Diferent behaviour between quarkus-resteasy and quarkus-resteasy-reactive with @QueryParam with special characters

[martincalvodaniel]

Description

I have found people talking about this issue with the quarkus-rest-client-reactive but no one talking about the server side.

• quarkus-rest-client-reactive does not URL encode some @QueryParam values

I have pushed this project to GitHub with the following two examples.

Any thoughts?

quarkus-resteasy

As it is, the quarkus-resteasy server can be executed like this:

$ ./gradlew -p quarkus-resteasy quarkusDev                                                                                                                                                                                                                                                                                                                                                                                        ─╯

> Task :quarkus-resteasy:quarkusDev
Listening for transport dt_socket at address: 5005
Press [h] for more options>
Tests paused
Press [r] to resume testing, [h] for more options>
Press [r] to resume testing, [o] Toggle test output, [h] for more options>
 __             __             __      __   ___  __  ___  ___       __
/  \ |  |  /\  |__) |__/ |  | /__` __ |__) |__  /__`  |  |__   /\  /__` \ /
\__X \__/ /~~\ |  \ |  \ \__/ .__/    |  \ |___ .__/  |  |___ /~~\ .__/  |

                                              Powered by Quarkus 2.8.0.Final
2022-04-16 09:33:32,316 INFO  [io.quarkus] (Quarkus Main Thread) quarkus-resteasy 1.0-SNAPSHOT on JVM (powered by Quarkus 2.8.0.Final) started in 1.463s. Listening on: http://0.0.0.0:8080
2022-04-16 09:33:32,320 INFO  [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.
2022-04-16 09:33:32,320 INFO  [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-openapi, swagger-ui, vertx

This server exposes the following simple endpoint:

@Path("/hello")
public class ExampleResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String hello(@QueryParam("queryParam") String queryParam) {
        return format("Hello RESTEasy CLASSIC. This was your received queryParam: %s", queryParam);
    }
}

If you query the server endpoint with arg;123 as the queryParam value the server answers with the same value:

$ curl 'localhost:8080/hello?queryParam=arg;123'
Hello RESTEasy CLASSIC. This was your received queryParam: arg;123

If you query the server endpoint with arg;123 url-encoded (arg%3B123) as the queryParam value the server answers with the same no url-encoded value:

$ curl 'localhost:8080/hello?queryParam=arg%3B123'
Hello RESTEasy CLASSIC. This was your received queryParam: arg;123

quarkus-resteasy-reactive

As it is, the quarkus-resteasy-reactive server can be executed like this:

$ ./gradlew -p quarkus-resteasy-reactive quarkusDev                                                                                                                                                                                                                                                                                                                                                                               ─╯

> Task :quarkus-resteasy-reactive:quarkusDev
Listening for transport dt_socket at address: 5005
Press [h] for more options>
Tests paused
Press [r] to resume testing, [h] for more options>
Press [r] to resume testing, [o] Toggle test output, [h] for more options>
 __             __             __      __   ___  __  ___  ___       __          __   ___       __  ___         ___
/  \ |  |  /\  |__) |__/ |  | /__` __ |__) |__  /__`  |  |__   /\  /__` \ / __ |__) |__   /\  /  `  |  | \  / |__
\__X \__/ /~~\ |  \ |  \ \__/ .__/    |  \ |___ .__/  |  |___ /~~\ .__/  |     |  \ |___ /~~\ \__,  |  |  \/  |___

                                                                                    Powered by Quarkus 2.8.0.Final
2022-04-16 09:32:27,178 INFO  [io.quarkus] (Quarkus Main Thread) quarkus-resteasy-reactive 1.0-SNAPSHOT on JVM (powered by Quarkus 2.8.0.Final) started in 1.437s. Listening on: http://0.0.0.0:8080
2022-04-16 09:32:27,182 INFO  [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.
2022-04-16 09:32:27,183 INFO  [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-openapi, swagger-ui, vertx]

This server exposes the following simple endpoint:

@Path("/hello")
public class ExampleResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String hello(@QueryParam("queryParam") String queryParam) {
        return format("Hello RESTEasy REACTIVE. This was your received queryParam: %s", queryParam);
    }
}

If you query the server endpoint with arg;123 as the queryParam value the server answers only with the content preceding the ; character:

$ curl 'localhost:8080/hello?queryParam=arg;123'
Hello RESTEasy REACTIVE. This was your received queryParam: arg

If you query the server endpoint with arg;123 url-encoded (arg%3B123) as the queryParam value the server answers with the same no url-encoded value:

$ curl 'localhost:8080/hello?queryParam=arg%3B123'
Hello RESTEasy REACTIVE. This was your received queryParam: arg;123

Implementation ideas

No response

[quarkus-bot]

/cc @FroMage, @geoand, @stuartwdouglas

[geoand]

@FroMage, @michalszynkiewicz didn't we consider something similar in the past?

[FroMage]

Looks like a bug that we stop at ; in query strings when I don't think they're reserved or special or need to be encoded there. In both cases the endpoint should receive arg;123

[geoand]

We are relying on Vert.x to do the query param parsing, we are not doing it ourselves.