fix: fix regex vulnerability

radrt · radrt · commit 2bede2b37a87 · 2026-02-27T15:32:40.000+02:00
diff --git a/src/main/java/io/neonbee/entity/AbstractEntityVerticle.java b/src/main/java/io/neonbee/entity/AbstractEntityVerticle.java
@@ -96,7 +96,7 @@ public abstract class AbstractEntityVerticle<T> extends DataVerticle<T> {
      */
     @VisibleForTesting
     static final Pattern URI_PATH_PATTERN =
-            Pattern.compile("^/*((?:(.*)\\.)?(.*?))/(([A-Za-z_]\\w+).*?)(?:(?<=\\))/(.*))?$");
+            Pattern.compile("^/*((?:(.+/?)\\.)?([^/]+))/(([A-Za-z_]\\w+)[^/]*)(?:/(.*))?$");
 
     private static final LoggingFacade LOGGER = LoggingFacade.create();
 
@@ -224,13 +224,13 @@ public static String getName(Class<? extends AbstractEntityVerticle> clazz) {
      */
     @Override
     public void start(Promise<Void> promise) {
-        vertx.eventBus().consumer(EVENT_BUS_MODELS_LOADED_ADDRESS, message -> {
-            announceEntityVerticle(vertx).onFailure(throwable -> {
-                if (LOGGER.isErrorEnabled()) {
-                    LOGGER.error("Updating announcements of entity verticle {} failed", getQualifiedName(), throwable);
-                }
-            });
-        });
+        vertx.eventBus().consumer(EVENT_BUS_MODELS_LOADED_ADDRESS,
+                message -> announceEntityVerticle(vertx).onFailure(throwable -> {
+                    if (LOGGER.isErrorEnabled()) {
+                        LOGGER.error("Updating announcements of entity verticle {} failed", getQualifiedName(),
+                                throwable);
+                    }
+                }));
         announceEntityVerticle(vertx).compose(nothing -> Future.<Void>future(super::start))
                 .onSuccess(nothing -> {
                     if (LOGGER.isInfoEnabled()) {
diff --git a/src/test/java/io/neonbee/entity/EntityVerticleTest.java b/src/test/java/io/neonbee/entity/EntityVerticleTest.java
@@ -79,17 +79,14 @@ void registerEntityTypes(VertxTestContext testContext) {
         Checkpoint checkpoint = testContext.checkpoint(2);
         registry.get(sharedEntityMapName(new FullQualifiedName("ERP.Customers")))
                 .onComplete(testContext.succeeding(result -> {
-                    testContext.verify(() -> {
-                        assertThat((JsonArray) result).containsExactly(entityVerticleImpl1.getQualifiedName(),
-                                entityVerticleImpl2.getQualifiedName());
-                    });
+                    testContext.verify(() -> assertThat(result).containsExactly(entityVerticleImpl1.getQualifiedName(),
+                            entityVerticleImpl2.getQualifiedName()));
                     checkpoint.flag();
                 }));
         registry.get(sharedEntityMapName(new FullQualifiedName("Sales.Orders")))
                 .onComplete(testContext.succeeding(result -> {
-                    testContext.verify(() -> {
-                        assertThat((JsonArray) result).containsExactly(entityVerticleImpl1.getQualifiedName());
-                    });
+                    testContext
+                            .verify(() -> assertThat(result).containsExactly(entityVerticleImpl1.getQualifiedName()));
                     checkpoint.flag();
                 }));
     }
@@ -116,13 +113,6 @@ void queryVerticlesForEntityType(Vertx vertx, VertxTestContext testContext) {
     void testEntityURIPathRegex() {
         Matcher matcher;
 
-        assertThat((matcher = URI_PATH_PATTERN.matcher("my.very/own.Service/Entity")).find()).isTrue();
-        assertThat(matcher.group()).isEqualTo("my.very/own.Service/Entity");
-        assertThat(matcher.group(SERVICE_NAMESPACE_GROUP)).isEqualTo("my.very/own.Service");
-        assertThat(matcher.group(CDS_NAMESPACE_GROUP)).isEqualTo("my.very/own");
-        assertThat(matcher.group(CDS_SERVICE_NAME_GROUP)).isEqualTo("Service");
-        assertThat(matcher.group(ENTITY_SET_NAME_GROUP)).isEqualTo("Entity");
-
         assertThat((matcher = URI_PATH_PATTERN.matcher("my.Service/Entity")).find()).isTrue();
         assertThat(matcher.group()).isEqualTo("my.Service/Entity");
         assertThat(matcher.group(SERVICE_NAMESPACE_GROUP)).isEqualTo("my.Service");
@@ -148,6 +138,13 @@ void testEntityURIPathRegex() {
 
         assertThat((matcher = URI_PATH_PATTERN.matcher("Service/Entity/$count")).find()).isTrue();
         assertThat(matcher.group(ENTITY_SET_NAME_GROUP)).isEqualTo("Entity");
+
+        assertThat((matcher = URI_PATH_PATTERN.matcher("my.very/own.Service/Entity")).find()).isTrue();
+        assertThat(matcher.group()).isEqualTo("my.very/own.Service/Entity");
+        assertThat(matcher.group(SERVICE_NAMESPACE_GROUP)).isEqualTo("my.very/own.Service");
+        assertThat(matcher.group(CDS_NAMESPACE_GROUP)).isEqualTo("my.very/own");
+        assertThat(matcher.group(CDS_SERVICE_NAME_GROUP)).isEqualTo("Service");
+        assertThat(matcher.group(ENTITY_SET_NAME_GROUP)).isEqualTo("Entity");
     }
 
     @Test
@@ -229,9 +226,8 @@ public Future<Set<FullQualifiedName>> entityTypeNames() {
             }
         };
 
-        deployVerticle(dummyEntityVerticle).onComplete(testContext.succeeding(nextHandler -> {
-            testVertx.eventBus().publish(EntityModelManager.EVENT_BUS_MODELS_LOADED_ADDRESS, null);
-        }));
+        deployVerticle(dummyEntityVerticle).onComplete(testContext.succeeding(
+                nextHandler -> testVertx.eventBus().publish(EntityModelManager.EVENT_BUS_MODELS_LOADED_ADDRESS, null)));
     }
 
     @Test
@@ -245,7 +241,7 @@ void testqueryWithSpecialCharacters(Vertx vertx, VertxTestContext testContext) {
         entityVerticleImpl1.parseUriInfo(vertx, dataQuery).onSuccess(uriInfo -> {
             assertThat(uriInfo).isNotNull();
             testContext.completeNow();
-        }).onFailure(t -> testContext.failNow(t));
+        }).onFailure(testContext::failNow);
     }
 }
 
