[
https://issues.apache.org/jira/browse/SLING-13162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18073401#comment-18073401
]
Carsten Ziegeler commented on SLING-13162:
------------------------------------------
[~ghenzler] Is this a typo or done on purpose to include the extra characters?
> [Code Quality] High: The regex constant PATH_PARAMETERS_REGEX contains a typo
> -----------------------------------------------------------------------------
>
> Key: SLING-13162
> URL: https://issues.apache.org/jira/browse/SLING-13162
> Project: Sling
> Issue Type: Task
> Components: API
> Reporter: Carsten Ziegeler
> Priority: Major
>
> h2. Maia Finding
> - Report: Code Quality
> - Severity: High
> - Location: `src/main/java/org/apache/sling/api/uri/SlingUriBuilder.java:85`
> - Report generated: 2026-04-04T13:16:04.601Z
> - Model: claude-sonnet-4.6
> h2. Description
> The regex constant PATH_PARAMETERS_REGEX contains a typo: '[a-zA-z0-9]' uses
> a lowercase 'z' instead of uppercase 'Z'. The range 'A-z' in a character
> class spans ASCII 65–122, inadvertently matching six non-alphanumeric
> characters ([ \ ] ^ _ `) between 'Z' (90) and 'a' (97). This means path
> parameter keys containing those characters are silently accepted, potentially
> leading to unexpected parsing behaviour.
> h2. Recommendation
> Change 'A-z' to 'A-Z' in PATH_PARAMETERS_REGEX:
> ";([a-zA-Z0-9]+)=(?:\'([^']*)\'|([^/]+))". Add a unit test that asserts keys
> with characters such as '[' or '\' are rejected.
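The difference between the two character classes in the finding above, as an added Java example (not Sling's code or its test suite). The pattern with the typo is reconstructed by substituting 'A-z' into the recommended pattern, the class name and sample paths are constructed, and because the page does not show how SlingUriBuilder applies the pattern, the example only uses Matcher.find() to list the keys each pattern extracts.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PathParameterKeyCheck {
    // Reconstructed: the recommended pattern with the 'A-z' range described in the finding.
    static final Pattern TYPO = Pattern.compile(";([a-zA-z0-9]+)=(?:\'([^']*)\'|([^/]+))");
    // The pattern given in the Recommendation.
    static final Pattern FIXED = Pattern.compile(";([a-zA-Z0-9]+)=(?:\'([^']*)\'|([^/]+))");

    // Collect every path parameter key (capture group 1) the pattern finds in the path.
    static List<String> keys(Pattern pattern, String path) {
        List<String> found = new ArrayList<>();
        Matcher m = pattern.matcher(path);
        while (m.find()) {
            found.add(m.group(1));
        }
        return found;
    }

    // ASCII characters accepted by the key class with 'A-z' but not with 'A-Z'.
    static String extraKeyChars() {
        Pattern typoClass = Pattern.compile("[a-zA-z0-9]");
        Pattern fixedClass = Pattern.compile("[a-zA-Z0-9]");
        StringBuilder extra = new StringBuilder();
        for (char c = 0; c < 128; c++) {
            String s = String.valueOf(c);
            if (typoClass.matcher(s).matches() && !fixedClass.matcher(s).matches()) {
                extra.append(c);
            }
        }
        return extra.toString();
    }

    public static void main(String[] args) {
        System.out.println("extra key characters: " + extraKeyChars());
        // Constructed sample paths: one plain key, then keys using '_', '[', ']', '\' and '^'.
        String[] samples = {
            "/content/page;v=1.0/x", "/content/page;a_b=1/x", "/content/page;k[0]=1/x",
            "/content/page;a\\b='q'/x", "/content/page;a^b=1"
        };
        for (String path : samples) {
            System.out.println(path + "  A-z keys=" + keys(TYPO, path)
                    + "  A-Z keys=" + keys(FIXED, path));
        }
    }
}
```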