Merge "JERSEY-2525 Incoming URL components are parsed for bracket paths"

Author: Marek Potočiar

containers/grizzly2-http/src/main/java/org/glassfish/jersey/grizzly2/httpserver/GrizzlyHttpContainer.java

@@ -71,6 +71,7 @@
 import org.glassfish.jersey.server.ResourceConfig;
 import org.glassfish.jersey.server.ServerProperties;
 import org.glassfish.jersey.server.internal.ConfigHelper;
+import org.glassfish.jersey.server.internal.ContainerUtils;
 import org.glassfish.jersey.server.spi.Container;
 import org.glassfish.jersey.server.spi.ContainerLifecycleListener;
 import org.glassfish.jersey.server.spi.ContainerResponseWriter;
@@ -453,7 +454,7 @@ private URI getRequestUri(URI baseUri, Request grizzlyRequest) {
 
         String queryString = grizzlyRequest.getQueryString();
         if (queryString != null) {
-            originalUri = originalUri + "?" + queryString;
+            originalUri = originalUri + "?" + ContainerUtils.encodeUnsafeCharacters(queryString);
         }
 
         return baseUri.resolve(originalUri);

containers/jersey-servlet-core/src/main/java/org/glassfish/jersey/servlet/ServletContainer.java

@@ -69,6 +69,7 @@
 import org.glassfish.jersey.server.ResourceConfig;
 import org.glassfish.jersey.server.ServerProperties;
 import org.glassfish.jersey.server.internal.ConfigHelper;
+import org.glassfish.jersey.server.internal.ContainerUtils;
 import org.glassfish.jersey.server.spi.Container;
 import org.glassfish.jersey.server.spi.ContainerLifecycleListener;
 import org.glassfish.jersey.servlet.internal.LocalizationMessages;
@@ -320,10 +321,8 @@ protected void service(HttpServletRequest request, HttpServletResponse response)
         final URI baseUri;
         final URI requestUri;
         try {
-            baseUri = absoluteUriBuilder.replacePath(encodedBasePath).
-                    build();
-
-            String queryParameters = request.getQueryString();
+            baseUri = absoluteUriBuilder.replacePath(encodedBasePath).build();
+            String queryParameters = ContainerUtils.encodeUnsafeCharacters(request.getQueryString());
             if (queryParameters == null) {
                 queryParameters = "";
             }

containers/jetty-http/src/main/java/org/glassfish/jersey/jetty/JettyHttpContainer.java

@@ -61,6 +61,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.eclipse.jetty.http.HttpURI;
 import org.glassfish.jersey.internal.MapPropertiesDelegate;
 import org.glassfish.jersey.internal.inject.ReferencingFactory;
 import org.glassfish.jersey.internal.util.ExtendedLogger;
@@ -74,6 +75,7 @@
 import org.glassfish.jersey.server.ResourceConfig;
 import org.glassfish.jersey.server.ServerProperties;
 import org.glassfish.jersey.server.internal.ConfigHelper;
+import org.glassfish.jersey.server.internal.ContainerUtils;
 import org.glassfish.jersey.server.spi.Container;
 import org.glassfish.jersey.server.spi.ContainerLifecycleListener;
 import org.glassfish.jersey.server.spi.ContainerResponseWriter;
@@ -164,8 +166,12 @@ public void handle(String target, final Request request, final HttpServletReques
         final Response response = Response.getResponse(httpServletResponse);
         final ResponseWriter responseWriter = new ResponseWriter(request, response, configSetStatusOverSendError);
         final URI baseUri = getBaseUri(request);
-        final URI requestUri = baseUri.resolve(request.getUri().toString());
 
+        final String originalQuery = request.getUri().getQuery();
+        final String encodedQuery = ContainerUtils.encodeUnsafeCharacters(originalQuery);
+        final String uriString = (originalQuery == null || originalQuery.isEmpty() || originalQuery.equals(encodedQuery)) ?
+                request.getUri().toString() : request.getUri().toString().replace(originalQuery, encodedQuery);
+        final URI requestUri = baseUri.resolve(uriString);
         try {
             final ContainerRequest requestContext = new ContainerRequest(
                     baseUri,

containers/simple-http/src/main/java/org/glassfish/jersey/simple/SimpleContainer.java

