Skip to content

fix(trino): sanitize bracketed userinfo and URL-decode credentials#2455

Open
Bartok9 wants to merge 2 commits into
Canner:mainfrom
Bartok9:fix/trino-url-brackets
Open

fix(trino): sanitize bracketed userinfo and URL-decode credentials#2455
Bartok9 wants to merge 2 commits into
Canner:mainfrom
Bartok9:fix/trino-url-brackets

Conversation

@Bartok9

@Bartok9 Bartok9 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Sanitize raw [ / ] in Trino connection-URL userinfo before urlparse.
  • Percent-decode user, password, catalog, and schema with unquote.

Motivation

Two silent failures on trino:// URLs:

  1. Brackets in credentialsurlparse treats any [/] in the netloc as IPv6 delimiters, so trino://user:p[a]ss@host/c/s raises ValueError: Invalid IPv6 URL and never connects. Same root cause already fixed for MySQL/MSSQL/Oracle/ClickHouse helpers.
  2. Percent-encoded credentials/identifiersurlparse leaves %40 etc. literal in userinfo/path, so correctly encoded reserved characters fail auth / catalog resolution.

Decoding is required after bracket sanitisation (otherwise the pre-escaped brackets remain as %5B/%5D). Uses unquote, not unquote_plus, so a literal + is preserved.

Differential value

#2435 (mine, still open) only does the decode half on an older branch. This PR is the complete parentheses-safe version of the same path; prefer this one and close #2435 once merged.

Verification

  • PYTHONPATH=src pytest tests/connectors/test_trino.py -k parse_trino_url7 passed, 66 deselected
  • Regression:
    • test_parse_trino_url_allows_raw_brackets_in_password
    • test_parse_trino_url_preserves_ipv6_host_with_bracketed_password
    • test_parse_trino_url_decodes_user_password_and_identifiers
    • test_parse_trino_url_preserves_literal_plus_in_userinfo
  • Real behavior without fix: trino://user:p[a]ss@host:8080/c/sValueError: Invalid IPv6 URL
  • With fix: user user, password p[a]ss; IPv6 host ::1 still parses when bracketed.

License

core/wren/** only (Apache-2.0).

Summary by CodeRabbit

  • Bug Fixes
    • Improved Trino connection URL parsing for more reliable extraction of user credentials and path components.
    • Added safer handling for raw bracket characters ([/]) in the userinfo portion to prevent URL parsing failures.
    • Enhanced percent-decoding for user, password, catalog, and schema values while keeping existing host/port behavior.
    • Preserved literal + characters in userinfo fields and added coverage for additional edge cases via new unit tests.

Raw '[' / ']' in trino:// credentials raise ValueError from urlparse's
IPv6 netloc check. Escape only the userinfo segment (preserving real
IPv6 hosts), then unquote username/password/catalog/schema so both the
escaped brackets and ordinary percent-encoded reserved characters land
as the intended strings. unquote (not unquote_plus) keeps literal '+'.
@github-actions github-actions Bot added python Pull requests that update Python code core labels Jul 9, 2026
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b8e202f4-1bdb-48a5-ada8-e4d84822a99d

📥 Commits

Reviewing files that changed from the base of the PR and between 7bc6330 and 526fdf5.

📒 Files selected for processing (1)
  • core/wren/src/wren/connector/trino.py
💤 Files with no reviewable changes (1)
  • core/wren/src/wren/connector/trino.py

Walkthrough

The Trino connector now escapes brackets in userinfo before parsing URLs and unquotes parsed user, password, catalog, and schema values. New tests cover bracketed passwords, IPv6 hosts, percent-decoding, and literal + preservation.

Changes

Trino URL Parsing Fix

Layer / File(s) Summary
URL parsing and decoding
core/wren/src/wren/connector/trino.py
Adds unquote import, introduces _parse_trino_connection_url to escape [/] in userinfo before urlparse, and unquotes user, catalog, schema, and _password in the resulting connection kwargs.
Regression tests
core/wren/tests/connectors/test_trino.py
Adds tests for bracketed passwords with IPv6 hosts, percent-decoding of credentials and path identifiers, and preservation of literal + in userinfo fields.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: goldmedal

Poem

A rabbit hopped through brackets bright,
Then unquoted creds just right,
%40 faded from the trail,
IPv6 held steady in the mail,
Hop, decode, and test — delight! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main Trino URL parsing fix and matches the code changes.
Linked Issues check ✅ Passed The PR decodes username, password, catalog, and schema with unquote() and preserves '+' as required by #2435.
Out of Scope Changes check ✅ Passed The bracket sanitization helper is tied to the Trino URL parsing fix and does not introduce unrelated scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant