginForm=loginForm
The above shows that JMeter or some other process is URL encoding the ViewState in the request which is incorrect. The value of the ViewState should simply be sent as is.

Found my problem: the regex was wrong, so it couldn't find anything in the response. I had to change the regex. Noticed it after adding a default value "NOT FOUND".