@@ -68,6 +68,7 @@
 import org.glassfish.jersey.server.ContainerResponse;
 import org.glassfish.jersey.server.ResourceConfig;
 import org.glassfish.jersey.server.internal.ConfigHelper;
+import org.glassfish.jersey.server.internal.ContainerUtils;
 import org.glassfish.jersey.server.spi.Container;
 import org.glassfish.jersey.server.spi.ContainerLifecycleListener;
 import org.glassfish.jersey.server.spi.ContainerResponseWriter;
@@ -232,7 +233,7 @@ private void rethrow(Throwable error) {
     public void handle(final Request request, final Response response) {
         final Writer responseWriter = new Writer(response);
         final URI baseUri = getBaseUri(request);
-        final URI requestUri = baseUri.resolve(request.getTarget());
+        final URI requestUri = baseUri.resolve(ContainerUtils.encodeUnsafeCharacters(request.getTarget()));
 
         try {
             final ContainerRequest requestContext = new ContainerRequest(

core-server/src/main/java/org/glassfish/jersey/server/internal/ContainerUtils.java

@@ -0,0 +1,74 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2010-2014 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * http://glassfish.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package org.glassfish.jersey.server.internal;
+
+import javax.ws.rs.core.UriBuilder;
+import java.net.URI;
+
+/**
+ * Utility methods used by container implementations.
+ *
+ * @author Adam Lindenthal (adam.lindenthal at oracle.com)
+ */
+public class ContainerUtils {
+
+    /**
+     * Encodes (predefined subset of) unsafe/unwise URI characters with the percent-encoding.
+     * <p/>
+     * <p>Replaces the predefined set of unsafe URI characters in the query string with its percent-encoded counterparts. The
+     * reserved characters (as defined by the RFC) are automatically encoded by browsers, but some characters are in the "gray
+     * zone" - are not explicitly forbidden, but not recommended and known to cause issues.</p>
+     * <p/>
+     * <p>Currently, the method only encodes the curly brackets ({@code \{} and {@code \}}),
+     * if any, to allow URI request parameters to contain JSON.</p>
+     *
+     * @param originalQueryString URI query string (the part behind the question mark character).
+     * @return the same string with unsafe characters (currently only curly brackets) eventually percent encoded.
+     */
+    public static String encodeUnsafeCharacters(String originalQueryString) {
+        if (originalQueryString == null) {
+            return null;
+        }
+        if (originalQueryString.contains("{") || originalQueryString.contains("}")) {
+            return originalQueryString.replace("{", "%7B").replace("}", "%7D");
+        }
+        return originalQueryString;
+    }
+}

tests/e2e/src/test/java/org/glassfish/jersey/tests/api/JsonInUriTest.java

@@ -0,0 +1,129 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2014 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * http://glassfish.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package org.glassfish.jersey.tests.api;
+
+import org.glassfish.jersey.filter.LoggingFilter;
+import org.glassfish.jersey.server.ResourceConfig;
+import org.glassfish.jersey.test.JerseyTest;
+import org.glassfish.jersey.test.TestProperties;
+import org.junit.Test;
+
+import javax.ws.rs.DefaultValue;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Response;
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.io.PrintWriter;
+import java.net.Socket;
+import java.util.logging.Logger;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Test if URI can contain a JSON in the query parameter.
+ *
+ * @author Adam Lindenthal (adam.lindenthal at oracle.com)
+ */
+public class JsonInUriTest extends JerseyTest {
+    private static final Logger LOGGER = Logger.getLogger(JsonInUriTest.class.getName());
+
+    @Override
+    protected ResourceConfig configure() {
+        ResourceConfig rc = new ResourceConfig(JsonInUriTest.ResponseTest.class);
+        return rc;
+    }
+
+    /**
+     * Test resource
+     */
+    @Path(value = "/app")
+    public static class ResponseTest {
+        /**
+         * Test resource method returning the content of the {@code json} query parameter.
+         *
+         * @return the {@code json} query parameter (as received)
+         */
+        @GET
+        @Path("test")
+        public Response jsonQueryParamTest(@DefaultValue("") @QueryParam("json") String json) {
+            return Response.ok().entity(json).build();
+        }
+
+    }
+
+    /**
+     * Test, that server can consume JSON sent in the query parameter
+     *
+     * @throws IOException
+     */
+    @Test
+    public void testJsonInUriWithSockets() throws IOException {
+        // Low level approach with sockets is used, because common Java HTTP clients are using java.net.URI,
+        // which fails when unencoded curly bracket is part of the URI
+        Socket socket = new Socket(getBaseUri().getHost(), getBaseUri().getPort());
+        PrintWriter pw = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream())));
+
+        // quotes are encoded by browsers, curly brackets are not, so the quotes will be sent pre-encoded
+        // HTTP 1.0 is used for simplicity
+        pw.println("GET /app/test?json={%22foo%22:%22bar%22} HTTP/1.0");
+        pw.println();   // http request should end with a blank line
+        pw.flush();
+
+        BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
+
+        String lastLine = null;
+        String line;
+        while ((line = br.readLine()) != null) {
+            // read the response and remember the last line
+            lastLine = line;
+        }
+        assertEquals("{\"foo\":\"bar\"}", lastLine);
+        br.close();
+    }
+}
+
+
+
+