From a73f0bea5cd225c2901dc6a2cf2a4a0c9e007fec Mon Sep 17 00:00:00 2001
From: Markus Hintersteiner
Date: Fri, 10 Nov 2023 08:02:00 +0100
Subject: [PATCH] Ensure DSN uses http/https protocol (#3044)
Co-authored-by: Roman Zavarnitsyn
---
 CHANGELOG.md | 4 ++++
 sentry/src/main/java/io/sentry/Dsn.java | 15 +++++++--------
 sentry/src/test/java/io/sentry/DsnTest.kt | 15 +++++++++++++++
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ead93ea646..296b80c8ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 ## Unreleased
+### Fixes
+
+- Ensure DSN uses http/https protocol ([#3044](https://github.com/getsentry/sentry-java/pull/3044))
+
 ### Features
 - Add current activity name to app context ([#2999](https://github.com/getsentry/sentry-java/pull/2999))
diff --git a/sentry/src/main/java/io/sentry/Dsn.java b/sentry/src/main/java/io/sentry/Dsn.java
index abb1513841..836e2c5546 100644
--- a/sentry/src/main/java/io/sentry/Dsn.java
+++ b/sentry/src/main/java/io/sentry/Dsn.java
@@ -51,7 +51,12 @@ URI getSentryUri() {
 Dsn(@Nullable String dsn) throws IllegalArgumentException {
 try {
 Objects.requireNonNull(dsn, "The DSN is required.");
- URI uri = new URI(dsn).normalize();
+ final URI uri = new URI(dsn).normalize();
+ final String scheme = uri.getScheme();
+ if (!("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme))) {
+ throw new IllegalArgumentException("Invalid DSN scheme: " + scheme);
+ }
+
 String userInfo = uri.getUserInfo();
 if (userInfo == null || userInfo.isEmpty()) {
 throw new IllegalArgumentException("Invalid DSN: No public key provided.");
@@ -78,13 +83,7 @@ URI getSentryUri() {
 }
 sentryUri = new URI(
- uri.getScheme(),
- null,
- uri.getHost(),
- uri.getPort(),
- path + "api/" + projectId,
- null,
- null);
+ scheme, null, uri.getHost(), uri.getPort(), path + "api/" + projectId, null, null);
 } catch (Throwable e) {
 throw new IllegalArgumentException(e);
 }
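Review bot: The scheme check added in the first Dsn.java hunk accepts plain `http` on equal footing with `https`, and nothing at the check says that this is deliberate. DsnTest pins `http` as accepted, so the behaviour looks intended, but traffic to the resulting `sentryUri` is then unencrypted. I would add a comment above the `if`, for example `// http stays allowed on purpose (see DsnTest); traffic to sentryUri is cleartext in that case, so prefer https wherever the endpoint supports it`. The constructor body starts before this hunk and continues past it.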
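Review bot: The `catch (Throwable e)` in the context lines of the second Dsn.java hunk rewraps every failure as `new IllegalArgumentException(e)`, and for a `URISyntaxException` raised by `new URI(dsn)` the wrapped message contains the full input string. A malformed DSN of the `publicKey:secretKey@host` form used in DsnTest would therefore show up, key included, in the exception text and in any log that prints it. Handling that case ahead of the existing catch keeps the key out: `} catch (URISyntaxException e) { throw new IllegalArgumentException("Invalid DSN: " + e.getReason()); }`. This needs `java.net.URISyntaxException` in the import list, which is outside the hunk, as is the start of the constructor.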
diff --git a/sentry/src/test/java/io/sentry/DsnTest.kt b/sentry/src/test/java/io/sentry/DsnTest.kt
index 5819d700d1..cdd9daa493 100644
--- a/sentry/src/test/java/io/sentry/DsnTest.kt
+++ b/sentry/src/test/java/io/sentry/DsnTest.kt
@@ -80,4 +80,19 @@ class DsnTest {
 val dsn = Dsn("http://key@host//id")
 assertEquals("http://host/api/id", dsn.sentryUri.toURL().toString())
 }
+
+ @Test
+ fun `non http protocols are not accepted`() {
+ assertFailsWith { Dsn("ftp://publicKey:secretKey@host/path/id") }
+ assertFailsWith { Dsn("jar://publicKey:secretKey@host/path/id") }
+ }
+
+ @Test
+ fun `both http and https protocols are accepted`() {
+ Dsn("http://publicKey:secretKey@host/path/id")
+ Dsn("https://publicKey:secretKey@host/path/id")
+
+ Dsn("HTTP://publicKey:secretKey@host/path/id")
+ Dsn("HTTPS://publicKey:secretKey@host/path/id")
+ }
 }
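Review bot: The rejection test covers `ftp` and `jar` but not a DSN with no scheme at all, which is the case where `uri.getScheme()` returns null and the new check relies on `equalsIgnoreCase(null)` being false. A case written like the two existing assertions, for example `assertFailsWith { Dsn("//publicKey:secretKey@host/path/id") }`, would pin that branch. The accepted-scheme test only checks that construction does not throw; asserting on `sentryUri` for one of the upper-case inputs would also show what scheme ends up in the outgoing URI.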