Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CXF-8947] - Avoid expensive regex operations in Rfc3986UriValidator #1483

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

WhiteCat22
Copy link
Contributor

…if URI.getHost() returns a host name

Signed-off-by: Adam Anderson <atanderson9383@gmail.com>
if (HttpUtils.isHttpScheme(uri.getScheme())) {
// If URI.getHost() returns a host name, validate it and
// skip the expensive regular expression logic.
final String uriHost = uri.getHost();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@WhiteCat22 the reason for this validator to exists sadly is the fact that Java's URI is not RFC-3986 complaint. The host is not trustful source here hence we validate it against the pattern.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a good point that we had not considered.

private static final Set<String> KNOWN_HTTP_VERBS_WITH_NO_REQUEST_CONTENT =
new HashSet<>(Arrays.asList(new String[]{"GET", "HEAD", "OPTIONS", "TRACE"}));
private static final Set<String> KNOWN_HTTP_VERBS_WITH_NO_RESPONSE_CONTENT =
new HashSet<>(Arrays.asList(new String[]{"HEAD", "OPTIONS"}));

private static final Pattern HTTP_SCHEME_PATTERN = Pattern.compile("^(?i)(http|https)$");
Copy link
Member

@reta reta Oct 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pattern is super straightforward to look up, what are exactly the gains here (vs adding the set + comparator + lowecasing)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @reta , Sorry for the delay. The reason we changed this was because HashSet.contains(String) uses "WAY" less CPU than Pattern.matcher(String).matches()

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough, may be we could just have two constants instead?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants