Validate url domain and path (#4522)

Lightwood13 · web-flow · commit d0c723ce36aa · 2026-05-29T14:37:29.000-04:00
diff --git a/src/main/java/org/prebid/server/bidder/acuityads/AcuityadsBidder.java b/src/main/java/org/prebid/server/bidder/acuityads/AcuityadsBidder.java
@@ -95,7 +95,7 @@ private ExtImpAcuityads parseImpExt(Imp imp) {
 
     private String resolveEndpoint(String host, String accountId) {
         return endpointUrl
-                .replace(URL_HOST_MACRO, StringUtils.stripToEmpty(host))
+                .replace(URL_HOST_MACRO, HttpUtil.validateDomainName(StringUtils.stripToEmpty(host)))
                 .replace(URL_ACCOUNT_ID_MACRO, StringUtils.stripToEmpty(accountId));
     }
 
diff --git a/src/main/java/org/prebid/server/bidder/adhese/AdheseBidder.java b/src/main/java/org/prebid/server/bidder/adhese/AdheseBidder.java
@@ -78,7 +78,7 @@ private ExtImpAdhese parseImpExt(Imp imp) {
     }
 
     private String getUrl(ExtImpAdhese extImpAdhese) {
-        return endpointUrl.replace("{{AccountId}}", extImpAdhese.getAccount());
+        return endpointUrl.replace("{{AccountId}}", HttpUtil.validateDomainName(extImpAdhese.getAccount()));
     }
 
     private BidRequest modifyBidRequest(BidRequest bidRequest, ExtImpAdhese extImpAdhese) {
diff --git a/src/main/java/org/prebid/server/bidder/adtonos/AdtonosBidder.java b/src/main/java/org/prebid/server/bidder/adtonos/AdtonosBidder.java
@@ -63,7 +63,7 @@ private ExtImpAdtonos parseImpExt(Imp imp) {
     }
 
     private String makeUrl(ExtImpAdtonos extImp) {
-        return endpointUrl.replace(PUBLISHER_ID_MACRO, extImp.getSupplierId());
+        return endpointUrl.replace(PUBLISHER_ID_MACRO, HttpUtil.validatePathSegment(extImp.getSupplierId()));
     }
 
     @Override
diff --git a/src/main/java/org/prebid/server/bidder/adview/AdviewBidder.java b/src/main/java/org/prebid/server/bidder/adview/AdviewBidder.java
@@ -131,7 +131,7 @@ private static Banner resolveBanner(Banner banner) {
     }
 
     private String resolveEndpoint(String accountId) {
-        return endpointUrl.replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(accountId));
+        return endpointUrl.replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(accountId)));
     }
 
     @Override
diff --git a/src/main/java/org/prebid/server/bidder/axonix/AxonixBidder.java b/src/main/java/org/prebid/server/bidder/axonix/AxonixBidder.java
@@ -67,7 +67,7 @@ private ExtImpAxonix parseImpExt(Imp imp) {
     }
 
     private String resolveEndpoint(String supplyId) {
-        return endpointUrl.replace(URL_SUPPLY_ID_MACRO, HttpUtil.encodeUrl(supplyId));
+        return endpointUrl.replace(URL_SUPPLY_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(supplyId)));
     }
 
     @Override
diff --git a/src/main/java/org/prebid/server/bidder/bidmachine/BidmachineBidder.java b/src/main/java/org/prebid/server/bidder/bidmachine/BidmachineBidder.java
@@ -142,9 +142,9 @@ private static boolean isMissedRewardedBattr(List<Integer> battr) {
     }
 
     private String buildEndpointUrl(ExtImpBidmachine extImpBidmachine) {
-        return endpointUrl.replace("{{HOST}}", extImpBidmachine.getHost())
-                .replace("{{PATH}}", extImpBidmachine.getPath())
-                .replace("{{SELLER_ID}}", extImpBidmachine.getSellerId());
+        return endpointUrl.replace("{{HOST}}", HttpUtil.validateDomainName(extImpBidmachine.getHost()))
+                .replace("{{PATH}}", HttpUtil.validatePathSegment(extImpBidmachine.getPath()))
+                .replace("{{SELLER_ID}}", HttpUtil.validatePathSegment(extImpBidmachine.getSellerId()));
     }
 
     private ExtPrebid<ExtImpPrebid, ExtImpBidmachine> parseImpExt(Imp imp) {
diff --git a/src/main/java/org/prebid/server/bidder/blis/BlisBidder.java b/src/main/java/org/prebid/server/bidder/blis/BlisBidder.java
@@ -72,7 +72,7 @@ private static MultiMap makeHeaders(String supplyId) {
     }
 
     private String makeUrl(String supplyId) {
-        return endpointUrl.replace(SUPPLY_ID_MACRO, HttpUtil.encodeUrl(supplyId));
+        return endpointUrl.replace(SUPPLY_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(supplyId)));
     }
 
