Use StringUtils.uriDecode where feasible

nosan · nosan · commit 6cfe880c8b0a · 2025-08-09T14:29:48.000+03:00
Signed-off-by: Dmytro Nosan &lt;dimanosan@gmail.com&gt;
diff --git a/loader/spring-boot-loader-classic/src/main/java/org/springframework/boot/loader/jar/AsciiBytes.java b/loader/spring-boot-loader-classic/src/main/java/org/springframework/boot/loader/jar/AsciiBytes.java
@@ -235,6 +235,10 @@ public String toString() {
 		return this.string;
 	}
 
+	static String toString(byte[] bytes) {
+		return new String(bytes, StandardCharsets.UTF_8);
+	}
+
 	static int hashCode(CharSequence charSequence) {
 		// We're compatible with String's hashCode()
 		if (charSequence instanceof StringSequence) {
diff --git a/loader/spring-boot-loader-classic/src/main/java/org/springframework/boot/loader/jar/JarURLConnection.java b/loader/spring-boot-loader-classic/src/main/java/org/springframework/boot/loader/jar/JarURLConnection.java
@@ -16,18 +16,18 @@
 
 package org.springframework.boot.loader.jar;
 
+import java.io.ByteArrayOutputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.net.URLEncoder;
 import java.net.URLStreamHandler;
 import java.nio.charset.StandardCharsets;
 import java.security.Permission;
 
-import org.springframework.util.StringUtils;
-
 /**
  * {@link java.net.JarURLConnection} used to support {@link JarFile#getUrl()}.
  *
@@ -307,7 +307,41 @@ private StringSequence decode(StringSequence source) {
 			if (source.isEmpty() || (source.indexOf('%') < 0)) {
 				return source;
 			}
-			return new StringSequence(StringUtils.uriDecode(source.toString(), StandardCharsets.UTF_8));
+			ByteArrayOutputStream bos = new ByteArrayOutputStream(source.length());
+			write(source.toString(), bos);
+			// AsciiBytes is what is used to store the JarEntries so make it symmetric
+			return new StringSequence(AsciiBytes.toString(bos.toByteArray()));
+		}
+
+		private void write(String source, ByteArrayOutputStream outputStream) {
+			int length = source.length();
+			for (int i = 0; i < length; i++) {
+				int c = source.charAt(i);
+				if (c > 127) {
+					String encoded = URLEncoder.encode(String.valueOf((char) c), StandardCharsets.UTF_8);
+					write(encoded, outputStream);
+				}
+				else {
+					if (c == '%') {
+						if ((i + 2) >= length) {
+							throw new IllegalArgumentException(
+									"Invalid encoded sequence \"" + source.substring(i) + "\"");
+						}
+						c = decodeEscapeSequence(source, i);
+						i += 2;
+					}
+					outputStream.write(c);
+				}
+			}
+		}
+
+		private char decodeEscapeSequence(String source, int i) {
+			int hi = Character.digit(source.charAt(i + 1), 16);
+			int lo = Character.digit(source.charAt(i + 2), 16);
+			if (hi == -1 || lo == -1) {
+				throw new IllegalArgumentException("Invalid encoded sequence \"" + source.substring(i) + "\"");
+			}
+			return ((char) ((hi << 4) + lo));
 		}
 
 		CharSequence toCharSequence() {
diff --git a/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/protocol/jar/JarUrlConnection.java b/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/protocol/jar/JarUrlConnection.java
@@ -26,7 +26,6 @@
 import java.net.URLClassLoader;
 import java.net.URLConnection;
 import java.net.URLStreamHandler;
-import java.nio.charset.StandardCharsets;
 import java.security.Permission;
 import java.util.Collections;
 import java.util.List;
@@ -36,7 +35,7 @@
 import java.util.jar.JarFile;
 
 import org.springframework.boot.loader.jar.NestedJarFile;
-import org.springframework.util.StringUtils;
+import org.springframework.boot.loader.net.util.UrlDecoder;
 
