From 210d00d31f82748044a84983df6adcb6076adb5c Mon Sep 17 00:00:00 2001
From: Maurizio Turatti
Date: Mon, 26 Aug 2024 11:28:34 +0200
Subject: [PATCH] Fix regular expression injection: Unsanitized input from an HTTP parameter flows into replaceAll
---
 .../java/org/restheart/utils/URLUtils.java | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/commons/src/main/java/org/restheart/utils/URLUtils.java b/commons/src/main/java/org/restheart/utils/URLUtils.java
index 4ece7685e..490d461b5 100644
--- a/commons/src/main/java/org/restheart/utils/URLUtils.java
+++ b/commons/src/main/java/org/restheart/utils/URLUtils.java
@@ -19,19 +19,25 @@
 */
 package org.restheart.utils;
-import io.undertow.server.HttpServerExchange;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
+import java.util.regex.Pattern;
 import org.bson.BsonValue;
 import org.restheart.exchange.UnsupportedDocumentIdException;
+import io.undertow.server.HttpServerExchange;
+
 /**
 *
 * @author Andrea Di Cesare {@literal }
 */
 public class URLUtils {
+ protected URLUtils() {
+ // protected constructor to hide the implicit public one
+ }
+
 /**
 * given string /ciao/this/has/trailings///// returns
 * /ciao/this/has/trailings
@@ -39,7 +45,7 @@ public class URLUtils {
 * @param s
 * @return the string s without the trailing slashes
 */
- static public String removeTrailingSlashes(String s) {
+ public static String removeTrailingSlashes(String s) {
 if (s == null) {
 return null;
 }
@@ -63,7 +69,7 @@ static public String removeTrailingSlashes(String s) {
 * @param qs
 * @return the undecoded string
 */
- static public String decodeQueryString(String qs) {
+ public static String decodeQueryString(String qs) {
 try {
 return URLDecoder.decode(qs.replace("+", "%2B"), "UTF-8").replace("%2B", "+");
 } catch (UnsupportedEncodingException ex) {
@@ -76,7 +82,7 @@ static public String decodeQueryString(String qs) {
 * @param path
 * @return the parent path of path
 */
- static public String getParentPath(String path) {
+ public static String getParentPath(String path) {
 if (path == null || path.isEmpty() || path.equals("/")) {
 return path;
 }
@@ -97,7 +103,7 @@ static public String getParentPath(String path) {
 * @param exchange
 * @return the prefix url of the exchange
 */
- static public String getPrefixUrl(HttpServerExchange exchange) {
+ public static String getPrefixUrl(HttpServerExchange exchange) {
 return exchange.getRequestURL().replaceAll(exchange.getRelativePath(), "");
 }
@@ -119,8 +125,8 @@ public static String getQueryStringRemovingParams(HttpServerExchange exchange, S
 if (values != null) {
 for (String value : values) {
- ret = ret.replaceAll(key + "=" + value + "&", "");
- ret = ret.replaceAll(key + "=" + value + "$", "");
+ ret = ret.replaceAll(Pattern.quote(key + "=" + value + "&"), "");
+ ret = ret.replaceAll(Pattern.quote(key + "=" + value + "$"), "");
 }
 }
 }
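Review bot: `getPrefixUrl` still hands `exchange.getRelativePath()` to `String.replaceAll` as a regular expression, which is the same unsanitized-input-into-replaceAll pattern this commit fixes in `getQueryStringRemovingParams` but leaves in place here; a request path containing regex metacharacters is interpreted rather than matched literally, and a malformed one raises `PatternSyntaxException` out of the helper. No pattern semantics are wanted, so a literal replacement is the simplest fix: `return exchange.getRequestURL().replace(exchange.getRelativePath(), "");` (or `replaceAll(Pattern.quote(exchange.getRelativePath()), "")` if the regex form is preferred, since `Pattern` is now imported). Both forms remove every occurrence rather than only the trailing one, so if the prefix could itself contain the relative path the method should strip a trailing match instead; that is presumably not the common case but is worth a comment on the method.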
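Review bot: The second replacement in the loop now quotes the `$` together with the parameter text, so `Pattern.quote(key + "=" + value + "$")` matches a literal dollar sign instead of end-of-string, and a trailing `key=value` (one with no `&` after it) is no longer removed from the query string, whereas the removed line used `$` as the end anchor. Keep the anchor outside the quoted part: `ret = ret.replaceAll(Pattern.quote(key + "=" + value) + "$", "");`. The first replacement needs no regex at all and could be the plain literal `ret = ret.replace(key + "=" + value + "&", "");`. The enclosing method `getQueryStringRemovingParams` starts outside the hunk, so how `ret`, `key` and `values` are populated, and whether `value` is compared against the raw or the decoded query string, is not visible here and should be confirmed when adjusting the match.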