From 79ecdf7bef85c00ae5b9271ef8d7338306d72881 Mon Sep 17 00:00:00 2001
From: Zipeng WU <zipeng.wu@sonarsource.com>
Date: Thu, 1 Jul 2021 15:24:24 +0200
Subject: SONAR-13513 Request parameter should not allow NUL character

---
 .../src/main/java/org/sonar/api/impl/ws/ValidatingRequest.java      | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'sonar-plugin-api-impl')

diff --git a/sonar-plugin-api-impl/src/main/java/org/sonar/api/impl/ws/ValidatingRequest.java b/sonar-plugin-api-impl/src/main/java/org/sonar/api/impl/ws/ValidatingRequest.java
index 033b95f8fb7..cc83b0cf58b 100644
--- a/sonar-plugin-api-impl/src/main/java/org/sonar/api/impl/ws/ValidatingRequest.java
+++ b/sonar-plugin-api-impl/src/main/java/org/sonar/api/impl/ws/ValidatingRequest.java
@@ -153,7 +153,11 @@ public abstract class ValidatingRequest extends Request {
   private String readParam(String key, @Nullable WebService.Param definition) {
     checkArgument(definition != null, "BUG - parameter '%s' is undefined for action '%s'", key, action.key());
     String deprecatedKey = definition.deprecatedKey();
-    return deprecatedKey != null ? defaultString(readParam(deprecatedKey), readParam(key)) : readParam(key);
+    String param = deprecatedKey != null ? defaultString(readParam(deprecatedKey), readParam(key)) : readParam(key);
+    if (param != null && param.contains("\0")) {
+      throw new IllegalArgumentException("Request parameters are not allowed to contain NUL character");
+    }
+    return param;
   }
 
   private List<String> readMultiParamOrDefaultValue(String key, @Nullable WebService.Param definition) {
-- 
cgit v1.2.3