
Security: Missing input validation for repository names and URLs #3

@sfloess


Security Issue - HIGH Priority

Description

The NexusClient and Credentials classes do not validate or sanitize repository names and URLs before constructing HTTP requests. This could lead to URL injection attacks or malformed requests.

Locations

  1. src/main/java/org/flossware/jnexus/NexusClient.java lines 157-163
  2. src/main/java/org/flossware/jnexus/Credentials.java line 156

Evidence

// No validation of repository parameter
String url = baseUrl + "/service/rest/v1/components?repository=" + repository;

// No URL format validation
if (url == null || url.isBlank()) {
    throw new IllegalStateException("Nexus URL not configured...");
}

Security Impact

  • Potential for URL injection attacks
  • Malformed URLs could cause unexpected behavior
  • No sanitization of user input before HTTP requests
  • Could expose internal network information

Attack Scenarios

  1. Repository name with special characters: repo&malicious=param
  2. Repository name with path traversal: ../../admin
  3. Invalid URL formats leading to crashes or information disclosure

Recommendations

  1. Validate repository names against allowed character set (alphanumeric, dash, underscore)
  2. Validate URL format using URI parsing
  3. URL-encode repository names before concatenation
  4. Add input sanitization at service layer
  5. Reject URLs with suspicious patterns

Implementation

import java.net.URI;
import java.net.URISyntaxException;

// Allow-list check: only alphanumerics, dash and underscore are accepted
private void validateRepository(String repository) {
    if (repository == null || repository.isBlank()) {
        throw new IllegalArgumentException("Repository cannot be null or blank");
    }
    if (!repository.matches("[a-zA-Z0-9_-]+")) {
        throw new IllegalArgumentException("Repository contains invalid characters");
    }
}

// Parse first, then check the scheme outside the try block: if the scheme
// check sat inside it, its IllegalArgumentException would be caught and
// re-reported as "Invalid URL format". getScheme() is null for relative
// references, so guard against that before calling equals().
private void validateUrl(String url) {
    if (url == null || url.isBlank()) {
        throw new IllegalArgumentException("URL cannot be null or blank");
    }
    URI uri;
    try {
        uri = new URI(url);
    } catch (URISyntaxException e) {
        throw new IllegalArgumentException("Invalid URL format", e);
    }
    String scheme = uri.getScheme();
    if (scheme == null || !(scheme.equals("https") || scheme.equals("http"))) {
        throw new IllegalArgumentException("URL must use HTTP or HTTPS");
    }
}
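The recommendations above (allow-list the repository name, parse the URL, URL-encode before concatenation) fit naturally in one request-building class. The following is an added example, not code from the jnexus project: the class name NexusRequestBuilder, its method names and the host nexus.example.test are illustrative. It builds the same components URL that the evidence shows, but only after the base URL has been parsed and checked and the repository name has passed the allow-list and been encoded as a query value, so the two attack-scenario inputs from this issue never reach an HTTP request.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example; NexusRequestBuilder and its methods are hypothetical names,
// not part of the jnexus code base.
public final class NexusRequestBuilder {

    // Allowed character set from recommendation 1: alphanumerics, dash, underscore.
    private static final Pattern REPOSITORY_NAME = Pattern.compile("[A-Za-z0-9_-]+");

    private final URI baseUrl;

    public NexusRequestBuilder(String baseUrl) {
        this.baseUrl = validateBaseUrl(baseUrl);
    }

    /** Parses the configured base URL and rejects anything that is not an absolute http(s) URL with a host. */
    static URI validateBaseUrl(String url) {
        if (url == null || url.isBlank()) {
            throw new IllegalStateException("Nexus URL not configured");
        }
        final URI uri;
        try {
            uri = new URI(url);  // checked URISyntaxException instead of URI.create's unchecked one
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Invalid URL format: " + url, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("URL must use http or https");
        }
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("URL must include a host");
        }
        // A base URL that already carries a query or fragment would let the
        // "?repository=" suffix land somewhere other than the query string.
        if (uri.getRawQuery() != null || uri.getRawFragment() != null) {
            throw new IllegalArgumentException("Base URL must not carry a query or fragment");
        }
        return uri;
    }

    /** Allow-list check for repository names; fails closed on null, blank or unexpected characters. */
    static String validateRepository(String repository) {
        if (repository == null || repository.isBlank()) {
            throw new IllegalArgumentException("Repository cannot be null or blank");
        }
        if (!REPOSITORY_NAME.matcher(repository).matches()) {
            throw new IllegalArgumentException("Repository contains invalid characters");
        }
        return repository;
    }

    /** Builds the components URL; the name is validated and then encoded as a query value. */
    public URI componentsUrl(String repository) {
        String safeName = URLEncoder.encode(validateRepository(repository), StandardCharsets.UTF_8);
        String base = baseUrl.toString();
        if (base.endsWith("/")) {
            base = base.substring(0, base.length() - 1);
        }
        return URI.create(base + "/service/rest/v1/components?repository=" + safeName);
    }

    public static void main(String[] args) {
        NexusRequestBuilder b = new NexusRequestBuilder("https://nexus.example.test");
        System.out.println(b.componentsUrl("maven-releases"));
        // The inputs from the attack scenarios are rejected before any URL is built.
        for (String bad : new String[] {"repo&malicious=param", "../../admin", ""}) {
            try {
                b.componentsUrl(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected \"" + bad + "\": " + e.getMessage());
            }
        }
        try {
            new NexusRequestBuilder("ftp://nexus.example.test");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected base URL: " + e.getMessage());
        }
    }
}
```

The allow-list check and the encoding are deliberately both kept: the regex is the security control, and URLEncoder is defence in depth in case the allowed set is widened later. Validating the base URL once in the constructor, rather than on every request, keeps a misconfigured URL from being discovered only at the first call.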
