authorjonmv <venstad@gmail.com>2022-04-11 10:45:43 +0200
committerjonmv <venstad@gmail.com>2022-04-11 10:45:43 +0200
commite22b3ccb970ff6917322ec594496c2c2647a05db (patch)
treede6c9ce746bcf8d7c1c620a1e094b9d1717b49ca
parent11c97272cdc0459ee4b409d7cccb8f38ad908276 (diff)
Avoid segment validation in rule based filter
-rw-r--r--container-core/src/main/java/com/yahoo/restapi/Path.java5
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java2
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java2
3 files changed, 7 insertions, 2 deletions
diff --git a/container-core/src/main/java/com/yahoo/restapi/Path.java b/container-core/src/main/java/com/yahoo/restapi/Path.java
index 80f9391fb56..01bcb627639 100644
--- a/container-core/src/main/java/com/yahoo/restapi/Path.java
+++ b/container-core/src/main/java/com/yahoo/restapi/Path.java
@@ -46,6 +46,11 @@ public class Path {
this.path = HttpURL.Path.parse(uri.getRawPath(), validator);
}
+ /** Create a new Path for matching the given URI against patterns, without any segment validation. */
+ public static Path withoutValidation(URI uri) {
+ return new Path(uri, __ -> { });
+ }
+
private boolean matchesInner(String pathSpec) {
values.clear();
List<String> specElements = HttpURL.Path.parse(pathSpec).segments();
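Review bot: The Javadoc on `withoutValidation` does not say which checks are skipped or when skipping them is safe, which matters for a public factory on a shared class. Judging by the companion test change, segments that decode to contain `/` are now accepted as-is, so the comment should limit the result to pattern matching, e.g. `/** Creates a Path for pattern matching only; segments are not validated, so matched values must not be used to build file or URL paths. */`. The no-op validator `__ -> { }` would also read better as a named constant. `matchesInner`, shown as context, continues past the end of the hunk.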
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java
index fb384a3f980..88a241b8196 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java
@@ -118,7 +118,7 @@ public class RuleBasedRequestFilter extends JsonSecurityRequestFilterBase {
boolean methodMatches = methods.isEmpty() || methods.contains(method.toUpperCase());
String host = uri.getHost();
boolean hostnameMatches = hostnames.isEmpty() || (host != null && hostnames.contains(host));
- Path pathMatcher = new Path(uri);
+ Path pathMatcher = Path.withoutValidation(uri);
boolean pathMatches = pathGlobExpressions.isEmpty() || pathGlobExpressions.stream().anyMatch(pathMatcher::matches);
return methodMatches && hostnameMatches && pathMatches;
}
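Review bot: With `Path.withoutValidation(uri)` the rule matcher now evaluates paths that `new Path(uri)` presumably rejected, so the filter's view of a path can differ from what a validating handler sees later. The call site needs a comment recording why that is acceptable, e.g. `// Matching only: an invalid segment must not make the filter throw; handlers validate the path themselves.`, if that is the intent. The updated test asserts only the allowed outcome for a `%2F` path. A second case, where a rule with a path glob and a blocking action receives a request with encoded separators in its segments, would pin down that rules still apply as configured. The enclosing method starts above the hunk.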
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java
index c4171ecd4d7..cfd0e80968f 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java
@@ -51,7 +51,7 @@ class RuleBasedRequestFilterTest {
Metric metric = mock(Metric.class);
RuleBasedRequestFilter filter = new RuleBasedRequestFilter(metric, config);
MockResponseHandler responseHandler = new MockResponseHandler();
- filter.filter(request("PATCH", "http://myserver:80/path-to-resource"), responseHandler);
+ filter.filter(request("PATCH", "http://myserver:80/path-to-resource%2F"), responseHandler);
assertAllowed(responseHandler, metric);