Blob SAS fails if query string contains URL-encoded value

Which service(blob, file, queue, table) does this issue concern?

blob (but may be applied to queue too)

Which version of the Azurite was used?

v3.5.0

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

DockerHub

What’s the Node.js version?

v10.19.0

What problem was encountered?

SAS authentification for blob fails if SAS contains URL-encoded strings (e.g. URL-encoded filename in Content-Disposition)

Steps to reproduce the issue?

I used python client for a minimal reproducible code,

import datetime
import urllib.parse

import requests
from azure.storage.blob.blockblobservice import BlockBlobService
from azure.storage.blob.models import BlobPermissions, ContentSettings

azure_blob_service = BlockBlobService(...)

name = 'te st.txt'
name_quoted = urllib.parse.quote(name)  # will result 'te%20st.txt'

# assume that the file is already uploaded in the blob storage

sas_token = azure_blob_service.generate_blob_shared_access_signature(
    'test',
    name,
    permission=BlobPermissions(read=True),
    content_disposition=f'inline; filename="{name_quoted}"',
    expiry=datetime.datetime(2030, 1, 1)
)

url = azure_blob_service.make_blob_url(
    'test',
    name_quoted,
    sas_token=sas_token
)

print(requests.get(url))
# In real Azure Blob Storage, this results 200 OK response,
# In Azurite, this results 403 Forbidden response.

Have you found a mitigation/solution?

I guess that in BlobSASAuthenticator.ts, query values (which are fetched from req.getQuery(...)) are already decoded by express and qs packages but this.decodeIfExist(...) function applies decodeURIComponent one more time, which results in different SAS signature values.

For example, contentDisposition value from rscd query key,

• expected : inline; filename="te%20st.txt"
• actual : inline; filename="te st.txt"