Fix XML builder f-string injection + URL encoding + streaming error handling #3

Closed
opened 2026-03-21 16:45:11 +00:00 by forgejo_admin · 0 comments

Type

Bug

Repo

forgejo_admin/minio-sdk

What Broke

QA review of PR #2 found 3 issues:

  1. XML builder functions use f-string interpolation without escaping — object keys containing <, >, or & produce malformed XML
  2. Streaming GET responses skip error handling — 404/403 returned silently instead of raising
  3. Manual query string construction without URL-encoding — keys with spaces or special chars will break

Repro Steps

  1. Create an object with key containing < or & (e.g., test&file.txt)
  2. Call delete_objects() with that key — XML body will be malformed
  3. Call get_object() on a non-existent key with stream=True — no error raised
  4. Call list_objects() with prefix containing spaces — query string not properly encoded

Expected Behavior

  1. XML builder should escape all special characters in user-provided values
  2. Streaming responses should check status code and raise S3Error on 4xx/5xx
  3. Query strings should use urllib.parse.urlencode or quote() for proper encoding

Environment

  • minio-sdk main branch (post PR #2 merge)
  • Python 3.11+
  • MinIO at minio-api.tail5b443a.ts.net

Lineage

plan-pal-e-platform → Phase 24 (QA nits from PR #2)

File Targets

  • src/minio_sdk/xml_parser.py — escape special chars in XML builders
  • src/minio_sdk/client.py — streaming error handling + URL encoding

Acceptance Criteria

  • XML builder escapes <, >, &, ", ' in all user-provided values
  • Streaming GET responses raise on 4xx/5xx
  • Query strings URL-encoded via urllib.parse
  • New tests for edge cases (special chars in keys, 404 on streaming GET)
  • Existing tests still pass

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • phase-pal-e-platform-24-minio-sdk — source phase
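The three fixes the issue asks for, shown as an added example rather than code from the minio-sdk repository: each defect appears as a "before" function next to a hardened "after" function and is exercised offline against constructed inputs. Names such as build_delete_xml, build_query, get_object_stream, FakeResponse and this S3Error class are hypothetical stand-ins for whatever the SDK actually calls them; the NoSuchKey error body is constructed here in the shape S3 and MinIO return for a missing key.

```python
# Added example for this issue (not minio-sdk's own code): each of the three
# defects as a 'before' function next to a hardened 'after' function, run
# offline against constructed inputs. build_delete_xml*, build_query*,
# get_object_stream*, S3Error and FakeResponse are hypothetical stand-ins.
from urllib.parse import quote, urlencode
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET


class S3Error(Exception):
    """Stand-in for the SDK's error type: HTTP status plus the S3 <Code>."""

    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status = status
        self.code = code


# --- 1. XML builder: f-string interpolation vs. escaped values -------------
def build_delete_xml_unsafe(keys):
    # 'Before': a key such as test&file.txt lands unescaped in the body.
    objs = "".join(f"<Object><Key>{k}</Key></Object>" for k in keys)
    return f"<Delete><Quiet>true</Quiet>{objs}</Delete>"


def build_delete_xml(keys):
    # 'After': escape() rewrites &, <, > as entities. Use quoteattr() instead
    # when a user value goes into an attribute rather than element text.
    objs = "".join(f"<Object><Key>{escape(k)}</Key></Object>" for k in keys)
    return f"<Delete><Quiet>true</Quiet>{objs}</Delete>"


def xml_is_well_formed(doc):
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def parse_delete_keys(doc):
    # Round-trip check: a server-side parser must recover the original keys.
    return [el.text for el in ET.fromstring(doc).iter("Key")]


# --- 3. Query string: manual join vs. urllib.parse -------------------------
def build_query_unsafe(params):
    return "&".join(f"{k}={v}" for k, v in params.items())


def build_query(params):
    # quote_via=quote gives %20 for spaces (not '+') and encodes '/', which is
    # the RFC 3986 form that SigV4 canonical query strings require.
    return urlencode(params, quote_via=quote)


# --- 2. Streaming GET: check the status before handing back the body -------
class FakeResponse:
    """Constructed stand-in for an HTTP response; no network involved."""

    def __init__(self, status_code, body):
        self.status_code = status_code
        self.content = body

    def iter_content(self, chunk_size=4):
        for i in range(0, len(self.content), chunk_size):
            yield self.content[i:i + chunk_size]


def parse_s3_error(resp):
    # S3 error bodies are XML: <Error><Code>..</Code><Message>..</Message></Error>
    try:
        root = ET.fromstring(resp.content)
        code = root.findtext("Code") or "Unknown"
        message = root.findtext("Message") or ""
    except ET.ParseError:
        code, message = "Unknown", resp.content[:200].decode("utf-8", "replace")
    return S3Error(resp.status_code, code, message)


def get_object_stream_unsafe(resp):
    # 'Before': a 404 error document is streamed back as if it were the object.
    return resp.iter_content()


def get_object_stream(resp):
    # 'After': inspect the status first; error bodies are small, so read them.
    if resp.status_code >= 400:
        raise parse_s3_error(resp)
    return resp.iter_content()


def try_stream(resp):
    """Return ('ok', bytes) or ('error', s3_code) for the hardened path."""
    try:
        return "ok", b"".join(get_object_stream(resp))
    except S3Error as err:
        return "error", err.code


# Constructed sample error body in the shape S3/MinIO return for a missing key.
NO_SUCH_KEY = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchKey</Code>'
               b"<Message>The specified key does not exist.</Message>"
               b"<Key>missing.txt</Key></Error>")

if __name__ == "__main__":
    print(xml_is_well_formed(build_delete_xml_unsafe(["test&file.txt"])))
    print(parse_delete_keys(build_delete_xml(["test&file.txt", "a<b>.txt"])))
    print(build_query({"prefix": "my docs/", "max-keys": 10}))
    print(try_stream(FakeResponse(404, NO_SUCH_KEY)))
```

The unsafe XML builder produces a body that no XML parser accepts for `test&file.txt`, which is the malformed-request failure the issue describes; the escaped form round-trips both `&` and `<`/`>` through a parser unchanged. For the query string, `quote_via=quote` matters beyond readability: SigV4 signs a canonical query string that percent-encodes spaces as `%20`, so the default `+` encoding from `urlencode` would produce a signature mismatch on the server. For the streaming path, the "before" function hands the NoSuchKey error document to the caller as object bytes, while the "after" function raises with the parsed S3 code and falls back to a generic code when the body is not XML (as with a proxy's plain-text 502).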