Skip to content

Commit

Permalink
fix(vulnerable-code): Fixup yet another case of wrong URL escaping
Browse files Browse the repository at this point in the history
See [1].

[1]: aboutcode-org/vulnerablecode#1173

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
  • Loading branch information
sschuberth committed Feb 2, 2024
1 parent bae6050 commit da5314b
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -173,7 +173,7 @@ class VulnerableCode(name: String, config: VulnerableCodeConfiguration) : Advice
}
}

private val BACKSLASH_ESCAPE_REGEX = """\\\\(.)""".toRegex()
private val BACKSLASH_ESCAPE_REGEX = """\\\\\\?(.)""".toRegex()

internal fun String.fixupUrlEscaping(): String =
replace("""\/""", "/").replace(BACKSLASH_ESCAPE_REGEX) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,15 @@ class VulnerableCodeTest : WordSpec({
"""https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:swiftnio_http/2:*:*:*:*:*:swift:*:*"""
)
}

"fixup a wrongly escaped plus" {
@Suppress("MaxLineLength")
val u = """https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:hyperion_bi\\\+:*:*:*:*:*:*:*:*"""

URI.create(u.fixupUrlEscaping()) shouldBe URI(
"""https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:hyperion_bi%2B:*:*:*:*:*:*:*:*"""
)
}
}
})

Expand Down

0 comments on commit da5314b

Please sign in to comment.