fix: prevent passing bad character to dev-server #11099
flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java
The webpack dev-server does not escape the " character, as it is not valid in a URL. This limitation was not checked when passing the request to it via DevModeHandlerImpl.
Just needs running formatter:format
Formatter run and hopefully ccdm tests pass this time too
SonarQube analysis reported 7 issues
Hi @pleku , this commit cannot be picked to 7.0 by this bot, can you take a look and pick it manually?
Hi @pleku , this commit cannot be picked to 6.0 by this bot, can you take a look and pick it manually?
Hi @pleku , this commit cannot be picked to 2.7 by this bot, can you take a look and pick it manually?
Hi @pleku , this commit cannot be picked to 2.6 by this bot, can you take a look and pick it manually?
Denylisting is generally a bad approach for dealing with incorrect inputs
@@ -393,6 +398,7 @@ private boolean checkWebpackConnection() { | |||
@Override | |||
public HttpURLConnection prepareConnection(String path, String method) | |||
throws IOException { | |||
// path should have been checked at this point for any outside requests | |||
URL uri = new URL(WEBPACK_HOST + ":" + getPort() + path); |
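Review bot: the comment added above the URL construction in `prepareConnection` only asserts that `path` was checked elsewhere, yet the following line still builds the request target by raw string concatenation, `new URL(WEBPACK_HOST + ":" + getPort() + path)`, so any character the upstream check does not cover (the `"` this PR is about, or anything that later ends up in `path`) is forwarded to the dev server unencoded. Consider building the URL through `java.net.URI` components and `toURL()` so the path is percent-encoded at this point regardless of the earlier check, or at least validate `path` inside this method instead of documenting the assumption in a comment.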
According to JavaDoc, the recommended way of dealing with encoding is to use new URI(...).toURL():

"Note, the java.net.URI class does perform escaping of its component fields in certain circumstances. The recommended way to manage the encoding and decoding of URLs is to use java.net.URI, and to convert between these two classes using toURI() and toURL()."
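The two review points above (denylisting single characters is fragile; java.net.URI is the documented way to handle encoding) can be seen side by side in the following added example. This is illustration code written for this page, not Vaadin Flow code: HOST and PORT are assumed stand-ins for WEBPACK_HOST and getPort(), and isSafePath is a hypothetical allowlist check, not a method from the project.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.regex.Pattern;

/**
 * Added example, not project code. Contrasts the string-concatenated URL on the
 * page with one built through java.net.URI, and shows an allowlist check for the
 * forwarded path instead of a denylist of individual characters.
 */
public final class DevServerUrlExample {

    // Assumed values standing in for WEBPACK_HOST and getPort().
    static final String HOST = "http://localhost";
    static final int PORT = 8080;

    // RFC 3986 path characters: unreserved, sub-delims, ':' and '@', the '/'
    // separator, and already percent-encoded %XX triplets. Everything else,
    // including '"', is rejected without having to enumerate it.
    private static final Pattern SAFE_PATH = Pattern.compile(
            "(?:/|[A-Za-z0-9\\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})*");

    /** The pattern from the hunk: path is concatenated as-is, java.net.URL does not encode it. */
    static URL concatenated(String path) throws MalformedURLException {
        return new URL(HOST + ":" + PORT + path);
    }

    /** The review suggestion: build the URI from components so the path is quoted, then convert. */
    static URL viaUri(String path) throws URISyntaxException, MalformedURLException {
        URI host = URI.create(HOST);
        // The multi-argument constructor percent-encodes characters that are illegal in the path.
        return new URI(host.getScheme(), null, host.getHost(), PORT, path, null, null).toURL();
    }

    /** Hypothetical allowlist check: absolute path made only of RFC 3986 path characters. */
    static boolean isSafePath(String path) {
        return path.startsWith("/") && SAFE_PATH.matcher(path).matches();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input carrying the character the PR is about.
        String bad = "/VAADIN/build/x\".html";
        String good = "/VAADIN/build/vaadin-bundle.js";

        System.out.println("concatenated: " + concatenated(bad));
        System.out.println("via URI:      " + viaUri(bad));
        System.out.println("allowlist(" + bad + ") = " + isSafePath(bad));
        System.out.println("allowlist(" + good + ") = " + isSafePath(good));
    }
}
```

Running it shows the difference the JavaDoc comment describes: java.net.URL accepts the concatenated string without complaint and carries the raw quote through to the dev server, while the URI built from components percent-encodes the quote in the path. The allowlist rejects the same input without naming the quote character, so characters nobody thought to deny are rejected too. A query string, if the forwarded path can carry one, belongs in the separate query argument of the URI constructor rather than appended to the path.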
It would make sense, yes. But the code needs more cleanup to be able to do this properly.
#11117
This ticket/PR has been released with platform 21.0.0.alpha3. For prerelease versions, it will be included in its final version.