authorBjørn Christian Seime <bjorncs@verizonmedia.com>2021-12-09 16:56:04 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2021-12-09 16:56:04 +0100
commit286d3cb295bcb06e4bd051050e97b45b70c028f8 (patch)
treed5ceeae083a94f49760c9b9a04b370e796590d66 /security-utils/src
parent800c53c580717f7f1d8bcc02d31235ac6d3673d2 (diff)
Disable '?' as single char wildcard for URI matching
Diffstat (limited to 'security-utils/src')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java8
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java2
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java2
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java2
5 files changed, 9 insertions, 7 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java
index 30d4186f8a5..46a38a77844 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java
@@ -15,10 +15,10 @@ class GlobPattern {
private final char[] boundaries;
private final Pattern regexPattern;
- GlobPattern(String pattern, char[] boundaries) {
+ GlobPattern(String pattern, char[] boundaries, boolean enableSingleCharWildcard) {
this.pattern = pattern;
this.boundaries = boundaries;
- this.regexPattern = toRegexPattern(pattern, boundaries);
+ this.regexPattern = toRegexPattern(pattern, boundaries, enableSingleCharWildcard);
}
boolean matches(String value) { return regexPattern.matcher(value).matches(); }
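Review bot: The new `enableSingleCharWildcard` parameter on the `GlobPattern` constructor is an undocumented positional boolean, and every caller in this commit passes a bare `true` or `false` (HostGlobPattern, UriGlobPattern, the GlobPatternTest helper). These patterns back the `RequiredPeerCredential.Pattern` implementations, so a flipped argument changes what a TLS policy pattern accepts with no compile-time signal. I would add a Javadoc line on the constructor, e.g. `@param enableSingleCharWildcard when false, '?' is treated as a literal character rather than a single-character wildcard`, and consider two named static factories or a small enum instead of the boolean. The literal handling of `?` is inferred from the added UriGlobPatternTest assertions, since the non-wildcard branch of `toRegexPattern` and the rest of the class are outside the hunks shown.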
@@ -27,12 +27,12 @@ class GlobPattern {
Pattern regexPattern() { return regexPattern; }
char[] boundaries() { return boundaries; }
- private static Pattern toRegexPattern(String pattern, char[] boundaries) {
+ private static Pattern toRegexPattern(String pattern, char[] boundaries, boolean enableSingleCharWildcard) {
StringBuilder builder = new StringBuilder("^");
StringBuilder precedingCharactersToQuote = new StringBuilder();
char[] chars = pattern.toCharArray();
for (char c : chars) {
- if (c == '?' || c == '*') {
+ if ((enableSingleCharWildcard && c == '?') || c == '*') {
builder.append(quotePrecedingLiteralsAndReset(precedingCharactersToQuote));
// Note: we explicitly stop matching at a separator boundary.
// This is to make matching less vulnerable to dirty tricks (e.g dot as boundary for hostnames).
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
index d59052a48ef..cb9ba13cae4 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
@@ -11,7 +11,7 @@ class HostGlobPattern implements RequiredPeerCredential.Pattern {
private final GlobPattern globPattern;
HostGlobPattern(String pattern) {
- this.globPattern = new GlobPattern(pattern, new char[] {'.'});
+ this.globPattern = new GlobPattern(pattern, new char[] {'.'}, true);
}
@Override
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java
index 006ca83a403..b2cc0688bb9 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/UriGlobPattern.java
@@ -13,7 +13,7 @@ class UriGlobPattern implements RequiredPeerCredential.Pattern {
private final GlobPattern globPattern;
UriGlobPattern(String globPattern) {
- this.globPattern = new GlobPattern(globPattern, new char[] {'/'});
+ this.globPattern = new GlobPattern(globPattern, new char[] {'/'}, false);
}
@Override public String asString() { return globPattern.asString(); }
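Review bot: The `false` passed to `GlobPattern` in the `UriGlobPattern` constructor has no explanation of why URI patterns differ from host patterns, which still pass `true`. A one-line comment above the call would stop a later cleanup from re-enabling the wildcard, e.g. `// '?' delimits the query part of a URI, so it must match literally and never act as a wildcard`. The rest of the class is outside this hunk.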
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java
index b7f4b6b9c46..4350aa2b0a9 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java
@@ -100,7 +100,7 @@ class GlobPatternTest {
}
private static GlobPattern globPattern(String pattern, String boundaries) {
- return new GlobPattern(pattern, boundaries.toCharArray());
+ return new GlobPattern(pattern, boundaries.toCharArray(), true);
}
}
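Review bot: The `globPattern` helper now hard-codes `true`, so as far as this hunk shows GlobPatternTest never builds a `GlobPattern` with the single-character wildcard disabled. That path is exercised only indirectly through UriGlobPatternTest. I would add a direct case with a constructed pattern, such as `new GlobPattern("a?c", new char[] {'.'}, false)`, asserting that it matches `a?c` and rejects `abc`. The test methods themselves are outside the hunk.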
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java
index d598fbe1b84..c60c782da14 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/UriGlobPatternTest.java
@@ -20,6 +20,8 @@ class UriGlobPatternTest {
assertMatches("scheme://*/segment1/segment2", "scheme://hostname/segment1/segment2");
assertMatches("scheme://*.name/", "scheme://host.name/");
assertNotMatches("scheme://*", "scheme://hostname/");
+ assertMatches("scheme://hostname/mypath?query=value", "scheme://hostname/mypath?query=value");
+ assertNotMatches("scheme://hostname/?", "scheme://hostname/p");
}
private void assertMatches(String pattern, String value) {
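Review bot: Nothing in the added assertions pins how `*` behaves next to a query string. They cover only a literal `?` inside a fixed pattern and `?` no longer matching an arbitrary character. `UriGlobPattern` uses `'/'` as its only boundary, so a `*` in the last path segment can presumably still span `?` and whatever follows it. The `*` translation is not visible in this diff, so this needs confirming. An assertion such as `assertNotMatches("scheme://hostname/path*", "scheme://hostname/path?query=value")`, or `assertMatches` if spanning the query is intended, would make the contract explicit for policy authors. The enclosing test method starts outside the hunk.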