     @Override
diff --git a/src/main/java/org/prebid/server/bidder/clydo/ClydoBidder.java b/src/main/java/org/prebid/server/bidder/clydo/ClydoBidder.java
@@ -111,7 +111,7 @@ private static MultiMap constructHeaders(BidRequest bidRequest) {
     private static String resolveUrl(String endpoint, ExtImpClydo extImp) {
         return endpoint
                 .replace(REGION_MACRO, getRegionInfo(extImp))
-                .replace(PARTNER_ID_MACRO, HttpUtil.encodeUrl(extImp.getPartnerId()));
+                .replace(PARTNER_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(extImp.getPartnerId())));
     }
 
     private static String getRegionInfo(ExtImpClydo extImp) {
diff --git a/src/main/java/org/prebid/server/bidder/contxtful/ContxtfulBidder.java b/src/main/java/org/prebid/server/bidder/contxtful/ContxtfulBidder.java
@@ -129,7 +129,7 @@ private static User modifyUser(User user) {
     }
 
     private String makeUrl(String customerId) {
-        return endpointUrl.replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(customerId));
+        return endpointUrl.replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(customerId)));
     }
 
     @Override
diff --git a/src/main/java/org/prebid/server/bidder/elementaltv/ElementalTVBidder.java b/src/main/java/org/prebid/server/bidder/elementaltv/ElementalTVBidder.java
@@ -86,7 +86,7 @@ private ExtImpElementalTV parseAndValidateImpExt(Imp imp) {
     private String resolveUrl(ExtImpElementalTV extImp) {
         try {
             return endpointTemplate
-                    .replace("{{AdUnit}}", HttpUtil.encodeUrl(extImp.getAdunit()));
+                    .replace("{{AdUnit}}", HttpUtil.encodeUrl(HttpUtil.validatePathSegment(extImp.getAdunit())));
         } catch (Exception e) {
             throw new PreBidException(e.getMessage());
         }
diff --git a/src/main/java/org/prebid/server/bidder/eplanning/EplanningBidder.java b/src/main/java/org/prebid/server/bidder/eplanning/EplanningBidder.java
@@ -232,7 +232,12 @@ private String resolveRequestUri(BidRequest request, List<String> requestsString
                 ? app.getBundle()
                 : pageDomain;
 
-        final String uri = "%s/%s/%s/%s/%s".formatted(endpointUrl, clientId, DFP_CLIENT_ID, requestTarget, SEC);
+        final String uri = "%s/%s/%s/%s/%s".formatted(
+                endpointUrl,
+                HttpUtil.validatePathSegment(clientId),
+                DFP_CLIENT_ID,
+                HttpUtil.validatePathSegment(requestTarget),
+                SEC);
 
         final URIBuilder uriBuilder;
         try {
diff --git a/src/main/java/org/prebid/server/bidder/gamoshi/GamoshiBidder.java b/src/main/java/org/prebid/server/bidder/gamoshi/GamoshiBidder.java
@@ -57,7 +57,7 @@ public Result<List<HttpRequest<BidRequest>>> makeHttpRequests(BidRequest request
 
         if (validImps.isEmpty()) {
             errors.add(BidderError.badInput("No valid impressions in the bid request"));
-            return Result.of(Collections.emptyList(), errors);
+            return Result.of(Collections.<HttpRequest<BidRequest>>emptyList(), errors);
         }
 
         final ExtImpGamoshi firstImpExt;
@@ -69,7 +69,9 @@ public Result<List<HttpRequest<BidRequest>>> makeHttpRequests(BidRequest request
 
         final BidRequest outgoingRequest = request.toBuilder().imp(validImps).build();
 
-        final String requestUrl = endpointUrl + "/r/" + firstImpExt.getSupplyPartnerId() + "/bidr?bidder=prebid-server";
+        final String requestUrl = endpointUrl + "/r/"
+                + HttpUtil.validatePathSegment(firstImpExt.getSupplyPartnerId())
+                + "/bidr?bidder=prebid-server";
         final MultiMap headers = resolveHeaders(request.getDevice());
 
         return Result.of(Collections.singletonList(
diff --git a/src/main/java/org/prebid/server/bidder/imds/ImdsBidder.java b/src/main/java/org/prebid/server/bidder/imds/ImdsBidder.java
@@ -95,7 +95,8 @@ public Result<List<HttpRequest<BidRequest>>> makeHttpRequests(BidRequest bidRequ
     }
 
     private String generateEndpointUrl(ExtImpImds firstExtImp) {
-        final String accountId = URLEncoder.encode(firstExtImp.getSeatId(), StandardCharsets.UTF_8);
+        final String accountId = URLEncoder.encode(
+                HttpUtil.validatePathSegment(firstExtImp.getSeatId()), StandardCharsets.UTF_8);
         final String sourceId = URLEncoder.encode(prebidVersion, StandardCharsets.UTF_8);
         return endpointUrl
                 .replaceAll("\\{\\{AccountID}}", accountId)
diff --git a/src/main/java/org/prebid/server/bidder/kayzen/KayzenBidder.java b/src/main/java/org/prebid/server/bidder/kayzen/KayzenBidder.java
@@ -71,7 +71,8 @@ private ExtImpKayzen parseImpExt(Imp imp) {
     }
 
     private HttpRequest<BidRequest> createRequest(ExtImpKayzen extImpKayzen, BidRequest request, List<Imp> imps) {
-        final String url = endpointUrl.replace(URL_ZONE_ID_MACRO, extImpKayzen.getZone())
+        final String url = endpointUrl
+                .replace(URL_ZONE_ID_MACRO, HttpUtil.validateDomainName(extImpKayzen.getZone()))
                 .replace(URL_ACCOUNT_ID_MACRO, extImpKayzen.getExchange());
         final BidRequest outgoingRequest = request.toBuilder().imp(imps).build();
 
diff --git a/src/main/java/org/prebid/server/bidder/kueezrtb/KueezRtbBidder.java b/src/main/java/org/prebid/server/bidder/kueezrtb/KueezRtbBidder.java
@@ -67,7 +67,8 @@ private KueezRtbImpExt parseImpExt(Imp imp) throws PreBidException {
 
     private HttpRequest<BidRequest> makeHttpRequest(BidRequest bidRequest, Imp imp, KueezRtbImpExt impExt) {
         final BidRequest modifiedBidRequest = bidRequest.toBuilder().imp(Collections.singletonList(imp)).build();
-        final String uri = endpointUrl + HttpUtil.encodeUrl(StringUtils.defaultString(impExt.getConnectionId()).trim());
+        final String uri = endpointUrl + HttpUtil.encodeUrl(
+                HttpUtil.validatePathSegment(StringUtils.defaultString(impExt.getConnectionId()).trim()));
 
         return BidderUtil.defaultRequest(modifiedBidRequest, uri, mapper);
     }
diff --git a/src/main/java/org/prebid/server/bidder/madvertise/MadvertiseBidder.java b/src/main/java/org/prebid/server/bidder/madvertise/MadvertiseBidder.java
@@ -89,7 +89,7 @@ private ExtImpMadvertise parseImpExt(Imp imp) {
     }
 
     private HttpRequest<BidRequest> createRequest(BidRequest request, String zoneID) {
-        final String url = endpointUrl.replace(ZONE_ID_MACRO, HttpUtil.encodeUrl(zoneID));
+        final String url = endpointUrl.replace(ZONE_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(zoneID)));
 
         return HttpRequest.<BidRequest>builder()
                 .method(HttpMethod.POST)
diff --git a/src/main/java/org/prebid/server/bidder/mgid/MgidBidder.java b/src/main/java/org/prebid/server/bidder/mgid/MgidBidder.java
@@ -69,7 +69,10 @@ public final Result<List<HttpRequest<BidRequest>>> makeHttpRequests(BidRequest b
                 .imp(imps)
                 .build();
 
-        return Result.withValue(BidderUtil.defaultRequest(outgoingRequest, endpointUrl + accountId, mapper));
+        return Result.withValue(BidderUtil.defaultRequest(
+                outgoingRequest,
+                endpointUrl + HttpUtil.validatePathSegment(accountId),
+                mapper));
     }
 
     private ExtImpMgid parseImpExt(Imp imp) {
diff --git a/src/main/java/org/prebid/server/bidder/onetag/OnetagBidder.java b/src/main/java/org/prebid/server/bidder/onetag/OnetagBidder.java
@@ -54,7 +54,8 @@ public Result<List<HttpRequest<BidRequest>>> makeHttpRequests(BidRequest request
             }
         }
 
-        final String url = endpointUrl.replace(URL_PUBLISHER_ID_MACRO, StringUtils.defaultString(requestPubId));
+        final String url = endpointUrl.replace(
+                URL_PUBLISHER_ID_MACRO, HttpUtil.validatePathSegment(StringUtils.defaultString(requestPubId)));
         return Result.withValue(BidderUtil.defaultRequest(request, url, mapper));
     }
 
diff --git a/src/main/java/org/prebid/server/bidder/operaads/OperaadsBidder.java b/src/main/java/org/prebid/server/bidder/operaads/OperaadsBidder.java
@@ -179,7 +179,8 @@ private HttpRequest<BidRequest> createRequest(BidRequest bidRequest, Imp imp, Ex
 
     private String resolveUrl(ExtImpOperaads extImpOperaads) {
         return endpointUrl
-                .replace(PUBLISHER_ID_MACRO, HttpUtil.encodeUrl(extImpOperaads.getPublisherId()))
+                .replace(PUBLISHER_ID_MACRO,
+                        HttpUtil.encodeUrl(HttpUtil.validatePathSegment(extImpOperaads.getPublisherId())))
                 .replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(extImpOperaads.getEndpointId()));
     }
 
diff --git a/src/main/java/org/prebid/server/bidder/ownadx/OwnAdxBidder.java b/src/main/java/org/prebid/server/bidder/ownadx/OwnAdxBidder.java
@@ -88,8 +88,10 @@ private HttpRequest<BidRequest> createHttpRequest(BidRequest bidRequest, ExtImpO
     private String makeUrl(ExtImpOwnAdx extImpOwnAdx) {
         final Optional<ExtImpOwnAdx> ownAdx = Optional.ofNullable(extImpOwnAdx);
         return endpointUrl
-                .replace(SEAT_ID_MACROS_ENDPOINT, ownAdx.map(ExtImpOwnAdx::getSeatId).orElse(StringUtils.EMPTY))
-                .replace(SSP_ID_MACROS_ENDPOINT, ownAdx.map(ExtImpOwnAdx::getSspId).orElse(StringUtils.EMPTY))
+                .replace(SEAT_ID_MACROS_ENDPOINT,
+                        HttpUtil.validatePathSegment(ownAdx.map(ExtImpOwnAdx::getSeatId).orElse(StringUtils.EMPTY)))
+                .replace(SSP_ID_MACROS_ENDPOINT,
+                        HttpUtil.validatePathSegment(ownAdx.map(ExtImpOwnAdx::getSspId).orElse(StringUtils.EMPTY)))
                 .replace(TOKEN_ID_MACROS_ENDPOINT, ownAdx.map(ExtImpOwnAdx::getTokenId).orElse(StringUtils.EMPTY));
     }
 
diff --git a/src/main/java/org/prebid/server/bidder/rediads/RediadsBidder.java b/src/main/java/org/prebid/server/bidder/rediads/RediadsBidder.java
@@ -125,7 +125,8 @@ private static App modifyApp(App app, String accountId) {
     }
 
     private String resolveEndpointUrl(String subdomain) {
-        return endpointUrl.replace(SUBDOMAIN_MACRO, StringUtils.defaultIfBlank(subdomain, defaultSubdomain));
+        return endpointUrl.replace(
+                SUBDOMAIN_MACRO, HttpUtil.validateDomainName(StringUtils.defaultIfBlank(subdomain, defaultSubdomain)));
     }
 
