Merge pull request #227 from AikidoSec/add-route-detection-for-array

bitterpanda63 · web-flow · commit 0f196073b799 · 2025-09-16T11:58:16.000Z
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/helpers/url/BuildRouteFromUrl.java b/agent_api/src/main/java/dev/aikido/agent_api/helpers/url/BuildRouteFromUrl.java
@@ -20,6 +20,8 @@ private BuildRouteFromUrl() {}
             "^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$");
     private static final Pattern HASH_REGEX = Pattern.compile("^(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64}|[a-f0-9]{128})$", Pattern.CASE_INSENSITIVE);
     private static final int[] HASH_LENGTHS = {32, 40, 64, 128};
+    private static final Pattern NUMBER_ARRAY_REGEX = Pattern.compile("^\\d+(?:,\\d+)*$");
+
 
     public static String buildRouteFromUrl(String url) {
         String path = tryParseUrlPath(url);
@@ -57,6 +59,8 @@ private static String replaceUrlSegmentWithParam(String segment) {
 
         if (startsWithNumber && NUMBER_REGEX.matcher(segment).matches()) {
             return ":number";
+        } else if (segment.contains(",") && NUMBER_ARRAY_REGEX.matcher(segment).matches()) {
+            return ":array(number)";
         } else if (segment.length() == 36 && UUID_REGEX.matcher(segment).matches()) {
             return ":uuid";
         } else if (segment.length() == 26 && ULID_REGEX.matcher(segment).matches()) {
diff --git a/agent_api/src/test/java/helpers/BuildRouteFromUrlTest.java b/agent_api/src/test/java/helpers/BuildRouteFromUrlTest.java
@@ -43,8 +43,15 @@ void testReplaceDates() {
     }
 
     @Test
-    void testIgnoreCommaNumbers() {
-        assertEquals("/posts/3,000", buildRouteFromUrl("/posts/3,000"));
+    void testMatchesArrays() {
+        assertEquals("/posts/:array(number)", buildRouteFromUrl("/posts/3,000"));
+        assertEquals("/posts/:array(number)", buildRouteFromUrl("/posts/0,1,2,3,4"));
+        assertEquals("/posts/,1,2,3,4", buildRouteFromUrl("/posts/,1,2,3,4"));
+        assertEquals("/posts/0,1,2,3,4,", buildRouteFromUrl("/posts/0,1,2,3,4,"));
+        assertEquals("/posts/,1,2,3,4,", buildRouteFromUrl("/posts/,1,2,3,4,"));
+        assertEquals("/posts/,", buildRouteFromUrl("/posts/,"));
+        assertEquals("/posts/:array(number)", buildRouteFromUrl("/posts/1,2"));
+        assertEquals("/posts/:array(number)", buildRouteFromUrl("/posts/200000,2,20000"));
     }
 
     @Test
