LDEV-6354 don't abort S3 bundle listing on a malformed version or key#2792
Open
bpamiri wants to merge 1 commit into
Conversation
`OSGiUtil.toVersion(String, Version)` threw `IllegalArgumentException` for a malformed qualifier (e.g. "3.9.0.GA copy" from bucket entry "javassist-3.9.0.GA copy.jar") instead of honoring its default-return contract, aborting the entire `BundleProvider` listing walk. Guard the restrictive-path `Version` construction, matching the non-restrictive branch. Also URL-encode the S3 `?marker=` pagination parameter in `BundleProvider.read()` so keys with spaces/illegal URI characters don't break paginated listing. Adds test/tickets/LDEV6354.cfc.

Signed-off-by: Peter Amiri <peter@alurium.com>
LDEV-6354
https://luceeserver.atlassian.net/browse/LDEV-6354
Problem
Lucee's S3 `BundleProvider` (the fallback resolver that lists `bundle-download.s3.amazonaws.com` when a bundle isn't found locally or on update.lucee.org) aborts the entire listing walk when the bucket contains a single entry whose name yields a malformed OSGi version. Resolution of every S3-hosted bundle then fails — a request for e.g. `org.xerial.sqlite-jdbc` surfaces a parse error about `javassist`. The bucket currently contains `javassist-3.9.0.GA copy.jar` (a Finder-style "copy" duplicate) plus several space-containing `.meta-cache/*.json` keys.

Root cause & fix
1. `OSGiUtil.toVersion(String, boolean, Version)` violated its default-return contract. For `3.9.0.GA copy` it parses major/minor/micro, then calls `new Version(3, 9, 0, "GA copy")`, whose constructor `validate()` rejects the space and throws `IllegalArgumentException`. That construction (the restrictive path) wasn't guarded — unlike the non-restrictive branch immediately above it. Because this overload takes a `defaultValue`, callers expect it never to throw; instead the exception escaped the SAX parse in `BundleProvider.read()`. Fixed by wrapping the construction in `try/catch (IllegalArgumentException)` returning `defaultValue`.

2. `BundleProvider.read()` built the pagination URL by naive concatenation (`"?marker=" + lastKey`), throwing `Illegal character in query` when a key contains a space. The listing is truncated (>1000 keys) so `?marker=` pagination runs in normal operation. Fixed by URL-encoding the marker.

Either fix alone resolves the reported crash; together they make S3 bundle resolution resilient to any single malformed listing entry.
Test
`test/tickets/LDEV6354.cfc` asserts `OSGiUtil.toVersion("3.9.0.GA copy", default)` returns the default instead of throwing, and that a well-formed qualifier still parses.

Note
The malformed bucket entries should also be cleaned up server-side (tracked in LDEV-6354) — that fixes already-released versions immediately; this PR prevents recurrence from any future malformed entry.
Downstream report: wheels-dev/wheels#2312
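The two defects described under "Root cause & fix", shown side by side as an added, self-contained example. This is not Lucee's code: `Version` here is a small stand-in for `org.osgi.framework.Version` that reproduces its qualifier rule (only `[A-Za-z0-9_-]` is accepted, anything else makes the constructor throw `IllegalArgumentException`), and `toVersion`, `naiveMarkerUrl` and `encodedMarkerUrl` are hypothetical names chosen for the demo. The bucket host is the one named in the PR; the listing keys fed in are constructed to match the entries it describes.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/** Stand-in for org.osgi.framework.Version (assumption: same qualifier rule). */
final class Version {
    private static final Pattern QUALIFIER = Pattern.compile("[A-Za-z0-9_-]*");
    final int major, minor, micro;
    final String qualifier;

    Version(int major, int minor, int micro, String qualifier) {
        if (major < 0 || minor < 0 || micro < 0) {
            throw new IllegalArgumentException("negative version component");
        }
        if (qualifier == null) qualifier = "";
        if (!QUALIFIER.matcher(qualifier).matches()) {
            // This is the validate() failure the PR describes for "GA copy".
            throw new IllegalArgumentException("invalid qualifier: \"" + qualifier + "\"");
        }
        this.major = major; this.minor = minor; this.micro = micro; this.qualifier = qualifier;
    }

    @Override public String toString() {
        return major + "." + minor + "." + micro + (qualifier.isEmpty() ? "" : "." + qualifier);
    }
}

public final class BundleListingDemo {
    static final Version DEFAULT = new Version(0, 0, 0, "");
    static final String BUCKET = "https://bundle-download.s3.amazonaws.com/";

    /** Hypothetical counterpart of OSGiUtil.toVersion(String, Version): never throws. */
    static Version toVersion(String text, Version defaultValue) {
        String[] parts = text.split("\\.", 4);  // at most major.minor.micro.qualifier
        if (parts.length < 3) return defaultValue;
        try {
            int major = Integer.parseInt(parts[0].trim());
            int minor = Integer.parseInt(parts[1].trim());
            int micro = Integer.parseInt(parts[2].trim());
            String qualifier = parts.length == 4 ? parts[3] : "";
            // The guard from fix 1: a malformed qualifier makes the constructor
            // throw; honour the default-return contract instead of propagating.
            // NumberFormatException is a subclass, so one catch covers both.
            return new Version(major, minor, micro, qualifier);
        } catch (IllegalArgumentException e) {
            return defaultValue;
        }
    }

    /** Pagination URL as built before fix 2: throws for keys containing a space. */
    static URI naiveMarkerUrl(String lastKey) {
        return URI.create(BUCKET + "?marker=" + lastKey);  // "Illegal character in query"
    }

    /** Fix 2: percent-encode the marker so any key is a legal query value. */
    static URI encodedMarkerUrl(String lastKey) {
        // URLEncoder targets form encoding and emits '+' for a space; a plain
        // percent-encoded %20 is the unambiguous form for a URI query value.
        String marker = URLEncoder.encode(lastKey, StandardCharsets.UTF_8).replace("+", "%20");
        return URI.create(BUCKET + "?marker=" + marker);
    }

    public static void main(String[] args) {
        // Constructed listing names: well-formed, the "copy" duplicate, and two other malformed ones.
        String[] entries = {"3.9.0.GA", "3.9.0.GA copy", "1.2", "x.y.z"};
        for (String e : entries) {
            System.out.println("\"" + e + "\" -> " + toVersion(e, DEFAULT));
        }

        // Constructed last key of a truncated page, shaped like the .meta-cache entries.
        String lastKey = ".meta-cache/javassist-3.9.0.GA copy.json";
        try {
            naiveMarkerUrl(lastKey);
        } catch (IllegalArgumentException ex) {
            System.out.println("naive marker URL failed: " + ex.getMessage());
        }
        System.out.println("encoded marker URL: " + encodedMarkerUrl(lastKey));
    }
}
```

Running the class prints the default `0.0.0` for the three malformed names and the parsed `3.9.0.GA` for the good one, then the `Illegal character in query` failure from the naive URL followed by the encoded URL that `URI.create` accepts. The point to carry back to a real listing walk is the one the PR makes: the version parse for a single entry must return the default rather than throw, because one bad key otherwise takes down resolution of every bundle in the bucket.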