     @Override
diff --git a/src/main/java/org/prebid/server/bidder/relevantdigital/RelevantDigitalBidder.java b/src/main/java/org/prebid/server/bidder/relevantdigital/RelevantDigitalBidder.java
@@ -174,7 +174,7 @@ private String makeUrl(String host) {
                 .replace("http://", "")
                 .replace("https://", "")
                 .replace(".relevant-digital.com", "");
-        return endpointUrl.replace(HOST_MACRO, modifiedHost);
+        return endpointUrl.replace(HOST_MACRO, HttpUtil.validateDomainName(modifiedHost));
     }
 
     private static MultiMap makeHeaders(BidRequest bidRequest) {
diff --git a/src/main/java/org/prebid/server/bidder/roulax/RoulaxBidder.java b/src/main/java/org/prebid/server/bidder/roulax/RoulaxBidder.java
@@ -66,7 +66,8 @@ private ExtImpRoulax parseImpExt(Imp imp) {
 
     private String resolveEndpoint(ExtImpRoulax extImpRoulax) {
         return endpointUrl
-                .replace(PUBLISHER_PATH_MACRO, StringUtils.defaultString(extImpRoulax.getPublisherPath()).trim())
+                .replace(PUBLISHER_PATH_MACRO,
+                        HttpUtil.validatePathSegment(StringUtils.defaultString(extImpRoulax.getPublisherPath()).trim()))
                 .replace(ACCOUNT_ID_MACRO, StringUtils.defaultString(extImpRoulax.getPid()).trim());
     }
 
diff --git a/src/main/java/org/prebid/server/bidder/silvermob/SilvermobBidder.java b/src/main/java/org/prebid/server/bidder/silvermob/SilvermobBidder.java
@@ -104,8 +104,8 @@ private static Boolean isInvalidHost(String host) {
 
     private String resolveEndpoint(ExtImpSilvermob extImp) {
         return endpointUrl
-                .replace(URL_HOST_MACRO, extImp.getHost())
-                .replace(URL_ZONE_ID_MACRO, HttpUtil.encodeUrl(extImp.getZoneId()));
+                .replace(URL_HOST_MACRO, HttpUtil.validateDomainName(extImp.getHost()))
+                .replace(URL_ZONE_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(extImp.getZoneId())));
     }
 
     private static MultiMap resolveHeaders(Device device) {
diff --git a/src/main/java/org/prebid/server/bidder/smartyads/SmartyAdsBidder.java b/src/main/java/org/prebid/server/bidder/smartyads/SmartyAdsBidder.java
@@ -97,7 +97,7 @@ private static Imp updateImp(Imp imp) {
 
     private String resolveUrl(ExtImpSmartyAds extImp) {
         return endpointUrl
-                .replace(URL_HOST_MACRO, extImp.getHost())
+                .replace(URL_HOST_MACRO, HttpUtil.validateDomainName(extImp.getHost()))
                 .replace(URL_SOURCE_ID_MACRO, HttpUtil.encodeUrl(extImp.getSourceId()))
                 .replace(URL_ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(extImp.getAccountId()));
     }
diff --git a/src/main/java/org/prebid/server/bidder/smilewanted/SmileWantedBidder.java b/src/main/java/org/prebid/server/bidder/smilewanted/SmileWantedBidder.java
@@ -56,7 +56,8 @@ public Result<List<HttpRequest<BidRequest>>> makeHttpRequests(BidRequest request
         }
 
         final BidRequest outgoingRequest = request.toBuilder().at(DEFAULT_AT).build();
-        final String url = endpointUrl.replace(ZONE_ID_MACRO, HttpUtil.encodeUrl(extImpSmilewanted.getZoneId()));
+        final String url = endpointUrl.replace(
+                ZONE_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(extImpSmilewanted.getZoneId())));
 
         return Result.withValue(BidderUtil.defaultRequest(
                 outgoingRequest,
diff --git a/src/main/java/org/prebid/server/bidder/tappx/TappxBidder.java b/src/main/java/org/prebid/server/bidder/tappx/TappxBidder.java
@@ -23,6 +23,7 @@
 import org.prebid.server.proto.openrtb.ext.request.tappx.ExtImpTappx;
 import org.prebid.server.proto.openrtb.ext.response.BidType;
 import org.prebid.server.util.BidderUtil;
+import org.prebid.server.util.HttpUtil;
 
 import java.math.BigDecimal;
 import java.net.URISyntaxException;
@@ -101,7 +102,8 @@ private String resolveUrl(ExtImpTappx extImpTappx, Integer test) {
 
         if (!isNewEndpoint) {
             final List<String> pathSegments = uriBuilder.getPathSegments();
-            uriBuilder.setPathSegments(ListUtils.union(pathSegments, Collections.singletonList(subdomain)));
+            uriBuilder.setPathSegments(ListUtils.union(pathSegments,
+                    Collections.singletonList(HttpUtil.validatePathSegment(subdomain))));
         }
 
