From ce897731b2f25ff37b5b40d5c7c95abb7fdf8dba Mon Sep 17 00:00:00 2001
From: Dimitris Kavvathas
Date: Thu, 13 Jun 2024 15:07:04 +0200
Subject: [PATCH] SONAR-22329 Fix URL sanitization logic for OAuth2 authentication params.

---
 .../OAuth2AuthenticationParametersImpl.java | 16 ++++++++++++----
 .../OAuth2AuthenticationParametersImplTest.java | 2 ++
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/OAuth2AuthenticationParametersImpl.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/OAuth2AuthenticationParametersImpl.java
index 7be6aed2680..fb890b21283 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/OAuth2AuthenticationParametersImpl.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/OAuth2AuthenticationParametersImpl.java
@@ -24,6 +24,8 @@ import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.reflect.TypeToken;
 import java.io.UnsupportedEncodingException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.nio.file.Path;
 import java.util.HashMap;
 import java.util.Map;
@@ -131,11 +133,17 @@ public class OAuth2AuthenticationParametersImpl implements OAuth2AuthenticationP
 return empty();
 }
- Path sanitizedPath = escapePathTraversalChars(trimmedUrl);
- return Optional.of(sanitizedPath.toString());
+ try {
+ URI uri = new URI(trimmedUrl);
+ String sanitizedPath = escapePathTraversalChars(uri.getPath());
+ URI sanitizedUri = new URI(uri.getScheme(), uri.getUserInfo(), uri.getHost(), uri.getPort(), sanitizedPath, uri.getQuery(), uri.getFragment());
+ return Optional.of(sanitizedUri.toString());
+ } catch (URISyntaxException e) {
+ throw new IllegalStateException(e);
+ }
 }
- private static Path escapePathTraversalChars(String sanitizedUrl) {
- return Path.of(sanitizedUrl).normalize();
+ private static String escapePathTraversalChars(String path) {
+ return Path.of(path).normalize().toString();
 }
 }
diff --git a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/OAuth2AuthenticationParametersImplTest.java b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/OAuth2AuthenticationParametersImplTest.java
index 4c9b4d4b2fb..c3d2ddc05b8 100644
--- a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/OAuth2AuthenticationParametersImplTest.java
+++ b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/OAuth2AuthenticationParametersImplTest.java
@@ -157,6 +157,8 @@ public class OAuth2AuthenticationParametersImplTest {
 {generatePath("/admin/..%2fsettings/"), "/settings"},
 {generatePath("/admin/%2e%2e%2fsettings/"), "/settings"},
 {generatePath("../admin/settings"), null},
+ {generatePath("/dashboard?id=project&pullRequest=PRID"), "/dashboard?id=project&pullRequest=PRID"},
+ {generatePath("%2Fdashboard%3Fid%3Dproject%26pullRequest%3DPRID&authorizationError=true"), "/dashboard?id=project&pullRequest=PRID&authorizationError=true"},
 };
 }
-- 
2.39.5
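Review bot: A stored redirect value that `new URI(trimmedUrl)` cannot parse now fails the request with `IllegalStateException` instead of being dropped like the other invalid values handled just above (`return empty();`), so one malformed value — an unmatched percent escape, for instance — becomes a server error rather than a fallback to the default redirect; `catch (URISyntaxException e) { return empty(); }` (logged at debug level if desired) keeps the method's existing contract. Likewise `uri.getPath()` is null for an opaque URI such as `scheme:value`, and `Path.of(null)` in `escapePathTraversalChars` would then throw NPE unless the checks preceding this hunk already reject non-path values — a guard `if (uri.getPath() == null) { return empty(); }` before the call would make that explicit. Note also that scheme, user-info, host and port are copied verbatim into the rebuilt URI, so any restriction to same-host redirects has to come from the validation above the hunk rather than from the normalization itself. The enclosing method starts outside the hunk.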
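Review bot: Both added rows are well-formed values, so the new `catch (URISyntaxException e)` branch and the opaque-URI case where `getPath()` returns null are not pinned by any test; a row with a value `new URI` rejects (one containing a lone `%`, constructed example) and a row with an opaque value such as `scheme:value` would document whether the expected outcome is `null` or an exception. The second added row also deserves a one-line comment stating that `?` and `&` arrive percent-encoded inside the path and that the expected string contains them as a literal query, since that is what the test now asserts and it is easy to misread as a typo.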