Balena api not working with forward slash

Hello,

I am trying to use the release_tag API to get all my release tags. The commands from here seem to work with curl. However, when I use it with jboss resteasy, it does not seem to work.

For example,
https://api.balena-cloud.com/v6/release_tag?\$filter=release/commit%20eq%20'<COMMIT>'
turns into
/release_tag?%24filter=release%2Fcommit+eq+%27<commit>%27
and I get a malformed request error…

If, however, I change the filter to be tag_key, everything seems to work fine.

I understand the special characters’ encodings but was wondering if there are any solutions around this?
I would appreciate any suggestions.

Hi there, just so I understand right, you are saying that jboss resteasy changes the API commands so that you are getting malformed request errors - however if you change the filter to be tag_key instead of release then it works?

I’ll ask the team if they have any suggestions, but does this happen with many other API calls, or have you only tried it with this one you mentioned?

Also, I’m not familiar with resteasy, but why does it change the url?

Hi,
I am also fairly new to this. I am using Quarkus framework, which uses resteasy.

From my understanding, it’s trying to sanitize the URL? I am not sure if it’s resteasy or something else. I also found this, if it is helpful.

To be more clear, it’s the forward-slash in $filter=release/commit that gets changed to forward slash, which makes the request malformed. If I change the release/commit with some other key like tag_key, it works fine.

I say this is a fairly common occurrence if there is a forward slash involved in the filter.

This seems specific to resteasy as I just confirmed those commands work with curl.

According to their documentation you should be able to disable the sanitizer with resteasy.disable.html.sanitizer =true
https://docs.jboss.org/resteasy/docs/4.7.0.Final/userguide/html_single/index.html

“/”, “<”, “>”, “&”, “"” (double quote), and “'” (single quote) are escaped to prevent an XSS attack. If this parameter is set to “true”, escaping will not occur.

Does https://api.balena-cloud.com/v5/release_tag?\$filter=release%2Fcommit%20eq%20'<commit>' work for you?

I would imagine Balena being able to detect that %2F in release%2Fcommit is a special character?

Good point, https://api.balena-cloud.com/v5/release_tag?\$filter=release%2Fcommit%20eq%20'<commit>' does not work for me.

I’ve opened this GH issue for tracking, and we will see what the API team thinks.

In the meantime, did disabling the sanitizer help?

Thanks, I’ll watch the issue.

Just trying to figure out how to add sanitizer to the quarkus project

I am also having similar issues when I try the select filter and try to get multiple fields.

curl -X GET "https://api.balena-cloud.com/v6/release?\$filter=commit%20eq%20'<COMMIT>'&\$select=id%2Ccommit" -H "Content-Type: application/json" -H "Authorization: Bearer "

Seems to throw malformed URL error

curl -X GET "https://api.balena-cloud.com/v6/release?\$filter=commit%20eq%20'<COMMIT>'&\$select=id,commit" -H "Content-Type: application/json" -H "Authorization: Bearer "

works fine.

Difference: select filter ,

Thanks @sraturi. This looks very much related to escaped , sequence. I have added this detail as well to the issue.

Also, let us know once you are able to add the disable.html.sanitizer config and if you are able to proceed further.

Regards,
N

Hello,

I’m not able to disable the HTML sanitizer in quarkus. I tried adding different variations of disable.html.sanitizer in the application.properties but no luck so far.

Is there an ETA on this issue?

Cheers
Sachin

Hey @sraturi,
I’m afraid I cannot provide an ETA. There is this GH issue you can subscribe to.

Georgia

Want to reopen this as it still isn’t working properly
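
Added example, not part of any post in this thread and not Balena or RESTEasy code: the JDK's form-style `URLEncoder` produces the same rewritten shape quoted in the first post (`%24filter`, `%2F`, `+`, `%27`), while the multi-argument `java.net.URI` constructor escapes only characters that are illegal in a query and so keeps `$`, `/` and `'` literal, as in the curl form. The class name, the sample commit value and the hex-only commit check are assumptions made for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class FilterUrlDemo {
    // Assumption: a commit is a lowercase hex string. Rejecting anything else keeps
    // quotes, '&' and other filter syntax out of the value interpolated below.
    private static final Pattern COMMIT = Pattern.compile("[0-9a-f]{7,64}");

    static String filter(String commit) {
        if (!COMMIT.matcher(commit).matches()) {
            throw new IllegalArgumentException("not a commit hash");
        }
        return "release/commit eq '" + commit + "'";
    }

    // Form-style (application/x-www-form-urlencoded) encoding of name and value:
    // '$' becomes %24, '/' becomes %2F, space becomes '+', and "'" becomes %27.
    static String formEncoded(String commit) {
        return "/release_tag?"
                + URLEncoder.encode("$filter", StandardCharsets.UTF_8)
                + "="
                + URLEncoder.encode(filter(commit), StandardCharsets.UTF_8);
    }

    // Query-component encoding: the multi-argument URI constructor quotes only
    // characters that are not legal in a URI, so the space becomes %20 while
    // '$', '/', ',' and "'" are left as they are.
    static URI queryEncoded(String commit) throws URISyntaxException {
        return new URI("https", "api.balena-cloud.com", "/v6/release_tag",
                "$filter=" + filter(commit), null);
    }

    public static void main(String[] args) throws URISyntaxException {
        String commit = "0a1b2c3d"; // constructed sample value, not a real commit
        System.out.println(formEncoded(commit));
        System.out.println(queryEncoded(commit).toASCIIString());
    }
}
```

Because the `URI` constructor leaves `&` and `=` untouched in the query, the hex check on the commit is what prevents a crafted value from adding parameters or altering the filter.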