         uriBuilder.addParameter("tappxkey", extImpTappx.getTappxkey());
diff --git a/src/main/java/org/prebid/server/bidder/thetradedesk/TheTradeDeskBidder.java b/src/main/java/org/prebid/server/bidder/thetradedesk/TheTradeDeskBidder.java
@@ -175,7 +175,8 @@ private static App modifyApp(BidRequest request, String publisherId) {
     private String resolveEndpoint(String sourceSupplyId) {
         return endpointUrl.replace(
                 SUPPLY_ID_MACRO,
-                HttpUtil.encodeUrl(StringUtils.defaultString(ObjectUtils.defaultIfNull(sourceSupplyId, supplyId))));
+                HttpUtil.encodeUrl(HttpUtil.validatePathSegment(
+                        StringUtils.defaultString(ObjectUtils.defaultIfNull(sourceSupplyId, supplyId)))));
     }
 
     @Override
diff --git a/src/main/java/org/prebid/server/bidder/tradplus/TradPlusBidder.java b/src/main/java/org/prebid/server/bidder/tradplus/TradPlusBidder.java
@@ -79,8 +79,9 @@ private void validateImpExt(ExtImpTradPlus extImpTradPlus) {
     private HttpRequest<BidRequest> makeHttpRequest(ExtImpTradPlus extImpTradPlus, List<Imp> imps,
                                                     BidRequest bidRequest) {
         final String uri;
-        uri = endpointUrl.replace(ZONE_ID, extImpTradPlus.getZoneId()).replace(ACCOUNT_ID,
-                extImpTradPlus.getAccountId());
+        uri = endpointUrl
+                .replace(ZONE_ID, HttpUtil.validateDomainName(extImpTradPlus.getZoneId()))
+                .replace(ACCOUNT_ID, HttpUtil.validatePathSegment(extImpTradPlus.getAccountId()));
 
         final BidRequest outgoingRequest = bidRequest.toBuilder().imp(removeImpsExt(imps)).build();
 
diff --git a/src/main/java/org/prebid/server/bidder/trafficgate/TrafficGateBidder.java b/src/main/java/org/prebid/server/bidder/trafficgate/TrafficGateBidder.java
@@ -65,7 +65,7 @@ private HttpRequest<BidRequest> createSingleRequest(ExtImpTrafficGate extImpTraf
     }
 
     private String resolveHost(ExtImpTrafficGate extImpTrafficGate) {
-        return endpointUrl.replace(SUBDOMAIN_MACRO, extImpTrafficGate.getHost());
+        return endpointUrl.replace(SUBDOMAIN_MACRO, HttpUtil.validateDomainName(extImpTrafficGate.getHost()));
     }
 
     private ExtImpTrafficGate parseImpExt(Imp imp) {
diff --git a/src/main/java/org/prebid/server/bidder/ucfunnel/UcfunnelBidder.java b/src/main/java/org/prebid/server/bidder/ucfunnel/UcfunnelBidder.java
@@ -63,7 +63,8 @@ public Result<List<HttpRequest<BidRequest>>> makeHttpRequests(BidRequest request
             errors.add(BidderError.badInput(e.getMessage()));
         }
 
-        final String requestUrl = "%s/%s/request".formatted(endpointUrl, HttpUtil.encodeUrl(partnerId));
+        final String requestUrl = "%s/%s/request".formatted(endpointUrl,
+                HttpUtil.encodeUrl(HttpUtil.validatePathSegment(partnerId)));
 
         return Result.of(Collections.singletonList(BidderUtil.defaultRequest(request, requestUrl, mapper)),
                 errors);
diff --git a/src/main/java/org/prebid/server/bidder/vidazoo/VidazooBidder.java b/src/main/java/org/prebid/server/bidder/vidazoo/VidazooBidder.java
@@ -68,7 +68,8 @@ private VidazooImpExt parseImpExt(Imp imp) throws PreBidException {
 
     private HttpRequest<BidRequest> makeHttpRequest(BidRequest bidRequest, Imp imp, VidazooImpExt impExt) {
         final BidRequest modifiedBidRequest = bidRequest.toBuilder().imp(Collections.singletonList(imp)).build();
-        final String uri = endpointUrl + HttpUtil.encodeUrl(StringUtils.defaultString(impExt.getConnectionId()).trim());
+        final String uri = endpointUrl + HttpUtil.encodeUrl(
+                HttpUtil.validatePathSegment(StringUtils.defaultString(impExt.getConnectionId()).trim()));
 
