fix(ws-next): validate base URI scheme

michalvavrik · michalvavrik · commit c99b54c84efa · 2025-10-23T13:38:28.000+02:00
diff --git a/extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/client/BasicConnectorTest.java b/extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/client/BasicConnectorTest.java
@@ -2,6 +2,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
@@ -144,6 +145,27 @@ void testClientOptionsCustomization() {
         })).rootCause().isInstanceOf(UnknownHostException.class).hasMessageContaining("robert");
     }
 
+    @Test
+    void testBaseUriValidationFailure() {
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("localhost:8080"));
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("127.0.0.1:8080/"));
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("localhost:8080/hello"));
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("jdbc:localhost:8080/hello"));
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("jdbc://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("http://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("http://localhost:8080/"));
+        assertDoesNotThrow(() -> connector.baseUri("http://localhost:8080"));
+        assertDoesNotThrow(() -> connector.baseUri("ws://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("ws://localhost:8080/"));
+        assertDoesNotThrow(() -> connector.baseUri("ws://localhost:8080"));
+        assertDoesNotThrow(() -> connector.baseUri("https://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("https://localhost:8080/"));
+        assertDoesNotThrow(() -> connector.baseUri("https://localhost:8080"));
+        assertDoesNotThrow(() -> connector.baseUri("wss://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("wss://localhost:8080/"));
+        assertDoesNotThrow(() -> connector.baseUri("wss://localhost:8080"));
+    }
+
     private WebSocketClientConnection createConnection2(CountDownLatch conn2Latch,
             BiConsumer<WebSocketConnectOptions, WebSocketClientOptions> customizer) {
         return BasicWebSocketConnector
diff --git a/extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/client/ClientEndpointTest.java b/extensions/websockets-next/deployment/src/test/java/io/quarkus/websockets/next/test/client/ClientEndpointTest.java
@@ -1,8 +1,10 @@
 package io.quarkus.websockets.next.test.client;
 
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.net.URI;
@@ -87,6 +89,27 @@ void testClient() throws InterruptedException {
                 .rootCause().isInstanceOf(UnknownHostException.class).hasMessageContaining("robert");
     }
 
+    @Test
+    void testBaseUriValidationFailure() {
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("localhost:8080"));
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("127.0.0.1:8080/"));
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("localhost:8080/hello"));
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("jdbc:localhost:8080/hello"));
+        assertThrows(IllegalArgumentException.class, () -> connector.baseUri("jdbc://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("http://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("http://localhost:8080/"));
+        assertDoesNotThrow(() -> connector.baseUri("http://localhost:8080"));
+        assertDoesNotThrow(() -> connector.baseUri("ws://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("ws://localhost:8080/"));
+        assertDoesNotThrow(() -> connector.baseUri("ws://localhost:8080"));
+        assertDoesNotThrow(() -> connector.baseUri("https://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("https://localhost:8080/"));
+        assertDoesNotThrow(() -> connector.baseUri("https://localhost:8080"));
+        assertDoesNotThrow(() -> connector.baseUri("wss://localhost:8080/hello"));
+        assertDoesNotThrow(() -> connector.baseUri("wss://localhost:8080/"));
+        assertDoesNotThrow(() -> connector.baseUri("wss://localhost:8080"));
+    }
+
     @WebSocket(path = "/endpoint/{name}")
     public static class ServerEndpoint {
 
diff --git a/extensions/websockets-next/runtime/src/main/java/io/quarkus/websockets/next/runtime/WebSocketConnectorBase.java b/extensions/websockets-next/runtime/src/main/java/io/quarkus/websockets/next/runtime/WebSocketConnectorBase.java
@@ -93,6 +93,10 @@ abstract class WebSocketConnectorBase<THIS extends WebSocketConnectorBase<THIS>>
     }
 
     public THIS baseUri(URI baseUri) {
+        if (!isSecure(baseUri) && !isNotSecure(baseUri)) {
+            throw new IllegalArgumentException(
+                    String.format("[%s] is not a valid scheme in the base URI %s", baseUri.getScheme(), baseUri));
+        }
         this.baseUri = Objects.requireNonNull(baseUri);
         return self();
     }
@@ -240,6 +244,10 @@ protected WebSocketConnectOptions newConnectOptions(URI serverEndpointUri) {
         return connectOptions;
     }
 
+    protected boolean isNotSecure(URI uri) {
+        return "http".equals(uri.getScheme()) || "ws".equals(uri.getScheme());
+    }
+
     protected boolean isSecure(URI uri) {
         return "https".equals(uri.getScheme()) || "wss".equals(uri.getScheme());
     }

Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,10 @@ abstract class WebSocketConnectorBase<THIS extends WebSocketConnectorBase<THIS>>`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`public THIS baseUri(URI baseUri) {`
	`96`	`+ if (!isSecure(baseUri) && !isNotSecure(baseUri)) {`
	`97`	`+ throw new IllegalArgumentException(`
	`98`	`+ String.format("[%s] is not a valid scheme in the base URI %s", baseUri.getScheme(), baseUri));`
	`99`	`+ }`
`96`	`100`	`this.baseUri = Objects.requireNonNull(baseUri);`
`97`	`101`	`return self();`
`98`	`102`	`}`
`@@ -240,6 +244,10 @@ protected WebSocketConnectOptions newConnectOptions(URI serverEndpointUri) {`
`240`	`244`	`return connectOptions;`
`241`	`245`	`}`
`242`	`246`
	`247`	`+ protected boolean isNotSecure(URI uri) {`
	`248`	`+ return "http".equals(uri.getScheme()) \|\| "ws".equals(uri.getScheme());`
	`249`	`+ }`
	`250`	`+`
`243`	`251`	`protected boolean isSecure(URI uri) {`
`244`	`252`	`return "https".equals(uri.getScheme()) \|\| "wss".equals(uri.getScheme());`
`245`	`253`	`}`