launder server name

vladak · vladak · commit 27968d66f196 · 2025-08-29T12:15:48.000+02:00
diff --git a/opengrok-indexer/src/main/java/org/opengrok/indexer/web/Laundromat.java b/opengrok-indexer/src/main/java/org/opengrok/indexer/web/Laundromat.java
@@ -51,6 +51,15 @@ public static String launderInput(String value) {
         return replaceAll(value, ESC_N_R_T_F, "_");
     }
 
+    /**
+     * Sanitize {@code value} where it will be used in subsequent OpenGrok
+     * (non-logging) processing. Also allows for IPv6 address URIs with port number.
+     * @return {@code null} if null or else {@code value} with invalid characters removed and leading dashes stripped
+     */
+    public static String launderServerName(String value) {
+        return replaceAll(value, "(^\\-*)|[^A-Za-z0-9\\-\\.: \\[\\]]", "");
+    }
+
     /**
      * Sanitize {@code value} where it will be used in subsequent OpenGrok
      * (non-logging) processing.
diff --git a/opengrok-indexer/src/test/java/org/opengrok/indexer/web/LaundromatTest.java b/opengrok-indexer/src/test/java/org/opengrok/indexer/web/LaundromatTest.java
@@ -19,14 +19,19 @@
 
 /*
  * Copyright (c) 2020, Chris Fraire <cfraire@me.com>.
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
  */
 package org.opengrok.indexer.web;
 
+import org.apache.commons.lang3.tuple.Pair;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
 
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.stream.Stream;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
@@ -54,6 +59,17 @@ void launderLog() {
         assertEquals(TEST_CONTENT_LOG_LAUNDRY, laundry);
     }
 
+    private static Stream<Pair<String, String>> getParamsForTestLaunderServerName() {
+        return Stream.of(Pair.of("foo.example.com", Laundromat.launderServerName("--foo.example\n.com?=")),
+                Pair.of("[2001:db8::1]:8080", Laundromat.launderServerName("[2001:db8::1]:8080")));
+    }
+
+    @ParameterizedTest
+    @MethodSource("getParamsForTestLaunderServerName")
+    void testLaunderServerName(Pair<String, String> param) {
+        assertEquals(param.getLeft(), param.getRight());
+    }
+
     @Test
     void launderLogMap() {
         HashMap<String, String[]> testMap = new HashMap<>();
diff --git a/opengrok-web/src/main/java/org/opengrok/web/PageConfig.java b/opengrok-web/src/main/java/org/opengrok/web/PageConfig.java
@@ -1483,7 +1483,7 @@ public String getServerName() {
         if (env.getServerName() != null) {
             return env.getServerName();
         } else {
-            return req.getServerName();
+            return Laundromat.launderServerName(req.getServerName());
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1483,7 +1483,7 @@ public String getServerName() {`
`1483`	`1483`	`if (env.getServerName() != null) {`
`1484`	`1484`	`return env.getServerName();`
`1485`	`1485`	`} else {`
`1486`		`- return req.getServerName();`
	`1486`	`+ return Laundromat.launderServerName(req.getServerName());`
`1487`	`1487`	`}`
`1488`	`1488`	`}`
`1489`	`1489`