sneak/pixa
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Bug: GenerateSignedURL produces malformed URL when source has query string #2

New Issue
Closed
opened 2026-02-09 00:56:06 +01:00 by clawbot · 0 comments
clawbot commented 2026-02-09 00:56:06 +01:00
Collaborator
Copy Link

Bug

In internal/imgcache/signature.go, GenerateSignedURL() embeds the query string mid-path:

path = fmt.Sprintf("/v1/image/%s%s?%s/%s.%s",
    req.SourceHost,
    req.SourcePath,
    req.SourceQuery,
    sizeStr,
    req.Format,
)

This produces URLs like /v1/image/cdn.example.com/photo.jpg?foo=bar/800x600.webp where ?foo=bar/800x600.webp becomes the query string, not the path. The size/format segment after the ? is parsed as a query parameter, not as a path segment.

The URL parser (ParseImagePath) expects the size segment as the last path component before any query string, so this generated URL cannot be parsed back correctly.

Impact

Signed URLs for sources with query strings are broken - they will return 400 Bad Request when accessed.

Fix

The query string in the source URL should be encoded into the path differently, matching how ParseImageURL expects it. Looking at the URL parser, it expects the format host/path?query/size.format where the ?query is embedded in a path segment. But this conflicts with how HTTP URLs work. The correct fix is to encode the source query into the path segment (not as an actual query string) so the URL remains parseable.

## Bug In `internal/imgcache/signature.go`, `GenerateSignedURL()` embeds the query string mid-path: ```go path = fmt.Sprintf("/v1/image/%s%s?%s/%s.%s", req.SourceHost, req.SourcePath, req.SourceQuery, sizeStr, req.Format, ) ``` This produces URLs like `/v1/image/cdn.example.com/photo.jpg?foo=bar/800x600.webp` where `?foo=bar/800x600.webp` becomes the query string, not the path. The size/format segment after the `?` is parsed as a query parameter, not as a path segment. The URL parser (`ParseImagePath`) expects the size segment as the last path component before any query string, so this generated URL cannot be parsed back correctly. ## Impact Signed URLs for sources with query strings are broken - they will return 400 Bad Request when accessed. ## Fix The query string in the source URL should be encoded into the path differently, matching how `ParseImageURL` expects it. Looking at the URL parser, it expects the format `host/path?query/size.format` where the `?query` is embedded in a path segment. But this conflicts with how HTTP URLs work. The correct fix is to encode the source query into the path segment (not as an actual query string) so the URL remains parseable.
clawbot self-assigned this 2026-02-09 00:56:06 +01:00
sneak closed this issue 2026-02-09 01:30:51 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bot

Agent's turn to work

  
merge-ready

   
needs-checks

   
needs-rebase

   
needs-review

   
needs-rework
No Label
bot
merge-ready
needs-checks
needs-rebase
needs-review
needs-rework
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
clawbot
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/pixa#2
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?