Fixes #21496: Validate for special encoded characters in request path (#21972)

This is a follow up commit after the real issue was addressed in grizzly 2.4.0-beta11 #22042 
* Handling CharConversionException from Grizzly
* Added few test cases for validation

Author: jayasheelankumar

appserver/tests/appserv-tests/devtests/web/requestDispatcherDirectoryTraversal/WebTest.java

@@ -53,17 +53,25 @@ public class WebTest {
 
     private static final String TEST_NAME
         = "request-dispatcher-directory-traversal";
+    private static final String TEST_NAME2
+        = "request-dispatcher-directory-traversal-type2";
+    private static final String TEST_NAME3
+        = "request-dispatcher-directory-traversal-type3";
 
     private static final String EXPECTED = "This is OK.";
 
     private String host;
     private String port;
     private String contextRoot;
+    private String appserverTestPath;
+    private String adminPort;
 
     public WebTest(String[] args) {
         host = args[0];
         port = args[1];
         contextRoot = args[2];
+        appserverTestPath = args[3];
+        adminPort = args[4];
     }
 
     public static void main(String[] args) {
@@ -80,6 +88,18 @@ public void doTest() {
             stat.addStatus(TEST_NAME, stat.FAIL);
             ex.printStackTrace();
         }
+        try {
+            invokeValidationTestForDoubleDot();
+        } catch (Exception ex) {
+            stat.addStatus(TEST_NAME2, stat.FAIL);
+            ex.printStackTrace();
+        }
+        try {
+            invokeValidationTestForColon();
+        } catch (Exception ex) {
+            stat.addStatus(TEST_NAME3, stat.FAIL);
+            ex.printStackTrace();
+        }
     }
 
     private void invoke() throws Exception {
@@ -113,6 +133,7 @@ private void invoke() throws Exception {
             } else {
                 System.err.println("Missing expected response: " + EXPECTED);
             }
+            
         } finally {
             try {
                 if (os != null) os.close();
@@ -128,4 +149,89 @@ private void invoke() throws Exception {
             } catch (IOException ex) {}
         }
     }
+    
+    private void invokeValidationTestForDoubleDot() throws Exception {
+        
+        Socket sock = null;
+        OutputStream os = null;
+        InputStream is = null;
+        BufferedReader bis = null;
+        try {
+            // Validating the ".." file traversal check
+            sock = new Socket(host, Integer.valueOf(adminPort));
+            os = sock.getOutputStream();
+            String get = "GET " + "/theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af"
+                    + "%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af"
+                    + "%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af"
+                    + "%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af"
+                    + "%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae"
+                    + "%c0" + appserverTestPath + "/domains/domain1/config/local-password HTTP/1.1\n";
+            System.out.println(get);
+            os.write(get.getBytes());
+            os.write("Host: localhost\n".getBytes());
+            os.write("\n".getBytes());
+            is = sock.getInputStream();
+            bis = new BufferedReader(new InputStreamReader(is));
+            String line = bis.readLine();
+            if (line != null && line.contains("200")) {
+                stat.addStatus(TEST_NAME2, stat.FAIL);
+            } else {
+                stat.addStatus(TEST_NAME2, stat.PASS);
+            }
+        }
+        finally {
+            try {
+                if (os != null) os.close();
+            } catch (IOException ex) {}
+            try {
+                if (is != null) is.close();
+            } catch (IOException ex) {}
+            try {
+                if (sock != null) sock.close();
+            } catch (IOException ex) {}
+            try {
+                if (bis != null) bis.close();
+            } catch (IOException ex) {}
+        }
+    }
+    
+    private void invokeValidationTestForColon() throws Exception {
+        
+        Socket sock = null;
+        OutputStream os = null;
+        InputStream is = null;
+        BufferedReader bis = null;
+        try {
+            // Validating the ":" file traversal check
+            sock = new Socket(host, Integer.valueOf(adminPort));
+            os = sock.getOutputStream();
+            String get = "GET " + "/resource/file%3a///etc/passwd/ HTTP/1.1\n";
+            System.out.println(get);
+            os.write(get.getBytes());
+            os.write("Host: localhost\n".getBytes());
+            os.write("\n".getBytes());
+            is = sock.getInputStream();
+            bis = new BufferedReader(new InputStreamReader(is));
+            String line = bis.readLine();
+            if (line != null && line.contains("200")) {
+                stat.addStatus(TEST_NAME3, stat.FAIL);
+            } else {
+                stat.addStatus(TEST_NAME3, stat.PASS);
+            }
+        }
+        finally {
+            try {
+                if (os != null) os.close();
+            } catch (IOException ex) {}
+            try {
+                if (is != null) is.close();
+            } catch (IOException ex) {}
+            try {
+                if (sock != null) sock.close();
+            } catch (IOException ex) {}
+            try {
+                if (bis != null) bis.close();
+            } catch (IOException ex) {}
+        }
+    }
 }

appserver/tests/appserv-tests/devtests/web/requestDispatcherDirectoryTraversal/build.xml

@@ -89,6 +89,8 @@
           <arg value="${http.host}"/>
           <arg value="${http.port}"/>
           <arg value="${contextroot}"/>
+	  <arg value="${env.S1AS_HOME}"/>
+	  <arg value="${admin.port}"/>
           <classpath>
            <pathelement location="${env.APS_HOME}/lib/reportbuilder.jar"/>
            <pathelement location="."/>

nucleus/core/kernel/src/main/java/com/sun/enterprise/v3/services/impl/ContainerMapper.java

@@ -178,6 +178,9 @@ public void service(final Request request, final Response response) throws Excep
                 if (LOGGER.isLoggable(Level.WARNING)) {
                     LOGGER.log(Level.WARNING, KernelLoggerInfo.exceptionMapper2, ex2);
                 }
+                if (ex2 instanceof CharConversionException) {
+                    response.sendError(500);
+                }
             }
         }
     }