Percent encoding of literal `+` character to `%20` in query params for sigv4 signing

[tli-sq]

Hello! I'm looking to understand the expected behavior when creating AWS SigV4 signed request, specifically how the literal character of + is treated in query params.

My understanding is that the literal + character is valid in query params, and that the client should encode it as %2B, e.g. something like C++ would be percent encoded as C%2B%2B

It looks like there is a change last year where the key / values of the query params are decoded first, before being re-encoded.

I think the decode + encode essentially assumes that the literal + will always be interpreted and encoded as a space character (%20), which means that the request to be signed will different than the original request, if the original request's query param contains %2B.

Is this the intended behavior?

[nbaws]

/assign @nbaws

[nbaws]

@tli-sq am going to run some testing on this for you now. Are you actually seeing a scenario where you are getting a signature failure for urls like these?

The change you linked was to test against the aws-c-auth sigv4 signing test suite, which in theory is meant to help us avoid problems like these. But it's possible theres a test case that isn't covered.

[tli-sq]

@nbaws Thank you for looking in to this!

Yes, we've noticed a signature mismatch for some HTTP calls when we upgraded our envoys from v1.31.5 to v1.32.3 (v1.31.5...v1.32.3), and we're able to repro this with any encoded query param string that contains a %2B (% encoded +)

So with a literal + character encoded as a %2B by the client, e.g.
v1/healthz?key1=test%2Bexample'
We would get:
The request signature we calculated does not match the signature you provided.

But a non-encoded + from the client works:
v1/healthz?key1=test+example'

We're using Envoy::Extensions::Common::Aws::Utility::canonicalizeQueryString to prep the request to be signed, but I think the mismatch still occurs because the actual request has an encoded literal + that's being interpreted as a space character, and then re-encoded as %20 by Envoy::Extensions::Common::Aws::Utility::canonicalizeQueryString for signature.

[nbaws]

Yep that matches what I'm seeing. I will work on a fix for you and keep this thread updated.

[nbaws]

There appears to be two bugs at play here. I do have a fix for both now, but it may have to wrap the second fix with a configuration option. PR will link to this thread.

[tli-sq]

Thanks @nbaws!

I'll keep an eye out. I had a quick look at your draft PR, and a question about the second bug you mentioned. Specifically:

This patch also removes a second bug, which was incorrectly converting url encoded plus signs to spaces.

Would your proposed solution cause problems for query params where the client URL encodes the space character as a +? Like in application/x-www-form-urlencoded (just seeing the reference here https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding).

I guess in previous my "non-encoded" + example, the + could actually represent a space that's encoded by the client

But a non-encoded + from the client works:
v1/healthz?key1=test+example'

It looks to me the approach in the draft PR would pre-encode the encoded + into a %2B, which would then be decoded as a literal +

Maybe another example would be "C++ Language", where the correct encoding by the client, could be:
C%2B%2B%20Language OR C%2B%2B+Language based on my reading/understanding of percent encoding standards

EDIT: Ah maybe the assumption for the request signing is that the space should never be encoded as a + based on this. All good if that's the case.

[nbaws]

Hey @tli-sq

Definitely not finished with this one and I wanted to see if this fix broke other tests - which it did. But let me give some background on the thinking here.

The second bug 'transforming + to space' was a leftover from when I implemented the test suite. However it shouldn't have made its way in there and is adding more confusion to this troubleshooting :)

The first bug is 'what's the correct canonicalization behaviour for a literal plus when received by envoy'.

The challenge is that we don't know the client intention for this literal plus, whether it is in fact a literal plus or something that was converted from a space. Nor do we have any guarantee about whether the URL landing in envoy is encoded or not. What we do know is the correct SigV4 canonicalization behaviour of a literal plus when it lands in the signing process and that's reasonably straight forward to compare between the envoy implementation and other sources (I use the aws-c-auth implementation).

What I've found from that investigation is that there's actually a non-canonicalization issue that occurs for literal plus signs, ie both envoy and aws-c-auth fail to signature verify for urls of the form 'host?a=+b'. However the reason it fails is not due to signature generation, it's due to a difference between the way this specific URL is handled from the wire into the AWS signature verification process. Exactly where that happens I'm still trying to find out.

So where does this leave me right now? Either we pre-encode a literal plus sign and get a valid signature that will work with our services, or we don't pre-encode and you get a guaranteed signature failure. What I'm still working through is what the implications of that is for the semantics of the URL, because up until this point we've never actually touched the URL on the way through envoy.

I'll keep kicking this one along and will keep you updated. For now assume while this is still in draft I'm still kicking it.