Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
Describe the issue:
The IllegalArgumentException: Illegal group reference error occurs when using String::replaceAll because it treats the replacement string as a regular expression replacement pattern. In regular expressions, certain characters such as $, \, and others have special meanings. If these characters are present in the replacement string, they are interpreted as regex references unless properly escaped.
In our code, we are replacing environment variable placeholders with their corresponding values from the system environment. If any of these values contain special characters, they need to be properly escaped to avoid misinterpretation by the regex engine.
Some common special regex characters that need to be escaped in replacement strings:
$: Indicates the end of a line or a backreference to a capturing group.
\: Escape character.
., *, +, ?, [, ], (, ), {, }, |, ^: Characters used in regex patterns.
To fix this, we need to escape the replacement string using Matcher.quoteReplacement, which ensures that all special characters are treated as literals.
private static String resolveStringWithEnvVarPlaceholders(String value, Map<String, String> resolvedEnvironmentVariables)
throws ConfigParserException {
String[] envRefs = StringUtils.substringsBetween(value, ENV_VAR_PLACEHOLDER_PREFIX, PLACEHOLDER_SUFFIX);
if (envRefs != null) {
for (String ref : envRefs) {
String resolvedValue = System.getenv(ref);
if (resolvedValue != null) {
resolvedEnvironmentVariables.put(ref, resolvedValue);
value = value.replaceAll(Pattern.quote(ENV_VAR_PLACEHOLDER_PREFIX + ref + PLACEHOLDER_SUFFIX),
Matcher.quoteReplacement(resolvedValue));
} else {
throw new ConfigParserException("Environment variable " + ref + " not defined in system");
}
}
}
return value;
}
Source [1]
How to reproduce:
Setup an Identity Server instance and add the configuration below to the deployment.toml file:
Start the server and observe the stack trace below:
. . . [omitted for brevity] . . .
Caused by: java.lang.IllegalArgumentException: Illegal group reference
at java.base/java.util.regex.Matcher.appendExpandedReplacement(Matcher.java:1068)
at java.base/java.util.regex.Matcher.appendReplacement(Matcher.java:998)
at java.base/java.util.regex.Matcher.replaceAll(Matcher.java:1182)
at java.base/java.lang.String.replaceAll(String.java:2126)
at org.wso2.config.mapper.ReferenceResolver.resolveStringWithEnvVarPlaceholders(ReferenceResolver.java:362)
at org.wso2.config.mapper.ReferenceResolver.resolveEnvVariables(ReferenceResolver.java:263)
at org.wso2.config.mapper.ReferenceResolver.resolve(ReferenceResolver.java:90)
at org.wso2.config.mapper.ReferenceResolver.resolve(ReferenceResolver.java:71)
at org.wso2.config.mapper.ConfigParser.parse(ConfigParser.java:253)
at org.wso2.config.mapper.ConfigParser.deploy(ConfigParser.java:217)
at org.wso2.config.mapper.ConfigParser.deployAndStoreMetadata(ConfigParser.java:180)
at org.wso2.config.mapper.ConfigParser.parse(ConfigParser.java:127)
at org.wso2.carbon.server.Main.handleConfiguration(Main.java:236)
at org.wso2.carbon.server.Main.main(Main.java:107)
... 6 more
Expected behavior:
The Identity Server should be able to use any environment variable value.
Environment information:
Product Version: All versions affected, but tested on 5.11.0, 6.0.0, 6.1.0, 7.0.0
Describe the issue: The
IllegalArgumentException: Illegal group reference
error occurs when usingString::replaceAll
because it treats the replacement string as a regular expression replacement pattern. In regular expressions, certain characters such as$
,\
, and others have special meanings. If these characters are present in the replacement string, they are interpreted as regex references unless properly escaped.In our code, we are replacing environment variable placeholders with their corresponding values from the system environment. If any of these values contain special characters, they need to be properly escaped to avoid misinterpretation by the regex engine.
Some common special regex characters that need to be escaped in replacement strings:
$
: Indicates the end of a line or a backreference to a capturing group.\
: Escape character..
,*
,+
,?
,[
,]
,(
,)
,{
,}
,|
,^
: Characters used in regex patterns.To fix this, we need to escape the replacement string using
Matcher.quoteReplacement
, which ensures that all special characters are treated as literals.Source [1]
How to reproduce:
deployment.toml
file:DUMMY_ENV_VAL
environment variable:Expected behavior: The Identity Server should be able to use any environment variable value.
Environment information:
Product Version: All versions affected, but tested on 5.11.0, 6.0.0, 6.1.0, 7.0.0
[1] https://github.com/wso2/config-mapper/blob/master/src/main/java/org/wso2/config/mapper/ReferenceResolver.java#L384-L401