Closed lance-purple-unboundid closed 4 years ago
This looks good. I did a search for all usages of UriBuilder (I should have done that when I fixed DS-41106), and found one more possible trouble spot.
It's in AuthenticatedSubjectAliasFilter, lines 68-80. This is where we handle a request to /Me.
Could you also add a call to encodeTemplateNames on line 77 where we call UriBuilder#queryParam?
```java
UriBuilder newRequestUri =
    requestContext.getUriInfo().getBaseUriBuilder();
newRequestUri.path(authSubjectPath +
    requestPath.substring(alias.length()));
MultivaluedMap<String, String> queryParams =
    requestContext.getUriInfo().getQueryParameters();
for (String key : queryParams.keySet())
{
  List<String> values = queryParams.get(key);
  newRequestUri.queryParam(key, values.toArray()); // <<<< Template Injection Problem??
}
requestContext.setRequestUri(newRequestUri.build());
```
Updated AuthenticatedSubjectAliasFilter to encode the queryParams, and also the authSubjectPath (which can produce the IllegalArgumentException if /Me resolves to a resource containing curly braces)
JiraIssue: DS-40219
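The following is an added example, not code from this pull request: a sketch of the URI rebuild with both the resolved path and the query parameters brace-encoded before they reach `UriBuilder`. The class name, the `rebuild` method, the local `encodeTemplateNames` helper (a stand-in for the call named in the review) and the sample URI and values are assumptions; it needs a JAX-RS implementation on the classpath.

```java
import java.net.URI;
import java.util.Arrays;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriBuilder;

public class AliasUriRebuild {
  // Hypothetical stand-in for the encodeTemplateNames call named in the review:
  // percent-encode braces so UriBuilder does not parse them as {template} variables.
  static String encodeTemplateNames(String s) {
    return s.replace("{", "%7B").replace("}", "%7D");
  }

  // Rebuild the request URI the way the filter does, encoding every
  // request-derived component (path, parameter names, parameter values).
  static URI rebuild(URI baseUri, String resolvedPath,
                     MultivaluedMap<String, String> queryParams) {
    UriBuilder builder = UriBuilder.fromUri(baseUri);
    builder.path(encodeTemplateNames(resolvedPath));
    for (String key : queryParams.keySet()) {
      Object[] values = queryParams.get(key).stream()
          .map(AliasUriRebuild::encodeTemplateNames)
          .toArray();
      builder.queryParam(encodeTemplateNames(key), values);
    }
    return builder.build();
  }

  public static void main(String[] args) {
    URI base = URI.create("https://example.com/scim/v2/");  // constructed sample
    MultivaluedMap<String, String> query = new MultivaluedHashMap<>();
    query.put("filter", Arrays.asList("{x}"));               // constructed sample

    // Unencoded, as in the quoted snippet: {x} is parsed as a template
    // variable with no supplied value, so build() rejects it.
    try {
      UriBuilder.fromUri(base)
          .queryParam("filter", query.get("filter").toArray())
          .build();
    } catch (IllegalArgumentException e) {
      System.out.println("unencoded: " + e.getClass().getSimpleName());
    }

    // Encoded: the braces are carried through as percent-escapes.
    System.out.println("encoded: " + rebuild(base, "Users/{abc}", query));
  }
}
```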