 /**
  * {@link java.net.JarURLConnection} alternative to
@@ -342,7 +341,7 @@ static JarUrlConnection open(URL url) throws IOException {
 				if ("runtime".equals(url.getRef())) {
 					jarFileUrl = new URL(jarFileUrl, "#runtime");
 				}
-				String entryName = StringUtils.uriDecode(spec.substring(separator + 2), StandardCharsets.UTF_8);
+				String entryName = UrlDecoder.decode(spec.substring(separator + 2));
 				JarFile jarFile = jarFiles.getOrCreate(true, jarFileUrl);
 				jarFiles.cacheIfAbsent(true, jarFileUrl, jarFile);
 				if (!hasEntry(jarFile, entryName)) {
diff --git a/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/protocol/jar/UrlJarFileFactory.java b/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/protocol/jar/UrlJarFileFactory.java
@@ -21,15 +21,14 @@
 import java.io.InputStream;
 import java.lang.Runtime.Version;
 import java.net.URL;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 import java.util.function.Consumer;
 import java.util.jar.JarFile;
 
 import org.springframework.boot.loader.net.protocol.nested.NestedLocation;
-import org.springframework.util.StringUtils;
+import org.springframework.boot.loader.net.util.UrlDecoder;
 
 /**
  * Factory used by {@link UrlJarFiles} to create {@link JarFile} instances.
@@ -77,7 +76,7 @@ private boolean isLocal(String host) {
 
 	private JarFile createJarFileForLocalFile(URL url, Runtime.Version version, Consumer<JarFile> closeAction)
 			throws IOException {
-		String path = StringUtils.uriDecode(url.getPath(), StandardCharsets.UTF_8);
+		String path = UrlDecoder.decode(url.getPath());
 		return new UrlJarFile(new File(path), version, closeAction);
 	}
 
diff --git a/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/protocol/nested/NestedLocation.java b/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/protocol/nested/NestedLocation.java
@@ -19,12 +19,11 @@
 import java.io.File;
 import java.net.URI;
 import java.net.URL;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
-import org.springframework.util.StringUtils;
+import org.springframework.boot.loader.net.util.UrlDecoder;
 
 /**
  * A location obtained from a {@code nested:} {@link URL} consisting of a jar file and an
@@ -76,7 +75,7 @@ public static NestedLocation fromUrl(URL url) {
 		if (url == null || !"nested".equalsIgnoreCase(url.getProtocol())) {
 			throw new IllegalArgumentException("'url' must not be null and must use 'nested' protocol");
 		}
-		return parse(StringUtils.uriDecode(url.toString().substring(7), StandardCharsets.UTF_8));
+		return parse(UrlDecoder.decode(url.toString().substring(7)));
 	}
 
