Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CXF-8947] - Avoid expensive regex operations in Rfc3986UriValidator #1483

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[CXF-8947] - Avoid expensive regex operations in Rfc3986UriValidator #1483

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/Rfc3986UriValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,21 +39,28 @@ final class Rfc3986UriValidator {

private static final String LAST = "#(.*)";

private static final Pattern HTTP_URL = Pattern.compile("^" + SCHEME
private static final Pattern HTTP_URL = Pattern.compile("^" + SCHEME
+ "(//(" + USERINFO + "@)?" + HOST + ")?" + PATH
+ "(\\?" + QUERY + ")?" + "(" + LAST + ")?");

private Rfc3986UriValidator() {
}

/**
* Validate the HTTP URL according to https://datatracker.ietf.org/doc/html/rfc3986#appendix-B
* Validate the HTTP URL according to https://datatracker.ietf.org/doc/html/rfc3986#appendix-B
* @param uri HTTP schemed URI to validate
* @return "true" if URI matches RFC-3986 validation rules, "false" otherwise
*/
public static boolean validate(final URI uri) {
// Only validate the HTTP(s) URIs
if (HttpUtils.isHttpScheme(uri.getScheme())) {
if (HttpUtils.isHttpScheme(uri.getScheme())) {
// If URI.getHost() returns a host name, validate it and
// skip the expensive regular expression logic.
final String uriHost = uri.getHost();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@WhiteCat22 the reason for this validator to exists sadly is the fact that Java's URI is not RFC-3986 complaint. The host is not trustful source here hence we validate it against the pattern.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a good point that we had not considered.

if (uriHost != null) {
return !StringUtils.isEmpty(uriHost);
}

final Matcher matcher = HTTP_URL.matcher(uri.toString());
if (matcher.matches()) {
final String host = matcher.group(5);
Expand Down
31 changes: 18 additions & 13 deletions rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,13 +93,18 @@ public final class HttpUtils {
// there are more of such characters, ex, '*' but '*' is not affected by UrlEncode
private static final String PATH_RESERVED_CHARACTERS = "=@/:!$&\'(),;~";
private static final String QUERY_RESERVED_CHARACTERS = "?/,";

private static final Set<String> KNOWN_HTTP_VERBS_WITH_NO_REQUEST_CONTENT =
new HashSet<>(Arrays.asList(new String[]{"GET", "HEAD", "OPTIONS", "TRACE"}));
private static final Set<String> KNOWN_HTTP_VERBS_WITH_NO_RESPONSE_CONTENT =
new HashSet<>(Arrays.asList(new String[]{"HEAD", "OPTIONS"}));

private static final Pattern HTTP_SCHEME_PATTERN = Pattern.compile("^(?i)(http|https)$");
Copy link
Member

@reta reta Oct 24, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pattern is super straightforward to look up, what are exactly the gains here (vs adding the set + comparator + lowecasing)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @reta , Sorry for the delay. The reason we changed this was because HashSet.contains(String) uses "WAY" less CPU than Pattern.matcher(String).matches()

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough, may be we could just have two constants instead?


private static final Set<String> HTTP_SCHEMES = new HashSet<>();

static {
HTTP_SCHEMES.add("http");
HTTP_SCHEMES.add("https");
}

private HttpUtils() {
}
Expand Down Expand Up @@ -372,7 +377,7 @@ public static URI toAbsoluteUri(String relativePath, Message message) {
(HttpServletRequest)message.get(AbstractHTTPDestination.HTTP_REQUEST));
return URI.create(base + relativePath);
}

public static void setHttpRequestURI(Message message, String uriTemplate) {
HttpServletRequest request =
(HttpServletRequest)message.get(AbstractHTTPDestination.HTTP_REQUEST);
Expand Down Expand Up @@ -479,8 +484,8 @@ public static String getBaseAddress(Message m) {
URI uri = new URI(endpointAddress);
String path = uri.getRawPath();
String scheme = uri.getScheme();
// RFC-3986: the scheme and host are case-insensitive and therefore should
// be normalized to lowercase.
// RFC-3986: the scheme and host are case-insensitive and therefore should
// be normalized to lowercase.
if (scheme != null && !scheme.toLowerCase().startsWith(HttpUtils.HTTP_SCHEME)
&& HttpUtils.isHttpRequest(m)) {
path = HttpUtils.toAbsoluteUri(path, m).getRawPath();
Expand All @@ -493,15 +498,15 @@ public static String getBaseAddress(Message m) {

public static String getEndpointUri(Message m) {
final Object servletRequest = m.get(AbstractHTTPDestination.HTTP_REQUEST);

if (servletRequest != null) {
final Object property = ((jakarta.servlet.http.HttpServletRequest)servletRequest)
.getAttribute("org.apache.cxf.transport.endpoint.uri");
if (property != null) {
return property.toString();
}
}

return getEndpointAddress(m);
}

Expand Down Expand Up @@ -618,7 +623,7 @@ public static String getEncoding(MediaType mt, String defaultEncoding) {

public static String getMediaTypeCharsetParameter(MediaType mt) {
String charset = mt.getParameters().get(CHARSET_PARAMETER);
if (charset != null && charset.startsWith(DOUBLE_QUOTE)
if (charset != null && charset.startsWith(DOUBLE_QUOTE)
&& charset.endsWith(DOUBLE_QUOTE) && charset.length() > 1) {
charset = charset.substring(1, charset.length() - 1);
}
Expand Down Expand Up @@ -699,7 +704,7 @@ public static boolean isPayloadEmpty(MultivaluedMap<String, String> headers) {

return false;
}

public static <T> T createServletResourceValue(Message m, Class<T> clazz) {

Object value = null;
Expand All @@ -721,12 +726,12 @@ public static <T> T createServletResourceValue(Message m, Class<T> clazz) {
public static boolean isMethodWithNoRequestContent(String method) {
return KNOWN_HTTP_VERBS_WITH_NO_REQUEST_CONTENT.contains(method);
}

public static boolean isMethodWithNoResponseContent(String method) {
return KNOWN_HTTP_VERBS_WITH_NO_RESPONSE_CONTENT.contains(method);
}

public static boolean isHttpScheme(final String scheme) {
return scheme != null && HTTP_SCHEME_PATTERN.matcher(scheme).matches();
return scheme != null && HTTP_SCHEMES.contains(scheme.toLowerCase());
}
}