Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve URI/query strings sanitization #26012

Merged
merged 1 commit into from
Nov 4, 2020
Merged

Improve URI/query strings sanitization #26012

merged 1 commit into from
Nov 4, 2020

Conversation

stsypanov
Copy link
Contributor

Use StringBuilder.deleteCharAt(int) and StringBuilder.delete(int, int) to handle sanitization more effectively

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Nov 2, 2020
@jhoeller jhoeller self-assigned this Nov 2, 2020
@jhoeller jhoeller added in: data Issues in data modules (jdbc, orm, oxm, tx) in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Nov 2, 2020
@jhoeller jhoeller added this to the 5.3.1 milestone Nov 2, 2020
@stsypanov stsypanov force-pushed the use-sb branch 2 times, most recently from 146f783 to 85131d2 Compare November 2, 2020 14:33
rstoyanchev
rstoyanchev reviewed Nov 3, 2020
View reviewed changes
Copy link
Contributor

@rstoyanchev rstoyanchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine as far as I UriComponentsBuilder and UrlPathHelper are concerned.

Very minor, I would say getSanitizedPath and doubleToSingleSlash can be combined into one method. Also the same identical method could be created in UriComponentsBuilder. When there is identical logic it's useful to make it look as identical as possible.

@stsypanov
Copy link
Contributor Author

@rstoyanchev done.

I've also measured performance impact with simple benchmark

@BenchmarkMode(Mode.AverageTime)
@OutputTimeUnit(TimeUnit.NANOSECONDS)
@Fork(jvmArgsAppend = {"-Xms2g", "-Xmx2g"})
public class DropDoubleSlashBenchmark {

  @Benchmark
  public String ineffective(Data data) {
    String path = data.path;
    while (true) {
      int index = path.indexOf("//");
      if (index == -1) {
        break;
      }
      path = path.substring(0, index) + path.substring(index + 1);
    }
    return path;
  }

  @Benchmark
  public String effective(Data data) {
    StringBuilder path = new StringBuilder(data.path);
    while (true) {
      int index = path.indexOf("//");
      if (index == -1) {
        break;
      }
      path.deleteCharAt(index);
    }
    return path.toString();
  }

  @State(Scope.Thread)
  public static class Data {
    private final String path = "/home/" + "/path";
  }
}

and got the following results on my machine

JDK 8

effective                          avgt    47.882 ±   1.801   ns/op
ineffective                        avgt    51.620 ±   0.907   ns/op
effective:·gc.alloc.rate.norm      avgt   136.000 ±   0.001    B/op
ineffective:·gc.alloc.rate.norm    avgt   224.000 ±   0.001    B/op

JDK 11

effective                          avgt    33.949 ±   0.188   ns/op
ineffective                        avgt    47.735 ±   0.519   ns/op
effective:·gc.alloc.rate.norm      avgt   104.000 ±   0.001    B/op
ineffective:·gc.alloc.rate.norm    avgt   152.000 ±   0.001    B/op

On longer strings I think we'll have even better improvement.

rstoyanchev
rstoyanchev approved these changes Nov 3, 2020
View reviewed changes
Copy link
Contributor

@rstoyanchev rstoyanchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@jhoeller jhoeller merged commit 0015fd6 into spring-projects:master Nov 4, 2020
@stsypanov stsypanov deleted the use-sb branch November 4, 2020 15:32
jhoeller added a commit that referenced this pull request Nov 4, 2020
@jhoeller
Restore removal of trailing semicolon content
990a9c7 
See gh-26012
@jhoeller jhoeller mentioned this pull request Nov 9, 2020
Merged
@sync-by-unito sync-by-unito bot mentioned this pull request Nov 11, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rstoyanchev rstoyanchev rstoyanchev approved these changes

@jhoeller jhoeller Awaiting requested review from jhoeller

Assignees

@jhoeller jhoeller

Labels
in: data Issues in data modules (jdbc, orm, oxm, tx) in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Projects
None yet
Milestone
5.3.1
Development

Successfully merging this pull request may close these issues.
4 participants
@stsypanov @rstoyanchev @jhoeller @spring-projects-issues