-
-
Notifications
You must be signed in to change notification settings - Fork 170
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix regular expression injection: Unsanitized input from an HTTP para…
…meter flows into replaceAll
- Loading branch information
Showing
1 changed file
with
13 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,27 +19,33 @@ | |
| */ | ||
| package org.restheart.utils; | ||
|
|
||
| import io.undertow.server.HttpServerExchange; | ||
| import java.io.UnsupportedEncodingException; | ||
| import java.net.URLDecoder; | ||
| import java.util.regex.Pattern; | ||
|
|
||
| import org.bson.BsonValue; | ||
| import org.restheart.exchange.UnsupportedDocumentIdException; | ||
|
|
||
| import io.undertow.server.HttpServerExchange; | ||
|
|
||
| /** | ||
| * | ||
| * @author Andrea Di Cesare {@literal <[email protected]>} | ||
| */ | ||
| public class URLUtils { | ||
|
|
||
| protected URLUtils() { | ||
| // protected constructor to hide the implicit public one | ||
| } | ||
|
|
||
| /** | ||
| * given string /ciao/this/has/trailings///// returns | ||
| * /ciao/this/has/trailings | ||
| * | ||
| * @param s | ||
| * @return the string s without the trailing slashes | ||
| */ | ||
| static public String removeTrailingSlashes(String s) { | ||
| public static String removeTrailingSlashes(String s) { | ||
| if (s == null) { | ||
| return null; | ||
| } | ||
|
|
@@ -63,7 +69,7 @@ static public String removeTrailingSlashes(String s) { | |
| * @param qs | ||
| * @return the undecoded string | ||
| */ | ||
| static public String decodeQueryString(String qs) { | ||
| public static String decodeQueryString(String qs) { | ||
| try { | ||
| return URLDecoder.decode(qs.replace("+", "%2B"), "UTF-8").replace("%2B", "+"); | ||
| } catch (UnsupportedEncodingException ex) { | ||
|
|
@@ -76,7 +82,7 @@ static public String decodeQueryString(String qs) { | |
| * @param path | ||
| * @return the parent path of path | ||
| */ | ||
| static public String getParentPath(String path) { | ||
| public static String getParentPath(String path) { | ||
| if (path == null || path.isEmpty() || path.equals("/")) { | ||
| return path; | ||
| } | ||
|
|
@@ -97,7 +103,7 @@ static public String getParentPath(String path) { | |
| * @param exchange | ||
| * @return the prefix url of the exchange | ||
| */ | ||
| static public String getPrefixUrl(HttpServerExchange exchange) { | ||
| public static String getPrefixUrl(HttpServerExchange exchange) { | ||
| return exchange.getRequestURL().replaceAll(exchange.getRelativePath(), ""); | ||
| } | ||
|
|
||
|
|
@@ -119,8 +125,8 @@ public static String getQueryStringRemovingParams(HttpServerExchange exchange, S | |
|
|
||
| if (values != null) { | ||
| for (String value : values) { | ||
| ret = ret.replaceAll(key + "=" + value + "&", ""); | ||
| ret = ret.replaceAll(key + "=" + value + "$", ""); | ||
| ret = ret.replaceAll(Pattern.quote(key + "=" + value + "&"), ""); | ||
| ret = ret.replaceAll(Pattern.quote(key + "=" + value + "$"), ""); | ||
| } | ||
| } | ||
| } | ||
|
|
||