Testing From Trenches, Unexpected Percentage

Karlo Smid
Jun 10, 2020

TL;DR

This blog post describes a bad request issue with a search string that I found on the Pixabay service.

I use the Pixabay service to find an appropriate image for a blog post's featured image. For the blog post 100% Code Coverage Myths, I searched Pixabay with the string 100 % and triggered the 400 Bad Request error from the above image. What is interesting is the string Cloudflare. In the previous blog post, Testing From Trenches, Medium Sign Out Error, we learned that Cloudflare is:

Cloudflare was created to ease these difficulties and empower users with the resources to make their sites, apps, and blogs safe and performant. This is done through the use of a powerful edge network that provides content and other services as close to you as possible, so you get the information as fast as possible [source].

The HTTP 400 error code is:

The HyperText Transfer Protocol (HTTP) 400 Bad Request response status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing) [source].

The error is on the client side, in this case the Pixabay HTML form, which sends this GET request:

https://pixabay.com/images/search/%/

This request is routed through Cloudflare and causes a 400 response. We tried other special characters like:

/!^&$

and those did not trigger an error. The % character is used in the SQL LIKE operator, and this could be a direction for further investigation.

Why is this an issue? Because Pixabay should return a search results page, not a generic Cloudflare error. This clearly indicates that % triggered unhandled exceptions on the server side.
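An added example, not from the original post or from Pixabay's or Cloudflare's code: RFC 3986 requires a % in a URL to be followed by two hex digits, so the `%/` in the request above is malformed request syntax in the sense of the 400 definition quoted earlier, while `/!^&$` contains no escape to get wrong. The sketch flags such escapes, shows the encoding a client would apply, and decodes without an unhandled exception; the function names are hypothetical, and that this check is what produced the 400 here is an assumption.

```javascript
// Added example; function names are hypothetical, not Pixabay or Cloudflare code.
const BASE = "https://pixabay.com/images/search/"; // path taken from the post

// RFC 3986: "%" must be followed by two hex digits. Return offsets where it is not.
function findMalformedEscapes(url) {
  const bad = [];
  for (let i = 0; i < url.length; i++) {
    if (url[i] !== "%") continue;
    if (/^[0-9A-Fa-f]{2}$/.test(url.slice(i + 1, i + 3))) i += 2;
    else bad.push(i);
  }
  return bad;
}

// What a form produces when it pastes the term into the path unencoded.
function rawSearchUrl(term) {
  return BASE + term + "/";
}

// Client-side fix: encode the term as a single path segment ("%" becomes "%25").
function encodedSearchUrl(term) {
  return BASE + encodeURIComponent(term) + "/";
}

// Server-side counterpart: decodeURIComponent throws URIError on a lone "%",
// so catch it and answer with a handled result instead of a generic error.
function decodeSearchTerm(segment) {
  try {
    return { ok: true, term: decodeURIComponent(segment) };
  } catch (err) {
    if (err instanceof URIError) return { ok: false, term: null };
    throw err;
  }
}

// Constructed sample terms: the two from the post plus its other special characters.
for (const term of ["%", "100 %", "/!^&$"]) {
  const raw = rawSearchUrl(term);
  console.log(JSON.stringify(term), "raw malformed escapes:",
    findMalformedEscapes(raw).length, "| encoded:", encodedSearchUrl(term));
}
```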

Originally published at https://blog.tentamen.eu on June 10, 2020.
