refactor: replace URLEncoder with URIEscapers to ensure RFC 3986-compliant path encoding

Praveenkumar76 · Praveenkumar76 · commit e6023bcc8a6b · 2026-04-30T17:27:48.000+05:30
diff --git a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/common/PackageName.java b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/common/PackageName.java
@@ -23,8 +23,7 @@
 import com.google.common.cache.CacheBuilder;
 import com.google.common.cache.CacheLoader;
 import com.google.common.cache.LoadingCache;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
+import com.google.common.net.UrlEscapers;
 import java.util.List;
 import java.util.Objects;
 import java.util.concurrent.ExecutionException;
@@ -138,12 +137,13 @@ public String toString() {
     }
 
     public String toRestPath() {
+        // Use Guava's urlPathSegmentEscaper to safely encode each segment and prevents Path Traversal (CWE-22)
         return String.format("%s/%s/%s/%s/%s",
-                type,
-                URLEncoder.encode(tenant, StandardCharsets.UTF_8),
-                URLEncoder.encode(namespace, StandardCharsets.UTF_8),
-                URLEncoder.encode(name, StandardCharsets.UTF_8),
-                URLEncoder.encode(version, StandardCharsets.UTF_8));
+                type.toString(),
+                UrlEscapers.urlPathSegmentEscaper().escape(tenant),
+                UrlEscapers.urlPathSegmentEscaper().escape(namespace),
+                UrlEscapers.urlPathSegmentEscaper().escape(name),
+                UrlEscapers.urlPathSegmentEscaper().escape(version));
     }
 
     @Override
diff --git a/pulsar-package-management/core/src/test/java/org/apache/pulsar/packages/management/core/common/PackageNameTest.java b/pulsar-package-management/core/src/test/java/org/apache/pulsar/packages/management/core/common/PackageNameTest.java
@@ -125,7 +125,7 @@ public void testPathTraversalBypassConstructor() throws Exception {
         java.lang.reflect.Field tenantField = PackageName.class.getDeclaredField("tenant");
         tenantField.setAccessible(true);
         tenantField.set(packageName, "tenant-a/../../system-tenant");
-        // Define what the SAFE, patched output should look like (URL Encoded)
+        // Define what the SAFE, patched output should look like
         String expectedSafePath = "function/tenant-a%2F..%2F..%2Fsystem-tenant/ns/name/v1";
 
         // Trigger the vulnerable method
