From 5c3499a00885700d0fd45acaafce67a472417a0f Mon Sep 17 00:00:00 2001
From: David Handermann <exceptionfactory@apache.org>
Date: Fri, 20 Dec 2024 12:32:17 -0600
Subject: [PATCH] NIFI-14103 Corrected thread safety for Proxied Entity Encoder
 (#9591)

- Created new CharsetEncoder for each method invocation
---
 .../proxied/entity/StandardProxiedEntityEncoder.java       | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/nifi-commons/nifi-security-proxied-entity/src/main/java/org/apache/nifi/security/proxied/entity/StandardProxiedEntityEncoder.java b/nifi-commons/nifi-security-proxied-entity/src/main/java/org/apache/nifi/security/proxied/entity/StandardProxiedEntityEncoder.java
index 4132537474..edfbb7cdf6 100644
--- a/nifi-commons/nifi-security-proxied-entity/src/main/java/org/apache/nifi/security/proxied/entity/StandardProxiedEntityEncoder.java
+++ b/nifi-commons/nifi-security-proxied-entity/src/main/java/org/apache/nifi/security/proxied/entity/StandardProxiedEntityEncoder.java
@@ -16,6 +16,7 @@
  */
 package org.apache.nifi.security.proxied.entity;
 
+import java.nio.charset.Charset;
 import java.nio.charset.CharsetEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
@@ -34,7 +35,7 @@ public class StandardProxiedEntityEncoder implements ProxiedEntityEncoder {
 
     private static final String ESCAPED_LT = "\\\\<";
 
-    private static final CharsetEncoder headerValueCharsetEncoder = StandardCharsets.US_ASCII.newEncoder();
+    private static final Charset headerValueCharset = StandardCharsets.US_ASCII;
 
     private static final Base64.Encoder headerValueEncoder = Base64.getEncoder();
 
@@ -73,7 +74,9 @@ public class StandardProxiedEntityEncoder implements ProxiedEntityEncoder {
         } else {
             final String escaped = identity.replaceAll(LT, ESCAPED_LT).replaceAll(GT, ESCAPED_GT);
 
-            if (headerValueCharsetEncoder.canEncode(escaped)) {
+            // Create method-local CharsetEncoder for thread-safe state handling
+            final CharsetEncoder charsetEncoder = headerValueCharset.newEncoder();
+            if (charsetEncoder.canEncode(escaped)) {
                 // Strings limited to US-ASCII characters can be transmitted as HTTP header values without encoding
                 sanitized = escaped;
             } else {