Merge pull request from GHSA-wvp2-9ppw-337j

* Remove matrix variables from the path on the server-side
Motivation:
Spring supports [Matrix variables](https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html).
When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path
that may contain matrix variables.
In this situation, the Armeria decorators might not invoked because of the matrix variables.
Let's see the following example:
```
// Spring controller
@GetMapping("/important/resources")
public String important() {...}

// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);
```
If an attacker sends a request with `/important;a=b/resources`, the request would bypass the authrorizer
which is a significant security vulnerability.

Armeria neither supports it nor has any plans to support it. So we can just remove the matrix variables from the path and restore them when we call Spring controllers.

Modifications:
- Remove matrix varilbles from the server-side path.
  - The path is restored when calling Spring service using `RequestTarget.pathWithMatrixVariables()`.
- Do not decode `%3B` which is `;`.
- Add `it/boot3-jetty` module by Copying `it/boot3-tomcat`

Result:
- The decorators work correctly when the request path contains matrix varialbes.

* Update it/spring/boot3-jetty11/src/test/resources/application-testbed.yml

core/src/main/java/com/linecorp/armeria/common/AbstractRequestContextBuilder.java

@@ -142,13 +142,20 @@ protected AbstractRequestContextBuilder(boolean server, RpcRequest rpcReq, URI u
         sessionProtocol = getSessionProtocol(uri);
 
         if (server) {
-            reqTarget = DefaultRequestTarget.createWithoutValidation(
-                    RequestTargetForm.ORIGIN, null, null,
-                    uri.getRawPath(), uri.getRawQuery(), null);
+            String path = uri.getRawPath();
+            final String query = uri.getRawQuery();
+            if (query != null) {
+                path += '?' + query;
+            }
+            final RequestTarget reqTarget = RequestTarget.forServer(path);
+            if (reqTarget == null) {
+                throw new IllegalArgumentException("invalid uri: " + uri);
+            }
+            this.reqTarget = reqTarget;
         } else {
             reqTarget = DefaultRequestTarget.createWithoutValidation(
                     RequestTargetForm.ORIGIN, null, null,
-                    uri.getRawPath(), uri.getRawQuery(), uri.getRawFragment());
+                    uri.getRawPath(), uri.getRawPath(), uri.getRawQuery(), uri.getRawFragment());
         }
     }
 

core/src/main/java/com/linecorp/armeria/common/DefaultFlagsProvider.java

@@ -413,6 +413,11 @@ public Boolean allowDoubleDotsInQueryString() {
         return false;
     }
 
+    @Override
+    public Boolean allowSemicolonInPathComponent() {
+        return false;
+    }
+
     @Override
     public Path defaultMultipartUploadsLocation() {
         return Paths.get(System.getProperty("java.io.tmpdir") +

core/src/main/java/com/linecorp/armeria/common/Flags.java

@@ -375,6 +375,9 @@ private static boolean validateTransportType(TransportType transportType, String
     private static final boolean ALLOW_DOUBLE_DOTS_IN_QUERY_STRING =
             getValue(FlagsProvider::allowDoubleDotsInQueryString, "allowDoubleDotsInQueryString");
 
+    private static final boolean ALLOW_SEMICOLON_IN_PATH_COMPONENT =
+            getValue(FlagsProvider::allowSemicolonInPathComponent, "allowSemicolonInPathComponent");
+
     private static final Path DEFAULT_MULTIPART_UPLOADS_LOCATION =
             getValue(FlagsProvider::defaultMultipartUploadsLocation, "defaultMultipartUploadsLocation");
 
@@ -1340,6 +1343,27 @@ public static boolean allowDoubleDotsInQueryString() {
         return ALLOW_DOUBLE_DOTS_IN_QUERY_STRING;
     }
 
