[ https://issues.apache.org/jira/browse/SLING-13162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-13162:
-------------------------------------
    Description: 
h2. Maia Finding

- Report: Code Quality
- Severity: High
- Location: `src/main/java/org/apache/sling/api/uri/SlingUriBuilder.java:85`
- Report generated: 2026-04-04T13:16:04.601Z
- Model: claude-sonnet-4.6

h2. Description
h3. The regex constant PATH_PARAMETERS_REGEX contains a typo: '[a-zA-z0-9]' 
uses a lowercase 'z' instead of uppercase 'Z'. The range 'A-z' in a character 
class spans ASCII 65–122, inadvertently matching six non-alphanumeric 
characters ([ \ ] ^ _ `) between 'Z' (90) and 'a' (97). This means path 
parameter keys containing those characters are silently accepted, potentially 
leading to unexpected parsing behaviour.

h2. Recommendation
Change 'A-z' to 'A-Z' in PATH_PARAMETERS_REGEX: 
";([a-zA-Z0-9]+)=(?:\'([^']*)\'|([^/]+))". Add a unit test that asserts keys 
with characters such as '[' or '\' are rejected.

  was:
## Maia Finding

- Report: Code Quality
- Severity: High
- Location: `src/main/java/org/apache/sling/api/uri/SlingUriBuilder.java:85`
- Report generated: 2026-04-04T13:16:04.601Z
- Model: claude-sonnet-4.6

### Description
The regex constant PATH_PARAMETERS_REGEX contains a typo: '[a-zA-z0-9]' uses a 
lowercase 'z' instead of uppercase 'Z'. The range 'A-z' in a character class 
spans ASCII 65–122, inadvertently matching six non-alphanumeric characters ([ \ 
] ^ _ `) between 'Z' (90) and 'a' (97). This means path parameter keys 
containing those characters are silently accepted, potentially leading to 
unexpected parsing behaviour.

### Recommendation
Change 'A-z' to 'A-Z' in PATH_PARAMETERS_REGEX: 
";([a-zA-Z0-9]+)=(?:\'([^']*)\'|([^/]+))". Add a unit test that asserts keys 
with characters such as '[' or '\' are rejected.


> [Code Quality] High: The regex constant PATH_PARAMETERS_REGEX contains a 
> typo: '[a-zA-z0-9]' uses a lowercase 'z' instead of uppercase 'Z'. The range 
> 'A-z' in a character class spans ASCII 65–122, inadvertently matching six 
> non-alphanumeric characters...
> ------------------------------------------------------------
>
>                 Key: SLING-13162
>                 URL: https://issues.apache.org/jira/browse/SLING-13162
>             Project: Sling
>          Issue Type: Task
>          Components: API
>            Reporter: Carsten Ziegeler
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
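Illustration added here, not code from the Sling project (Python rather than Java, since character-class range semantics are identical): the typo'd and corrected PATH_PARAMETERS_REGEX from the finding run against a constructed sample path, showing which non-alphanumeric keys the 'A-z' range lets through and how the corrected class skips them.

```python
import re

# Added example, not code from Apache Sling: the key character class from the
# finding, embedded in the full PATH_PARAMETERS_REGEX quoted in the
# recommendation. Java's "\'" string escapes resolve to plain quotes here.
BUGGY_PATTERN = re.compile(r";([a-zA-z0-9]+)=(?:'([^']*)'|([^/]+))")  # A-z: typo
FIXED_PATTERN = re.compile(r";([a-zA-Z0-9]+)=(?:'([^']*)'|([^/]+))")  # A-Z: fixed

# Constructed sample path: a quoted value, a key containing '_', a bare value.
SAMPLE_PATH = "/content/page;v='1.0';foo_bar='x';id=42"


def stray_key_characters(pattern):
    """Return the single characters between 'Z' (90) and 'a' (97) that the
    pattern accepts as a complete path-parameter key."""
    return [chr(c) for c in range(ord("Z") + 1, ord("a"))
            if pattern.fullmatch(f";{chr(c)}=1")]


def parse_path_parameters(path, pattern=FIXED_PATTERN):
    """Collect {key: value} for every ';key=value' or ";key='value'" group
    the pattern finds in path; groups whose key the class rejects are skipped."""
    params = {}
    for match in pattern.finditer(path):
        key, quoted, bare = match.groups()
        params[key] = quoted if quoted is not None else bare
    return params


if __name__ == "__main__":
    print("buggy accepts:", stray_key_characters(BUGGY_PATTERN))  # ['[', '\\', ']', '^', '_', '`']
    print("fixed accepts:", stray_key_characters(FIXED_PATTERN))  # []
    print("buggy parse:", parse_path_parameters(SAMPLE_PATH, BUGGY_PATTERN))
    print("fixed parse:", parse_path_parameters(SAMPLE_PATH))
```

The second assertion pair is the unit test the recommendation asks for: with the fix, `foo_bar` is no longer accepted as a key and the parameter is dropped rather than silently parsed.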
