/foo/%2e%2e/bar
+ * Allow ambiguous path segments e.g. /foo/%2e%2e/bar
*/
AMBIGUOUS_PATH_SEGMENT("https://tools.ietf.org/html/rfc3986#section-3.3", "Ambiguous URI path segment"),
/**
- * Ambiguous path separator within a URI segment e.g. /foo/b%2fr
+ * Allow ambiguous path separator within a URI segment e.g. /foo/b%2fr
*/
AMBIGUOUS_PATH_SEPARATOR("https://tools.ietf.org/html/rfc3986#section-3.3", "Ambiguous URI path separator"),
/**
- * Ambiguous path parameters within a URI segment e.g. /foo/..;/bar
+ * Allow ambiguous path parameters within a URI segment e.g. /foo/..;/bar
*/
- AMBIGUOUS_PATH_PARAMETER("https://tools.ietf.org/html/rfc3986#section-3.3", "Ambiguous URI path parameter");
+ AMBIGUOUS_PATH_PARAMETER("https://tools.ietf.org/html/rfc3986#section-3.3", "Ambiguous URI path parameter"),
+ /**
+ * Allow Non canonical ambiguous paths. eg /foo/x%2f%2e%2e%/bar
provided to applications as /foo/x/../bar
+ */
+ NON_CANONICAL_AMBIGUOUS_PATHS("https://tools.ietf.org/html/rfc3986#section-3.3", "Non canonical ambiguous paths");
private final String _url;
private final String _description;
@@ -84,19 +92,28 @@ public final class UriCompliance implements ComplianceViolation.Mode
}
/**
- * The default compliance mode that extends RFC3986 compliance with additional violations to avoid ambiguous URIs
+ * The default compliance mode that extends RFC3986 compliance with additional violations to avoid most ambiguous URIs.
+ * This mode does allow {@link Violation#AMBIGUOUS_PATH_SEPARATOR}, but disallows
+ * {@link Violation#AMBIGUOUS_PATH_PARAMETER} and {@link Violation#AMBIGUOUS_PATH_SEGMENT}.
+ * Ambiguous paths are not allowed by {@link Violation#NON_CANONICAL_AMBIGUOUS_PATHS}.
*/
- public static final UriCompliance DEFAULT = new UriCompliance("DEFAULT", noneOf(Violation.class));
+ public static final UriCompliance DEFAULT = new UriCompliance("DEFAULT", of(Violation.AMBIGUOUS_PATH_SEPARATOR));
/**
- * LEGACY compliance mode that disallows only ambiguous path parameters as per Jetty-9.4
+ * LEGACY compliance mode that models Jetty-9.4 behavior by allowing {@link Violation#AMBIGUOUS_PATH_SEGMENT} and {@link Violation#AMBIGUOUS_PATH_SEPARATOR}
*/
- public static final UriCompliance LEGACY = new UriCompliance("LEGACY", EnumSet.of(Violation.AMBIGUOUS_PATH_SEGMENT, Violation.AMBIGUOUS_PATH_SEPARATOR));
+ public static final UriCompliance LEGACY = new UriCompliance("LEGACY", of(Violation.AMBIGUOUS_PATH_SEGMENT, Violation.AMBIGUOUS_PATH_SEPARATOR));
/**
- * Compliance mode that exactly follows RFC3986, including allowing all additional ambiguous URI Violations
+ * Compliance mode that exactly follows RFC3986, including allowing all additional ambiguous URI Violations,
+ * except {@link Violation#NON_CANONICAL_AMBIGUOUS_PATHS}, thus ambiguous paths are canonicalized for safety.
*/
- public static final UriCompliance RFC3986 = new UriCompliance("RFC3986", allOf(Violation.class));
+ public static final UriCompliance RFC3986 = new UriCompliance("RFC3986", complementOf(of(Violation.NON_CANONICAL_AMBIGUOUS_PATHS)));
+
+ /**
+ * Compliance mode that allows all URI Violations, including allowing ambiguous paths in non canonicalized form.
+ */
+ public static final UriCompliance UNSAFE = new UriCompliance("UNSAFE", allOf(Violation.class));
/**
* @deprecated equivalent to DEFAULT
@@ -125,6 +142,17 @@ public final class UriCompliance implements ComplianceViolation.Mode
return null;
}
+ /**
+ * Create compliance set from a set of allowed Violations.
+ *
+ * @param violations A string of violations to allow:
+ * @return the compliance from the string spec
+ */
+ public static UriCompliance from(Set
@@ -151,22 +179,23 @@ public final class UriCompliance implements ComplianceViolation.Mode
*/
public static UriCompliance from(String spec)
{
- Set