Diffstat (limited to 'jdisc-security-filters')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java5
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java2
2 files changed, 4 insertions, 3 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java
index fb384a3f980..c5ec08e23cb 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilter.java
@@ -118,8 +118,9 @@ public class RuleBasedRequestFilter extends JsonSecurityRequestFilterBase {
boolean methodMatches = methods.isEmpty() || methods.contains(method.toUpperCase());
String host = uri.getHost();
boolean hostnameMatches = hostnames.isEmpty() || (host != null && hostnames.contains(host));
- Path pathMatcher = new Path(uri);
- boolean pathMatches = pathGlobExpressions.isEmpty() || pathGlobExpressions.stream().anyMatch(pathMatcher::matches);
+ // Path segments cannot be validated in this filter, as we don't know what API it protects.
+ // Specifically, /document/v1 must allow _any_ rest path segment, as there is no restriction on document IDs.
+ boolean pathMatches = pathGlobExpressions.isEmpty() || pathGlobExpressions.stream().anyMatch(Path.withoutValidation(uri)::matches);
return methodMatches && hostnameMatches && pathMatches;
}
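Review bot: Dropping validation on the `pathMatches` line means rule globs are now compared against path segments this filter no longer vets, and the added comment explains why that is needed but not what it implies for rule authors. If the handler behind the filter decodes or normalizes the path differently from `Path.withoutValidation(uri)` (not visible here), a request could be evaluated against a different rule than the one written for the resource it finally reaches, which matters most for rules whose action is to block. I would extend the comment with `// Rules must therefore not assume segments are normalized; the protected handler is responsible for validating its own paths.` and add a test next to the updated one asserting that a blocking rule still applies to a path containing `%2F`, since the changed test only covers the allowed case. The enclosing method starts outside the hunk.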
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java
index c4171ecd4d7..cfd0e80968f 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/rule/RuleBasedRequestFilterTest.java
@@ -51,7 +51,7 @@ class RuleBasedRequestFilterTest {
Metric metric = mock(Metric.class);
RuleBasedRequestFilter filter = new RuleBasedRequestFilter(metric, config);
MockResponseHandler responseHandler = new MockResponseHandler();
- filter.filter(request("PATCH", "http://myserver:80/path-to-resource"), responseHandler);
+ filter.filter(request("PATCH", "http://myserver:80/path-to-resource%2F"), responseHandler);
assertAllowed(responseHandler, metric);