Skip to content

Fix RequestValidator URL encoding preservation during port manipulation #901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Fix RequestValidator URL encoding preservation during port manipulation #901

wants to merge 3 commits into from

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Sep 18, 2025
edited
Loading

The RequestValidator.validate method was incorrectly decoding URL-encoded characters when manipulating ports, causing validation failures for URLs with encoded query parameters, paths, or user info.

Problem

When validating URLs with ports, the updatePort method was using decoded URI components (getPath(), getQuery(), getFragment(), getUserInfo()), which automatically decoded URL-encoded characters. This caused URLs like:

https://someurl.com:443/somepath?param1=client%3AAnonymous

to be incorrectly converted to:

https://someurl.com/somepath?param1=client:Anonymous

This resulted in different signature validation for equivalent URLs with and without explicit ports.

Solution

Updated the updatePort method to use raw URI components that preserve original encoding:

  • getUserInfo()getRawUserInfo()
  • getPath()getRawPath()
  • getQuery()getRawQuery()
  • getFragment()getRawFragment()

The method now manually constructs URLs using a StringBuilder to avoid the automatic encoding performed by the URI constructor.

Testing

  • All existing tests continue to pass (12/12)
  • Added testValidatePreservesUrlEncodingInQuery to prevent regression
  • Verified the original issue example now works correctly
  • Tested edge cases including encoded userinfo, fragments, and multiple encoded characters

Example that now works correctly:

String url1 = "https://someurl.com/somepath?param1=client%3AAnonymous";
String url2 = "https://someurl.com:443/somepath?param1=client%3AAnonymous";
String signature = "PM+bjB+ITJ9a3LIYStKWOTMZMlU=";
RequestValidator r = new RequestValidator("1234567890");

// Both now return true
r.validate(url1, new HashMap<>(), signature); // true
r.validate(url2, new HashMap<>(), signature); // true

Fixes #601.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@Copilot Copilot SWE Agent
Copy link
Contributor Author

Copilot AI commented Sep 18, 2025

@manisha1997 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

@Copilot Copilot AI changed the title [WIP] RequestValidator.validate incorrectly decodes query string when removing port Fix RequestValidator URL encoding preservation during port manipulation Sep 18, 2025
@Copilot Copilot AI requested a review from manisha1997 September 18, 2025 11:12
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
75.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@manisha1997 manisha1997 Awaiting requested review from manisha1997

At least 1 approving review is required to merge this pull request.

Assignees

@manisha1997 manisha1997

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

RequestValidator.validate incorrectly decodes query string when removing port

2 participants

@Copilot @manisha1997