Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prevent passing bad character to dev-server #11099

Merged
merged 2 commits into from
May 31, 2021
Merged

fix: prevent passing bad character to dev-server #11099

merged 2 commits into from
May 31, 2021

Conversation

pleku
Copy link
Contributor

@pleku pleku commented May 27, 2021

The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.

@pleku pleku requested a review from caalador May 27, 2021 18:02
@pleku
fix: prevent passing bad character to dev-server
2a801c4 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
@pleku pleku requested a review from caalador May 28, 2021 09:56
caalador
caalador reviewed May 28, 2021
View reviewed changes
Copy link
Contributor

@caalador caalador left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just needs running formatter:format

@pleku pleku requested a review from caalador May 28, 2021 11:51
@pleku
Copy link
Contributor Author

pleku commented May 28, 2021

Formatter run and hopefully ccdm tests pass this time too

@vaadin-bot
Copy link
Collaborator

SonarQube analysis reported 7 issues

  1. MAJOR HandlerHelper.java#L408: Define and throw a dedicated exception instead of using a generic one. rule
  2. MAJOR DevModeHandlerImpl.java#L1: Class com.vaadin.base.devserver.DevModeHandlerImpl defines non-transient non-serializable instance field devServerStartFuture rule
  3. MAJOR DevModeHandlerImpl.java#L157: Make "devServerStartFuture" transient or serializable. rule
  4. MAJOR DevModeHandlerImpl.java#L249: Null passed for non-null parameter of java.util.concurrent.CompletableFuture.getNow(Object) in com.vaadin.base.devserver.DevModeHandlerImpl.handleRequest(VaadinSession, VaadinRequest, VaadinResponse) rule
  5. MAJOR DevModeHandlerImpl.java#L581: Remove this unused private "checkPort" method. rule
  6. MAJOR DevModeHandlerImpl.java#L718: Either re-interrupt this method or rethrow the "InterruptedException". rule
  7. INFO HandlerHelper.java#L420: Public static com.vaadin.flow.server.HandlerHelper.getPublicResources() may expose internal representation by returning HandlerHelper.publicResources rule

@caalador caalador merged commit f18ea9a into master May 31, 2021
@caalador caalador deleted the fix/illegal-char branch May 31, 2021 05:50
@vaadin-bot
Copy link
Collaborator

Hi @pleku , this commit cannot be picked to 7.0 by this bot, can you take a look and pick it manually?
Error Message: Error: Command failed: git cherry-pick f18ea9a
error: could not apply f18ea9a... fix: prevent passing bad character to dev-server (#11099)
hint: after resolving the conflicts, mark the corrected paths
hint: with 'git add ' or 'git rm '
hint: and commit the result with 'git commit'

@vaadin-bot
Copy link
Collaborator

Hi @pleku , this commit cannot be picked to 6.0 by this bot, can you take a look and pick it manually?
Error Message: Error: Command failed: git cherry-pick f18ea9a
error: could not apply f18ea9a... fix: prevent passing bad character to dev-server (#11099)
hint: after resolving the conflicts, mark the corrected paths
hint: with 'git add ' or 'git rm '
hint: and commit the result with 'git commit'

@vaadin-bot
Copy link
Collaborator

Hi @pleku , this commit cannot be picked to 2.7 by this bot, can you take a look and pick it manually?
Error Message: Error: Command failed: git cherry-pick f18ea9a
error: could not apply f18ea9a... fix: prevent passing bad character to dev-server (#11099)
hint: after resolving the conflicts, mark the corrected paths
hint: with 'git add ' or 'git rm '
hint: and commit the result with 'git commit'

@vaadin-bot
Copy link
Collaborator

Hi @pleku , this commit cannot be picked to 2.6 by this bot, can you take a look and pick it manually?
Error Message: Error: Command failed: git cherry-pick f18ea9a
error: could not apply f18ea9a... fix: prevent passing bad character to dev-server (#11099)
hint: after resolving the conflicts, mark the corrected paths
hint: with 'git add ' or 'git rm '
hint: and commit the result with 'git commit'

pleku added a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099)
c6d702a 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
pleku added a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099)
ecae31c 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
pleku added a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099)
ee71a2a 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
pleku added a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099)
d0044ff 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
fluorumlabs
fluorumlabs reviewed May 31, 2021
View reviewed changes
Copy link
Contributor

@fluorumlabs fluorumlabs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Denylisting is generally a bad approach for dealing with incorrect inputs

vaadin-dev-server/src/main/java/com/vaadin/base/devserver/DevModeHandlerImpl.java
@@ -393,6 +398,7 @@ private boolean checkWebpackConnection() {
@Override
public HttpURLConnection prepareConnection(String path, String method)
throws IOException {
// path should have been checked at this point for any outside requests
URL uri = new URL(WEBPACK_HOST + ":" + getPort() + path);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to JavaDoc, the recommended way of dealing with encoding is to use new URI(...).toURL():

Note, the java.net.URI class does perform escaping of its
component fields in certain circumstances. The recommended way
to manage the encoding and decoding of URLs is to use java.net.URI,
and to convert between these two classes using toURI() and
toURL().

Copy link
Contributor Author

@pleku pleku May 31, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would make sense, yes. But the code needs more cleanup to be able to do this properly.
#11117

@pleku pleku mentioned this pull request May 31, 2021
Open
pleku added a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099)
afb36c5 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
pleku added a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099)
7ac67cb 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
caalador pushed a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099) (#11116)
ca12a54 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
caalador pushed a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099) (#11114)
e3d2a74 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
caalador pushed a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099) (#11115)
b462b37 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
caalador pushed a commit that referenced this pull request May 31, 2021
@pleku
fix: prevent passing bad character to wp (#11099) (#11113)
de94968 
The webpack dev-server does not escape " character, as it is not valid
URL. This limitation was not checked when passing request to it via
DevModeHandlerImpl.
@vaadin-bot
Copy link
Collaborator

This ticket/PR has been released with platform 21.0.0.alpha3. For prerelease versions, it will be included in its final version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fluorumlabs fluorumlabs fluorumlabs left review comments

@caalador caalador caalador approved these changes

Assignees
No one assigned
Labels
cherry-picked-2.7 cherry-picked-6.0 cherry-picked-7.0 prerelease version for platform 21.0.0 Released with Platform 21.0.0.alpha3 +0.0.1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pleku @vaadin-bot @caalador @fluorumlabs