         return BidderUtil.defaultRequest(modifiedBidRequest, uri, mapper);
     }
diff --git a/src/main/java/org/prebid/server/bidder/yeahmobi/YeahmobiBidder.java b/src/main/java/org/prebid/server/bidder/yeahmobi/YeahmobiBidder.java
@@ -120,7 +120,7 @@ private String resolveNativeRequest(String nativeRequest) {
     private HttpRequest<BidRequest> makeHttpRequest(BidRequest request, String zoneId) {
         return BidderUtil.defaultRequest(
                 request,
-                endpointUrl.replace(HOST_MACRO, HOST_PATTERN.formatted(zoneId)),
+                endpointUrl.replace(HOST_MACRO, HttpUtil.validateDomainName(HOST_PATTERN.formatted(zoneId))),
                 mapper);
     }
 
diff --git a/src/main/java/org/prebid/server/bidder/yieldlab/YieldlabBidder.java b/src/main/java/org/prebid/server/bidder/yieldlab/YieldlabBidder.java
@@ -153,7 +153,8 @@ private ExtImpYieldlab parseImpExt(Imp imp) {
     }
 
     private String makeUrl(ExtImpYieldlab extImpYieldlab, BidRequest request, Map<String, ExtImpYieldlab> extImps) {
-        final String updatedPath = "%s/%s".formatted(endpointUrl, extImpYieldlab.getAdslotId());
+        final String updatedPath = "%s/%s".formatted(
+                endpointUrl, HttpUtil.validatePathSegment(extImpYieldlab.getAdslotId()));
 
         final URIBuilder uriBuilder;
         try {
@@ -546,9 +547,9 @@ private String makeNurl(BidRequest bidRequest, ExtImpYieldlab extImp, YieldlabBi
         }
 
         return AD_SOURCE_URL.formatted(
-                extImp.getAdslotId(),
-                extImp.getSupplyId(),
-                yieldlabBid.getAdSize(),
+                HttpUtil.validatePathSegment(extImp.getAdslotId()),
+                HttpUtil.validatePathSegment(extImp.getSupplyId()),
+                HttpUtil.validatePathSegment(yieldlabBid.getAdSize()),
                 uriBuilder.toString().replace("?", ""));
     }
 
diff --git a/src/main/java/org/prebid/server/bidder/zeroclickfraud/ZeroclickfraudBidder.java b/src/main/java/org/prebid/server/bidder/zeroclickfraud/ZeroclickfraudBidder.java
@@ -90,7 +90,7 @@ private ExtImpZeroclickfraud parseAndValidateImpExt(ObjectNode extNode) {
     private HttpRequest<BidRequest> makeHttpRequest(ExtImpZeroclickfraud extImpZeroclickfraud, List<Imp> imps,
                                                     BidRequest bidRequest) {
         final String uri = endpointTemplate
-                .replace(HOST, extImpZeroclickfraud.getHost())
+                .replace(HOST, HttpUtil.validateDomainName(extImpZeroclickfraud.getHost()))
                 .replace(SOURCE_ID, extImpZeroclickfraud.getSourceId().toString());
 
         final BidRequest outgoingRequest = bidRequest.toBuilder().imp(imps).build();
diff --git a/src/main/java/org/prebid/server/util/HttpUtil.java b/src/main/java/org/prebid/server/util/HttpUtil.java
diff --git a/src/main/resources/bidder-config/clydo.yaml b/src/main/resources/bidder-config/clydo.yaml
diff --git a/src/test/java/org/prebid/server/util/HttpUtilTest.java b/src/test/java/org/prebid/server/util/HttpUtilTest.java

