A URI with non-alpha characters in its scheme is not sanitized #27482
Conversation
As described in RFC2396 (https://datatracker.ietf.org/doc/html/rfc2396#section-3.1)
|
@billyto Please sign the Contributor License Agreement! Click here to manually synchronize the status of this Pull Request. See the FAQ for frequently asked questions. |
|
@billyto Thank you for signing the Contributor License Agreement! |
spring-projects-issues
added
the
status: waiting-for-triage
There was a problem hiding this comment.
Thanks very much for the pull request, @billyto. I left one comment regarding the updated regex. Could you please take a look when you have a moment?
| @@ -50,7 +50,7 @@ | |||
| private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>( | |||
| Arrays.asList("uri", "uris", "url", "urls", "address", "addresses")); | |||
|
|
|||
| private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("\\[?[A-Za-z]+://.+:(.*)@.+$"); | |||
| private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("^[A-Za-z][\\w\\+\\.\\-]+://.+:(.*)@.+$"); | |||
There was a problem hiding this comment.
\w includes _ which I don't think is correct here. Should it be A-Za-z0-9 instead?
There was a problem hiding this comment.
You are totally correct, good catch! Let me fix it in a couple of hours when getting back home.
wilkinsona
added
the
status: waiting-for-feedback
as \w includes underscore character "_"
wilkinsona
changed the title
wilkinsona
added
type: bug
|
Thanks very much for making your first contribution to Spring Boot, @billyto. |
The Sanitizer.java class infers that the scheme portion of a URI can only contain letters, but as described in RFC2396 it can follow:
scheme = alpha *( alpha | digit | "+" | "-" | "." )We have a use case where a valid URI with the scheme
mongodb+sr, won't get the password token sanitized due to the current regex pattern.