sahvx655-wq opened a new pull request, #383: URL: https://github.com/apache/commons-validator/pull/383
### Summary

This PR fixes a path validation bypass in `UrlValidator` where percent-encoded path traversal sequences could evade the existing parent-directory checks performed by `isValidPath(String)`.

`UrlValidator` validates paths by normalizing the URL path and rejecting traversal attempts such as `/../`. However, the validation logic operates on the raw path component. Percent-encoded traversal sequences (for example `%2e%2e` and `%2f`) are not interpreted during normalization and therefore are not collapsed into their equivalent `../` path segments.

As a result, inputs such as:

```
http://example.com/..%2fetc/passwd
http://example.com/%2e%2e/world
```

can bypass the existing traversal checks and be considered valid.

Decode traversal-relevant percent-encoded characters before normalization so that encoded traversal sequences are evaluated consistently with their literal equivalents. This ensures that both literal and percent-encoded parent-directory traversal attempts are rejected by the existing validation logic.

Added regression tests covering:

* `..%2f`
* `..%2F`
* `%2e%2e/`
* `%2e%2e%2f`
* mixed-case encoded traversal sequences

The new tests fail prior to the fix and pass after the fix.

This change closes a validation gap in `UrlValidator` and ensures that directory traversal checks cannot be bypassed using percent-encoded path separators or dot segments.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
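The gap described in the pull request, as an added Java example (not code from the PR or from commons-validator). `EncodedTraversalDemo`, `decodeTraversalChars` and `escapesRoot` are hypothetical names, and the segment walk is an assumed stand-in for the validator's normalization step; it shows the same parent-directory check run on the raw path and on the path after decoding only `%2e` and `%2f`.

```java
import java.util.Locale;

/** Added illustration; names are hypothetical, not commons-validator code. */
public class EncodedTraversalDemo {

    /** Decodes only %2e -> '.' and %2f -> '/', case-insensitively; other escapes stay as-is. */
    static String decodeTraversalChars(String path) {
        StringBuilder out = new StringBuilder(path.length());
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == '%' && i + 2 < path.length()) {
                String hex = path.substring(i + 1, i + 3).toLowerCase(Locale.ROOT);
                if (hex.equals("2e") || hex.equals("2f")) {
                    out.append(hex.equals("2e") ? '.' : '/');
                    i += 2; // skip the two hex digits just consumed
                    continue;
                }
            }
            out.append(c);
        }
        return out.toString();
    }

    /** True if resolving "." and ".." segments would climb above the root. */
    static boolean escapesRoot(String path) {
        int depth = 0;
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (--depth < 0) return true;
            } else {
                depth++;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs; the first two are the paths of the URLs quoted in the PR text.
        String[] samples = {
            "/..%2fetc/passwd", "/%2e%2e/world", "/%2E%2e%2Fworld", "/a/%2e%2e/b", "/report%2epdf"
        };
        for (String p : samples) {
            System.out.printf("%-20s rawEscapes=%-5b decodedEscapes=%b%n",
                    p, escapesRoot(p), escapesRoot(decodeTraversalChars(p)));
        }
    }
}
```

The decode is a single pass, so a doubly encoded sequence such as `%252e%252e` is left as written rather than unwrapped.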