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ private ExtImpAcuityads parseImpExt(Imp imp) {`
`95`	`95`
`96`	`96`	`private String resolveEndpoint(String host, String accountId) {`
`97`	`97`	`return endpointUrl`
`98`		`- .replace(URL_HOST_MACRO, StringUtils.stripToEmpty(host))`
	`98`	`+ .replace(URL_HOST_MACRO, HttpUtil.validateDomainName(StringUtils.stripToEmpty(host)))`
`99`	`99`	`.replace(URL_ACCOUNT_ID_MACRO, StringUtils.stripToEmpty(accountId));`
`100`	`100`	`}`
`101`	`101`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ private ExtImpAdhese parseImpExt(Imp imp) {`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`private String getUrl(ExtImpAdhese extImpAdhese) {`
`81`		`- return endpointUrl.replace("{{AccountId}}", extImpAdhese.getAccount());`
	`81`	`+ return endpointUrl.replace("{{AccountId}}", HttpUtil.validateDomainName(extImpAdhese.getAccount()));`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`private BidRequest modifyBidRequest(BidRequest bidRequest, ExtImpAdhese extImpAdhese) {`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ private ExtImpAdtonos parseImpExt(Imp imp) {`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`private String makeUrl(ExtImpAdtonos extImp) {`
`66`		`- return endpointUrl.replace(PUBLISHER_ID_MACRO, extImp.getSupplierId());`
	`66`	`+ return endpointUrl.replace(PUBLISHER_ID_MACRO, HttpUtil.validatePathSegment(extImp.getSupplierId()));`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ private static Banner resolveBanner(Banner banner) {`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`private String resolveEndpoint(String accountId) {`
`134`		`- return endpointUrl.replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(accountId));`
	`134`	`+ return endpointUrl.replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(accountId)));`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ private ExtImpAxonix parseImpExt(Imp imp) {`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`private String resolveEndpoint(String supplyId) {`
`70`		`- return endpointUrl.replace(URL_SUPPLY_ID_MACRO, HttpUtil.encodeUrl(supplyId));`
	`70`	`+ return endpointUrl.replace(URL_SUPPLY_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(supplyId)));`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -142,9 +142,9 @@ private static boolean isMissedRewardedBattr(List<Integer> battr) {`
`142`	`142`	`}`
`143`	`143`
`144`	`144`	`private String buildEndpointUrl(ExtImpBidmachine extImpBidmachine) {`
`145`		`- return endpointUrl.replace("{{HOST}}", extImpBidmachine.getHost())`
`146`		`- .replace("{{PATH}}", extImpBidmachine.getPath())`
`147`		`- .replace("{{SELLER_ID}}", extImpBidmachine.getSellerId());`
	`145`	`+ return endpointUrl.replace("{{HOST}}", HttpUtil.validateDomainName(extImpBidmachine.getHost()))`
	`146`	`+ .replace("{{PATH}}", HttpUtil.validatePathSegment(extImpBidmachine.getPath()))`
	`147`	`+ .replace("{{SELLER_ID}}", HttpUtil.validatePathSegment(extImpBidmachine.getSellerId()));`
`148`	`148`	`}`
`149`	`149`
`150`	`150`	`private ExtPrebid<ExtImpPrebid, ExtImpBidmachine> parseImpExt(Imp imp) {`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ private static MultiMap makeHeaders(String supplyId) {`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`private String makeUrl(String supplyId) {`
`75`		`- return endpointUrl.replace(SUPPLY_ID_MACRO, HttpUtil.encodeUrl(supplyId));`
	`75`	`+ return endpointUrl.replace(SUPPLY_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(supplyId)));`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ private static MultiMap constructHeaders(BidRequest bidRequest) {`
`111`	`111`	`private static String resolveUrl(String endpoint, ExtImpClydo extImp) {`
`112`	`112`	`return endpoint`
`113`	`113`	`.replace(REGION_MACRO, getRegionInfo(extImp))`
`114`		`- .replace(PARTNER_ID_MACRO, HttpUtil.encodeUrl(extImp.getPartnerId()));`
	`114`	`+ .replace(PARTNER_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(extImp.getPartnerId())));`
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`private static String getRegionInfo(ExtImpClydo extImp) {`
Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ private static User modifyUser(User user) {`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`private String makeUrl(String customerId) {`
`132`		`- return endpointUrl.replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(customerId));`
	`132`	`+ return endpointUrl.replace(ACCOUNT_ID_MACRO, HttpUtil.encodeUrl(HttpUtil.validatePathSegment(customerId)));`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ private ExtImpElementalTV parseAndValidateImpExt(Imp imp) {`
`86`	`86`	`private String resolveUrl(ExtImpElementalTV extImp) {`
`87`	`87`	`try {`
`88`	`88`	`return endpointTemplate`
`89`		`- .replace("{{AdUnit}}", HttpUtil.encodeUrl(extImp.getAdunit()));`
	`89`	`+ .replace("{{AdUnit}}", HttpUtil.encodeUrl(HttpUtil.validatePathSegment(extImp.getAdunit())));`
`90`	`90`	`} catch (Exception e) {`
`91`	`91`	`throw new PreBidException(e.getMessage());`
`92`	`92`	`}`