rombert commented on a change in pull request #11: URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#discussion_r570228650
########## File path: src/main/java/org/apache/sling/engine/impl/request/RequestData.java ########## @@ -563,6 +570,21 @@ public static void service(SlingHttpServletRequest request, } } + protected static boolean isValidRequest(String path){ + boolean isValidRequest = true; + if(path.contains("...")){ //invalid request + isValidRequest = false; + }else { + List<String> pathSplits = Arrays.asList(path.split(VALID_REQUEST_REGEX)); Review comment: This seems like a lot of work for a simple path check. I don't have data, but if we're running this for each request then we should be careful not to introduce performance regressions. IIUC the logic is 'two dots are valid if preceded by a slash', right? I guess you could use a combination of `String.indexOf(str)` and `String.indexOf(str, index)` to get all double dots and check if they have a leading slash character. ########## File path: src/main/java/org/apache/sling/engine/impl/request/RequestData.java ########## @@ -522,7 +529,7 @@ public static void service(SlingHttpServletRequest request, RequestData requestData = RequestData.getRequestData(request); Servlet servlet = requestData.getContentData().getServlet(); - if (servlet == null) { + if (servlet == null || !isValidRequest(request.getPathInfo())) { Review comment: nit: whitespace change seems unneeded. ########## File path: src/test/java/org/apache/sling/engine/impl/request/RequestDataTest.java ########## 
@@ -129,4 +129,23 @@ public void testTooManyCallsOverride() throws Exception { }}); assertTooManyCallsException(2); } + + @Test + public void testConsecutiveDots() { + //HttpRequest with consecutive dots + boolean isValid = RequestData.isValidRequest("/path/content../test"); Review comment: Since this is a simple utility method please use a test method for each scenario.
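Review bot: `isValidRequest(String path)` dereferences its argument on the first line via `path.contains("...")`, but the only caller in this patch passes `request.getPathInfo()`, which the Servlet API defines as returning null when the request carries no extra path information, so a request without path info would throw a NullPointerException instead of getting a verdict. Add a guard at the top of the method, e.g. `if (path == null) { return true; }` (or `false`, whichever policy is intended), and state the choice in a comment. Note also that `path.contains("...")` only rejects runs of three or more dots; the two-dot case is left entirely to the split on `VALID_REQUEST_REGEX`, whose definition is not in this hunk, so a one-line comment spelling out the exact rule the method enforces would make both the review and the tests easier.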
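Review bot: the combined condition `servlet == null || !isValidRequest(request.getPathInfo())` folds a malformed path into the same branch as "no servlet found", so whatever that branch does (status code, log message) no longer lets an operator tell a bad request apart from a missing resource. If the intent is to reject malformed paths, a separate branch that returns a client-error status and logs the offending path would be clearer. The check also runs only after `requestData.getContentData().getServlet()` has already been evaluated, so validating the path before that lookup would avoid doing work for a request that is about to be rejected anyway.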
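Review bot: the visible lines of `testConsecutiveDots()` store the result of `RequestData.isValidRequest("/path/content../test")` in `isValid` but the hunk cuts off before any assertion, so make sure the method ends with `assertFalse(isValid)` rather than only computing the value. If the rule rombert describes holds (two dots are valid when preceded by a slash), a sibling test for `"/path/../test"` expecting `true`, plus one for a null path, would pin down both sides of the boundary instead of only the rejecting case.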