Handle special characters in TraceableHttpServletRequest

Fixes gh-13273

Author: mbhave

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/TraceableHttpServletRequest.java

@@ -17,6 +17,8 @@
 package org.springframework.boot.actuate.web.trace.servlet;
 
 import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.LinkedHashMap;
@@ -27,6 +29,7 @@
 
 import org.springframework.boot.actuate.trace.http.TraceableRequest;
 import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriUtils;
 
 /**
  * An adapter that exposes an {@link HttpServletRequest} as a {@link TraceableRequest}.
@@ -48,12 +51,26 @@ public String getMethod() {
 
 	@Override
 	public URI getUri() {
-		StringBuffer urlBuffer = this.request.getRequestURL();
-		if (StringUtils.hasText(this.request.getQueryString())) {
-			urlBuffer.append("?");
-			urlBuffer.append(this.request.getQueryString());
+		String queryString = this.request.getQueryString();
+		if (!StringUtils.hasText(queryString)) {
+			return URI.create(this.request.getRequestURL().toString());
+		}
+		try {
+			StringBuffer urlBuffer = appendQueryString(queryString);
+			return new URI(urlBuffer.toString());
+		}
+		catch (URISyntaxException ex) {
+			String encoded = UriUtils.encode(queryString, StandardCharsets.UTF_8);
+			StringBuffer urlBuffer = appendQueryString(encoded);
+			return URI.create(urlBuffer.toString());
 		}
-		return URI.create(urlBuffer.toString());
+	}
+
+	private StringBuffer appendQueryString(String queryString) {
+		StringBuffer urlBuffer = this.request.getRequestURL();
+		urlBuffer.append("?");
+		urlBuffer.append(queryString);
+		return urlBuffer;
 	}
 
 	@Override

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/web/trace/servlet/TraceableHttpServletRequestTests.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.boot.actuate.web.trace.servlet;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import org.springframework.mock.web.MockHttpServletRequest;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link TraceableHttpServletRequest}.
+ *
+ * @author Madhura Bhave
+ */
+public class TraceableHttpServletRequestTests {
+
+	private MockHttpServletRequest request;
+
+	@Before
+	public void setup() {
+		this.request = new MockHttpServletRequest("GET", "/script");
+	}
+
+	@Test
+	public void getUriWithoutQueryStringShouldReturnUri() {
+		validate("http://localhost/script");
+	}
+
+	@Test
+	public void getUriShouldReturnUriWithQueryString() {
+		this.request.setQueryString("a=b");
+		validate("http://localhost/script?a=b");
+	}
+
+	@Test
+	public void getUriWithSpecialCharactersInQueryStringShouldEncode() {
+		this.request.setQueryString("a=${b}");
+		validate("http://localhost/script?a%3D%24%7Bb%7D");
+	}
+
+	@Test
+	public void getUriWithSpecialCharactersEncodedShouldNotDoubleEncode() {
+		this.request.setQueryString("a%3D%24%7Bb%7D");
+		validate("http://localhost/script?a%3D%24%7Bb%7D");
+	}
+
+	private void validate(String expectedUri) {
+		TraceableHttpServletRequest trace = new TraceableHttpServletRequest(this.request);
+		assertThat(trace.getUri().toString()).isEqualTo(expectedUri);
+	}
+
+}