 	/**
diff --git a/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/util/UrlDecoder.java b/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/util/UrlDecoder.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.loader.net.util;
+
+import java.nio.ByteBuffer;
+import java.nio.CharBuffer;
+import java.nio.charset.CharsetDecoder;
+import java.nio.charset.CoderResult;
+import java.nio.charset.CodingErrorAction;
+import java.nio.charset.StandardCharsets;
+
+/**
+ * Utility to decode URL strings.
+ *
+ * @author Phillip Webb
+ * @since 3.2.0
+ */
+public final class UrlDecoder {
+
+	private UrlDecoder() {
+	}
+
+	/**
+	 * Decode the given string by decoding URL {@code '%'} escapes. This method should be
+	 * identical in behavior to the {@code decode} method in the internal
+	 * {@code sun.net.www.ParseUtil} JDK class.
+	 * @param string the string to decode
+	 * @return the decoded string
+	 */
+	public static String decode(String string) {
+		int length = string.length();
+		if ((length == 0) || (string.indexOf('%') < 0)) {
+			return string;
+		}
+		StringBuilder result = new StringBuilder(length);
+		ByteBuffer byteBuffer = ByteBuffer.allocate(length);
+		CharBuffer charBuffer = CharBuffer.allocate(length);
+		CharsetDecoder decoder = StandardCharsets.UTF_8.newDecoder()
+			.onMalformedInput(CodingErrorAction.REPORT)
+			.onUnmappableCharacter(CodingErrorAction.REPORT);
+		int index = 0;
+		while (index < length) {
+			char ch = string.charAt(index);
+			if (ch != '%') {
+				result.append(ch);
+				if (index + 1 >= length) {
+					return result.toString();
+				}
+				index++;
+				continue;
+			}
+			index = fillByteBuffer(byteBuffer, string, index, length);
+			decodeToCharBuffer(byteBuffer, charBuffer, decoder);
+			result.append(charBuffer.flip());
+
+		}
+		return result.toString();
+	}
+
+	private static int fillByteBuffer(ByteBuffer byteBuffer, String string, int index, int length) {
+		byteBuffer.clear();
+		do {
+			byteBuffer.put(unescape(string, index));
+			index += 3;
+		}
+		while (index < length && string.charAt(index) == '%');
+		byteBuffer.flip();
+		return index;
+	}
+
+	private static byte unescape(String string, int index) {
+		try {
+			return (byte) Integer.parseInt(string, index + 1, index + 3, 16);
+		}
+		catch (NumberFormatException ex) {
+			throw new IllegalArgumentException();
+		}
+	}
+
+	private static void decodeToCharBuffer(ByteBuffer byteBuffer, CharBuffer charBuffer, CharsetDecoder decoder) {
+		decoder.reset();
+		charBuffer.clear();
+		assertNoError(decoder.decode(byteBuffer, charBuffer, true));
+		assertNoError(decoder.flush(charBuffer));
+	}
+
+	private static void assertNoError(CoderResult result) {
+		if (result.isError()) {
+			throw new IllegalArgumentException("Error decoding percent encoded characters");
+		}
+	}
+
+}
diff --git a/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/util/package-info.java b/loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/net/util/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Net utilities.
+ */
+package org.springframework.boot.loader.net.util;
diff --git a/loader/spring-boot-loader/src/test/java/org/springframework/boot/loader/net/protocol/jar/JarUrlTests.java b/loader/spring-boot-loader/src/test/java/org/springframework/boot/loader/net/protocol/jar/JarUrlTests.java
@@ -19,14 +19,13 @@
 import java.io.File;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.nio.charset.StandardCharsets;
 import java.util.jar.JarEntry;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 
-import org.springframework.util.StringUtils;
+import org.springframework.boot.loader.net.util.UrlDecoder;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -94,7 +93,7 @@ void createWithReservedCharsInName() throws Exception {
 		setup();
 		URL url = JarUrl.create(this.jarFile, "lib.jar", "com/example/My.class");
 		assertThat(url).hasToString("jar:nested:%s/!lib.jar!/com/example/My.class".formatted(this.jarFileUrlPath));
-		assertThat(StringUtils.uriDecode(url.toString(), StandardCharsets.UTF_8)).contains(badFolderName);
+		assertThat(UrlDecoder.decode(url.toString())).contains(badFolderName);
 	}
 
 }
diff --git a/loader/spring-boot-loader/src/test/java/org/springframework/boot/loader/net/util/UrlDecoderTests.java b/loader/spring-boot-loader/src/test/java/org/springframework/boot/loader/net/util/UrlDecoderTests.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.loader.net.util;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link UrlDecoder}.
+ *
+ * @author Phillip Webb
+ */
+class UrlDecoderTests {
+
+	@Test
+	void decodeWhenBasicString() {
+		assertThat(UrlDecoder.decode("a/b/C.class")).isEqualTo("a/b/C.class");
+	}
+
+	@Test
+	void decodeWhenHasSingleByteEncodedCharacters() {
+		assertThat(UrlDecoder.decode("%61/%62/%43.class")).isEqualTo("a/b/C.class");
+	}
+
+	@Test
+	void decodeWhenHasDoubleByteEncodedCharacters() {
+		assertThat(UrlDecoder.decode("%c3%a1/b/C.class")).isEqualTo("\u00e1/b/C.class");
+	}
+
+	@Test
+	void decodeWhenHasMixtureOfEncodedAndUnencodedDoubleByteCharacters() {
+		assertThat(UrlDecoder.decode("%c3%a1/b/\u00c7.class")).isEqualTo("\u00e1/b/\u00c7.class");
+	}
+
+}
