Add minor checks in jetty utils class
diff --git a/server/src/main/java/org/apache/druid/server/JettyUtils.java b/server/src/main/java/org/apache/druid/server/JettyUtils.java
index 717eb13..0f503ef 100644
--- a/server/src/main/java/org/apache/druid/server/JettyUtils.java
+++ b/server/src/main/java/org/apache/druid/server/JettyUtils.java
@@ -33,9 +33,13 @@
* Concatenate URI parts, in a way that is useful for proxy servlets.
*
* @param base base part of the uri, like http://example.com (no trailing slash)
- * @param encodedPath encoded path, like you would get from HttpServletRequest's getRequestURI
+ * @param encodedPath encoded path, like you would get from HttpServletRequest's getRequestURI. Must start with
+ * a slash.
* @param encodedQueryString encoded query string, like you would get from HttpServletRequest's getQueryString
+ *
+ * @return rewritten target URI, or null if the URI cannot be rewritten
*/
+ @Nullable
public static String concatenateForRewrite(
final String base,
final String encodedPath,
@@ -44,6 +48,10 @@
{
// Query string and path are already encoded, no need for anything fancy beyond string concatenation.
+ if (!encodedPath.startsWith("/")) {
+ return null;
+ }
+
final StringBuilder url = new StringBuilder(base).append(encodedPath);
if (encodedQueryString != null) {
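Review bot: The new guard `if (!encodedPath.startsWith("/"))` dereferences `encodedPath` without a null check, so a null path now throws a NullPointerException instead of returning the documented null; before this change `StringBuilder.append` would have accepted it. Consider `if (encodedPath == null || !encodedPath.startsWith("/")) {` so every unusable path takes the same rejection branch. The guard also deserves its own why-comment, for example `// A path without a leading slash would be appended directly to the authority in base, so refuse to build the URI.`, because the existing comment above it only talks about encoding. The method body continues past the end of this hunk, and the callers that have to handle the null return are not visible here.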
diff --git a/server/src/test/java/org/apache/druid/server/AsyncManagementForwardingServletTest.java b/server/src/test/java/org/apache/druid/server/AsyncManagementForwardingServletTest.java
index ba7c78b..b495200 100644
--- a/server/src/test/java/org/apache/druid/server/AsyncManagementForwardingServletTest.java
+++ b/server/src/test/java/org/apache/druid/server/AsyncManagementForwardingServletTest.java
@@ -352,11 +352,35 @@
}
@Test
+ public void testCoordinatorNoPath() throws Exception
+ {
+ HttpURLConnection connection = ((HttpURLConnection)
+ new URL(StringUtils.format("http://localhost:%d/proxy/coordinator", port)).openConnection());
+ connection.setRequestMethod("GET");
+
+ Assert.assertEquals(403, connection.getResponseCode()); // proxy with no path is not allowed
+ Assert.assertFalse("coordinator called", COORDINATOR_EXPECTED_REQUEST.called);
+ Assert.assertFalse("overlord called", OVERLORD_EXPECTED_REQUEST.called);
+ }
+
+ @Test
+ public void testOverlordNoPath() throws Exception
+ {
+ HttpURLConnection connection = ((HttpURLConnection)
+ new URL(StringUtils.format("http://localhost:%d/proxy/overlord", port)).openConnection());
+ connection.setRequestMethod("GET");
+
+ Assert.assertEquals(403, connection.getResponseCode()); // proxy with no path is not allowed
+ Assert.assertFalse("coordinator called", COORDINATOR_EXPECTED_REQUEST.called);
+ Assert.assertFalse("overlord called", OVERLORD_EXPECTED_REQUEST.called);
+ }
+
+ @Test
public void testCoordinatorLeaderUnknown() throws Exception
{
isValidLeader = false;
HttpURLConnection connection = ((HttpURLConnection)
- new URL(StringUtils.format("http://localhost:%d/druid/coordinator", port)).openConnection());
+ new URL(StringUtils.format("http://localhost:%d/druid/coordinator/status", port)).openConnection());
connection.setRequestMethod("GET");
Assert.assertEquals(503, connection.getResponseCode());
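Review bot: `testCoordinatorNoPath` and `testOverlordNoPath` only cover a request where nothing follows the proxy prefix. Assuming the servlet hands the remainder after the prefix to `concatenateForRewrite`, there is no servlet-level case for a remainder that is non-empty but does not begin with a slash, which the new guard also rejects and which is pinned only at unit level in JettyUtilsTest. One such request per target, asserting 403 and that neither `COORDINATOR_EXPECTED_REQUEST.called` nor `OVERLORD_EXPECTED_REQUEST.called` is set, would cover the rejection end to end. The two new tests differ only in the URL, so a private helper taking the request path would remove the duplication.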
@@ -369,7 +393,7 @@
{
isValidLeader = false;
HttpURLConnection connection = ((HttpURLConnection)
- new URL(StringUtils.format("http://localhost:%d/druid/indexer", port)).openConnection());
+ new URL(StringUtils.format("http://localhost:%d/druid/indexer/status", port)).openConnection());
connection.setRequestMethod("GET");
Assert.assertEquals(503, connection.getResponseCode());
diff --git a/server/src/test/java/org/apache/druid/server/JettyUtilsTest.java b/server/src/test/java/org/apache/druid/server/JettyUtilsTest.java
index bd6d86f..de1cb2b 100644
--- a/server/src/test/java/org/apache/druid/server/JettyUtilsTest.java
+++ b/server/src/test/java/org/apache/druid/server/JettyUtilsTest.java
@@ -36,4 +36,28 @@
)
);
}
+
+ @Test
+ public void testConcatenateForRewriteEmptyPath()
+ {
+ Assert.assertNull(
+ JettyUtils.concatenateForRewrite(
+ "http://example.com",
+ "",
+ "q=baz%20qux"
+ )
+ );
+ }
+
+ @Test
+ public void testConcatenateForRewriteInvalidPath()
+ {
+ Assert.assertNull(
+ JettyUtils.concatenateForRewrite(
+ "http://example.com",
+ "foo%20bar", // path must start with '/'
+ "q=baz%20qux"
+ )
+ );
+ }
}
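Review bot: Both new tests pin only the rejecting side of the guard, so the smallest accepted input, a path of exactly `"/"`, is not covered here. A companion test asserting a non-null result for `"/"` would catch a later change that tightens the check too far. A null `encodedPath` is also unpinned, so the test suite does not say whether that case should return null or throw. `testConcatenateForRewriteEmptyPath` could carry the same kind of inline comment as the `// path must start with '/'` one in the second test.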