+    /**
+     * Returns whether to allow a semicolon ({@code ;}) in a request path component on the server-side.
+     * If disabled, the substring from the semicolon to before the next slash, commonly referred to as
+     * matrix variables, is removed. For example, {@code /foo;a=b/bar} will be converted to {@code /foo/bar}.
+     * Also, an exception is raised if a semicolon is used for binding a service. For example, the following
+     * code raises an exception:
+     * <pre>{@code
+     * Server server =
+     *    Server.builder()
+     *      .service("/foo;bar", ...)
+     *      .build();
+     * }</pre>
+     * Note that this flag has no effect on the client-side.
+     *
+     * <p>This flag is disabled by default. Specify the
+     * {@code -Dcom.linecorp.armeria.allowSemicolonInPathComponent=true} JVM option to enable it.
+     */
+    public static boolean allowSemicolonInPathComponent() {
+        return ALLOW_SEMICOLON_IN_PATH_COMPONENT;
+    }
+
     /**
      * Returns the {@link Sampler} that determines whether to trace the stack trace of request contexts leaks
      * and how frequently to keeps stack trace. A sampled exception will have the stack trace while the others

core/src/main/java/com/linecorp/armeria/common/FlagsProvider.java

@@ -984,6 +984,28 @@ default Boolean allowDoubleDotsInQueryString() {
         return null;
     }
 
+    /**
+     * Returns whether to allow a semicolon ({@code ;}) in a request path component on the server-side.
+     * If disabled, the substring from the semicolon to before the next slash, commonly referred to as
+     * matrix variables, is removed. For example, {@code /foo;a=b/bar} will be converted to {@code /foo/bar}.
+     * Also, an exception is raised if a semicolon is used for binding a service. For example, the following
+     * code raises an exception:
+     * <pre>{@code
+     * Server server =
+     *    Server.builder()
+     *      .service("/foo;bar", ...)
+     *      .build();
+     * }</pre>
+     * Note that this flag has no effect on the client-side.
+     *
+     * <p>This flag is disabled by default. Specify the
+     * {@code -Dcom.linecorp.armeria.allowSemicolonInPathComponent=true} JVM option to enable it.
+     */
+    @Nullable
+    default Boolean allowSemicolonInPathComponent() {
+        return null;
+    }
+
     /**
      * Returns the {@link Path} that is used to store the files uploaded from {@code multipart/form-data}
      * requests.

core/src/main/java/com/linecorp/armeria/common/RequestTarget.java

@@ -44,7 +44,8 @@ public interface RequestTarget {
     @Nullable
     static RequestTarget forServer(String reqTarget) {
         requireNonNull(reqTarget, "reqTarget");
-        return DefaultRequestTarget.forServer(reqTarget, Flags.allowDoubleDotsInQueryString());
+        return DefaultRequestTarget.forServer(reqTarget, Flags.allowSemicolonInPathComponent(),
+                                              Flags.allowDoubleDotsInQueryString());
     }
 
     /**
@@ -102,6 +103,16 @@ static RequestTarget forClient(String reqTarget, @Nullable String prefix) {
      */
     String path();
 
+    /**
+     * Returns the path of this {@link RequestTarget}, which always starts with {@code '/'}.
+     * Unlike {@link #path()}, the returned string contains matrix variables it the original request path
+     * contains them.
+     *
+     * @see <a href="https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html">
+     *      Matrix Variables</a>
+     */
+    String maybePathWithMatrixVariables();
+
     /**
      * Returns the query of this {@link RequestTarget}.
      */

core/src/main/java/com/linecorp/armeria/common/SystemPropertyFlagsProvider.java

@@ -435,6 +435,11 @@ public Boolean allowDoubleDotsInQueryString() {
         return getBoolean("allowDoubleDotsInQueryString");
     }
 
+    @Override
+    public Boolean allowSemicolonInPathComponent() {
+        return getBoolean("allowSemicolonInPathComponent");
+    }
+
     @Override
     public Path defaultMultipartUploadsLocation() {
         return getAndParse("defaultMultipartUploadsLocation", Paths::get);