listObjects does not URL-encode the prefix query parameter #14

@Nana-EC

Description

The listObjects() method builds the canonical query string by direct string concatenation:

final String canonicalQueryString = "list-type=2&prefix=" + prefix + "&max-keys=" + maxResults;

A prefix containing &, =, +, or spaces corrupts the query string structure. This also
causes an incorrect SigV4 canonical query string during signing, causing authentication to
fail even if the HTTP request somehow succeeded.

Steps to reproduce

The prefix value should be URL-encoded before being placed in the query string, e.g.:

"list-type=2&max-keys=" + maxResults + "&prefix=" + urlEncode(prefix, false)

Note: query parameters must also be sorted alphabetically in the canonical form for correct
SigV4 signing.

Actual behavior
Special characters in the prefix break the query string and signature.

Affected file
client/src/main/java/com/hedera/bucky/S3Client.java, listObjects() ~line 165

Additional context

No response

Hedera network

No response

Version

v0.1.0

Operating system

None
