Carsten Ziegeler created SLING-13162:
----------------------------------------
Summary: [Code Quality] High: The regex constant
PATH_PARAMETERS_REGEX contains a typo: '[a-zA-z0-9]' uses a lowercase 'z'
instead of uppercase 'Z'. The range 'A-z' in a character class spans ASCII
65–122, inadvertently matching six non-alphanumeric characters...
Key: SLING-13162
URL: https://issues.apache.org/jira/browse/SLING-13162
Project: Sling
Issue Type: Task
Components: API
Reporter: Carsten Ziegeler
## Maia Finding
- Report: Code Quality
- Severity: High
- Location: `src/main/java/org/apache/sling/api/uri/SlingUriBuilder.java:85`
- Report generated: 2026-04-04T13:16:04.601Z
- Model: claude-sonnet-4.6
### Description
The regex constant PATH_PARAMETERS_REGEX contains a typo: '[a-zA-z0-9]' uses a
lowercase 'z' instead of uppercase 'Z'. The range 'A-z' in a character class
spans ASCII 65–122, inadvertently matching six non-alphanumeric characters
([ \ ] ^ _ `) between 'Z' (90) and 'a' (97). This means path parameter keys
containing those characters are silently accepted, potentially leading to
unexpected parsing behaviour.
### Recommendation
Change 'A-z' to 'A-Z' in PATH_PARAMETERS_REGEX:
";([a-zA-Z0-9]+)=(?:\'([^']*)\'|([^/]+))". Add a unit test that asserts keys
with characters such as '[' or '\' are rejected.
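
A standalone check of the recommendation, added here as an example and not taken from the Sling code base: it runs the character class as described in the finding and the corrected one over constructed inputs. The class name, the helper `key` and the sample strings are hypothetical, and the flawed pattern is assumed to be the recommended pattern with `A-Z` changed back to `A-z`.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PathParameterKeyCheck {
    // Assumption: the pattern as described in the finding (range A-z).
    static final Pattern FLAWED =
            Pattern.compile(";([a-zA-z0-9]+)=(?:\'([^']*)\'|([^/]+))");
    // Pattern from the recommendation (range A-Z).
    static final Pattern FIXED =
            Pattern.compile(";([a-zA-Z0-9]+)=(?:\'([^']*)\'|([^/]+))");

    /** Returns the captured key, or null when no path parameter is found. */
    static String key(Pattern p, String input) {
        Matcher m = p.matcher(input);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed inputs: two ordinary parameters, then one key for each
        // of the six characters that sit between 'Z' and 'a' in ASCII.
        String[] samples = {
            ";v=1.0", ";key='a b'",
            ";a[0=x", ";a\\b=x", ";a]b=x", ";a^b=x", ";k_1=x", ";a`b=x"
        };
        for (String s : samples) {
            System.out.printf("%-12s flawed=%-6s fixed=%s%n",
                    s, key(FLAWED, s), key(FIXED, s));
        }

        // Enumerate what A-z accepts beyond the letters, to confirm the set.
        StringBuilder extra = new StringBuilder();
        for (char c = 'A'; c <= 'z'; c++) {
            String ch = String.valueOf(c);
            if (ch.matches("[A-z]") && !ch.matches("[A-Za-z]")) {
                extra.append(c);
            }
        }
        System.out.println("accepted only by A-z: " + extra);
    }
}
```

The underscore is one of the six characters, so a key such as `k_1` that the flawed pattern accepts no longer matches after the change. Check existing callers for such keys before tightening the class.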