pingidentity / scim2

The UnboundID SCIM 2.0 SDK for Java

Prevent possibility of template variable injection in SCIM2 SDK POST search #137

Closed coulbeck closed 4 years ago

coulbeck commented 4 years ago

Prevent possibility of template variable injection in SCIM2 SDK POST search

JiraIssue: DS-41106
Product: ds
Product: proxy
Product: broker

What does this implement/fix? Explain your changes.

See DS-41106

Does this close any currently open issues?

DS-41106

coulbeck commented 4 years ago

UriBuilder methods always interpret path template variables and I could not find any good alternative to UriBuilder. So I chose to percent encode left and right brace characters for the string query parameters before passing to UriBuilder.
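
The mechanism behind that comment, as an added example that is not part of the pull request or the SDK's code: a JAX-RS `UriBuilder` treats `{name}` inside a query parameter value as a URI template variable, so a caller-supplied SCIM filter containing braces is either rejected at `build()` time or, if template values are being supplied, silently substituted. Percent-encoding `{` and `}` before the value reaches `UriBuilder` keeps it as literal data. `escapeTemplateBraces`, the class name, and the sample base URI and filter below are assumptions for illustration (the helper is not the SDK's `encodeTemplateNames()`); it assumes a JAX-RS 2.x API jar and an implementation such as Jersey on the classpath.

```java
import java.net.URI;
import javax.ws.rs.core.UriBuilder;

/**
 * Added example (not the SDK's own code). Demonstrates why caller-supplied
 * query values must have their braces percent-encoded before being handed
 * to UriBuilder, which interprets "{name}" as a URI template variable.
 */
public class TemplateBraceEncodingExample {

  /**
   * Hypothetical helper: percent-encode '{' and '}' so UriBuilder cannot
   * read them as template markers. Already-encoded "%7B"/"%7D" sequences are
   * preserved by JAX-RS query-parameter encoding, so the value is not
   * double-encoded.
   */
  static String escapeTemplateBraces(String value) {
    if (value == null) {
      return null;
    }
    return value.replace("{", "%7B").replace("}", "%7D");
  }

  /** Passes the filter straight through to UriBuilder (the unsafe path). */
  static URI buildUnsafe(String base, String filter) {
    return UriBuilder.fromUri(base).queryParam("filter", filter).build();
  }

  /** Escapes braces first so the filter is carried as literal data (the safe path). */
  static URI buildSafe(String base, String filter) {
    return UriBuilder.fromUri(base)
        .queryParam("filter", escapeTemplateBraces(filter))
        .build();
  }

  public static void main(String[] args) {
    // Constructed sample inputs, not values from the pull request.
    String base = "https://scim.example.com/v2/Users";
    // A legal SCIM filter whose quoted value happens to contain braces.
    String filter = "displayName eq \"{x}\"";

    try {
      System.out.println("unsafe: " + buildUnsafe(base, filter));
    } catch (IllegalArgumentException e) {
      // build() with no template values rejects the unresolved variable "{x}";
      // a code path that does supply template values would substitute into it
      // instead, which is the injection the pull request closes off.
      System.out.println("unsafe: UriBuilder parsed the filter as a template: "
          + e.getMessage());
    }

    // With braces percent-encoded the same filter builds without being
    // treated as a template, and the braces reach the server as data.
    System.out.println("safe:   " + buildSafe(base, filter));
  }
}
```

Compile against the JAX-RS API (`javax.ws.rs-api` 2.x) with an implementation such as Jersey on the runtime classpath; the safe path is the only one that can be used with untrusted filter strings, since `build()` cannot be told to stop interpreting braces in query values.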

braveulysses commented 4 years ago

Looks good to me, Andy. If it's not too much, it would be nice to add a simple unit test for the encodeTemplateNames() method to the SDK.