author | Jon Marius Venstad <jonmv@gmail.com> | 2022-04-06 13:13:33 +0200 |
---|---|---|
committer | Jon Marius Venstad <jonmv@gmail.com> | 2022-04-06 13:13:33 +0200 |
commit | 04ed009f4c08daf8d0ce0ac4380d96da1bfe4192 (patch) | |
tree | d67dd118c49c7469c509415fa3779d8972e50fe5 | |
parent | 51535b82b7b6e7516144980d424410615a026037 (diff) |
Disallow ? and # as well, in default path segment validator
-rw-r--r-- | container-core/src/main/java/com/yahoo/restapi/HttpURL.java | 8 | ||||
-rw-r--r-- | container-core/src/test/java/com/yahoo/restapi/HttpURLTest.java | 16 |
2 files changed, 21 insertions, 3 deletions
diff --git a/container-core/src/main/java/com/yahoo/restapi/HttpURL.java b/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
index c4cc575940d..9705b6f0e40 100644
--- a/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
+++ b/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
@@ -150,10 +150,12 @@ public class HttpURL {
 }
 }
- /** Require that the given string (possibly decoded multiple times) contains no {@code '/'}, and isn't either of {@code "", ".", ".."}. */
+ /** Require that the given string (possibly decoded multiple times) contains none of {@code '/', '?', '#'}, and isn't either of {@code "", ".", ".."}. */
 public static String requirePathSegment(String value) {
 while ( ! value.equals(value = decode(value, UTF_8)));
 require( ! value.contains("/"), value, "path segment decoded cannot contain '/'");
+ require( ! value.contains("?"), value, "path segment decoded cannot contain '?'");
+ require( ! value.contains("#"), value, "path segment decoded cannot contain '#'");
 return Path.requireNonNormalizable(value);
 }
@@ -171,9 +173,9 @@ public class HttpURL {
 this.validator = requireNonNull(validator);
 }
- /** Creates a new, empty path, with a trailing slash. */
+ /** Creates a new, empty path, with a trailing slash, using {@link HttpURL#requirePathSegment} for segment validation. */
 public static Path empty() {
- return empty(__ -> { });
+ return empty(HttpURL::requirePathSegment);
 }
 /** Creates a new, empty path, with a trailing slash, using the indicated validator for segments. */
diff --git a/container-core/src/test/java/com/yahoo/restapi/HttpURLTest.java b/container-core/src/test/java/com/yahoo/restapi/HttpURLTest.java
index 4354f5ee3ea..05a218b0f04 100644
--- a/container-core/src/test/java/com/yahoo/restapi/HttpURLTest.java
+++ b/container-core/src/test/java/com/yahoo/restapi/HttpURLTest.java
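Review bot: The denylist in `requirePathSegment` now covers `/`, `?` and `#`, but a fully decoded segment can still carry a backslash, a `;` or control characters such as CR/LF, which some servers and proxies normalise or treat as delimiters. If URLs built from these paths are passed on to other HTTP components, consider rejecting those too, for example `require( ! value.contains("\\"), value, "path segment decoded cannot contain '\\'");`, or state in the Javadoc that the validator guards only against the URL delimiters and dot segments. The loop calls `decode(value, UTF_8)`; if that is `URLDecoder.decode`, it maps `+` to a space, so the checked value is form-decoded rather than path-decoded, which does not weaken the three checks but deserves a short comment.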
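Review bot: The new Javadoc on `empty()` names the validator but not what a caller observes when validation fails; the tests in this commit show `append` throwing `IllegalArgumentException`, so add a sentence such as `Appending a segment rejected by the validator throws {@link IllegalArgumentException}.` Callers that relied on the former no-op default (`__ -> { }`) now fail at runtime for segments containing `?`, `#` or an encoded `/`, and any that need the old behaviour must call the `empty(validator)` overload explicitly. Whether other factories outside this hunk that build a `Path` without an explicit validator received the same default is not visible here and should be checked for consistency.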
@@ -139,6 +139,22 @@ class HttpURLTest {
 assertEquals("fromIndex(2) > toIndex(1)",
 assertThrows(IllegalArgumentException.class,
 () -> path.cut(2).skip(2)).getMessage());
+
+ assertEquals("path segment decoded cannot contain '/', but got: '/'",
+ assertThrows(IllegalArgumentException.class,
+ () -> HttpURL.Path.empty().append("%2525252525252525%2525252525253%25252532%252525%252534%36")).getMessage());
+
+ assertEquals("path segment decoded cannot contain '?', but got: '?'",
+ assertThrows(IllegalArgumentException.class,
+ () -> HttpURL.Path.empty().append("?")).getMessage());
+
+ assertEquals("path segment decoded cannot contain '#', but got: '#'",
+ assertThrows(IllegalArgumentException.class,
+ () -> HttpURL.Path.empty().append("#")).getMessage());
+
+ assertEquals("path segments cannot be \"\", \".\", or \"..\", but got: '..'",
+ assertThrows(IllegalArgumentException.class,
+ () -> HttpURL.Path.empty().append("%2E%25252E")).getMessage());
 }
 @Test |
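Review bot: The `?` and `#` cases are exercised only in literal form, while the `/` case goes through several layers of percent-encoding; the new checks deserve the same coverage, e.g. `() -> HttpURL.Path.empty().append("%253F")` and `append("%2523")`, each expecting the same message as its literal counterpart. A positive case would also pin the new default validator: a segment with a harmless encoded character (a constructed example such as `"a%20b"`) should still be accepted by `Path.empty().append(...)`. The enclosing test method begins above this hunk, so where these assertions best fit in its structure is not visible here.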