sync with code skills project update

righettod · righettod · commit ed723825707e · 2026-05-01T10:27:16.000+02:00
diff --git a/src/main/java/eu/righettod/SecurityUtils.java b/src/main/java/eu/righettod/SecurityUtils.java
@@ -401,19 +401,25 @@ public static void clearPDFMetadata(PDDocument document) {
      */
     public static boolean isRelativeURL(String targetUrl) {
         boolean isValid = false;
-        //Reject any URL encoded content and URL starting with a double slash
-        //Reject any URL contains credentials or fragment to prevent potential bypasses
         String work = targetUrl;
-        if (!work.contains("%") && !work.contains("@") && !work.contains("#") && !work.startsWith("//")) {
-            //Creation of a URL object must fail
-            try {
-                new URL(work);
-                isValid = false;
-            } catch (MalformedURLException mf) {
-                //Last check to be sure (for prod usage compile the pattern one time)
-                isValid = Pattern.compile("^/[a-z0-9]+", Pattern.CASE_INSENSITIVE).matcher(work).find();
+        Pattern startingPrefix = Pattern.compile("^[/a-zA-Z0-9\\-_].*");
+        //Reject any URL no starting with a slash, letter, number, dash, or underscore
+        if (startingPrefix.matcher(work).find()) {
+            //Reject any URL encoded content and URL starting with a double slash
+            if (!work.startsWith("//") && !work.contains("%")) {
+                //Try to create en URI object
+                try {
+                    URI u = new URI(work);
+                    //Scheme must be null
+                    if (u.getScheme() == null) {
+                        isValid = (!u.isAbsolute());
+                    }
+                } catch (URISyntaxException mf) {
+                    isValid = false;
+                }
             }
         }
+
         return isValid;
     }
 
diff --git a/src/test/java/eu/righettod/TestSecurityUtils.java b/src/test/java/eu/righettod/TestSecurityUtils.java
@@ -166,11 +166,11 @@ public void isZIPSafe() {
 
     @Test
     public void isRelativeURL() {
-        List<String> nonRelativeURLList = Arrays.asList("//righettod.eu", "http://righettod.eu", "https://righettod.eu", "ssh://righettod.eu", "http://login:pass@righettod.eu");
+        List<String> nonRelativeURLList = Arrays.asList("//righettod.eu", "http://righettod.eu", "https://righettod.eu", "ssh://righettod.eu", "ssh://righettod.eu%23");
         nonRelativeURLList.forEach(u -> {
             assertFalse(SecurityUtils.isRelativeURL(u), String.format("URL '%s' must be detected as NOT relative!", u));
         });
-        List<String> relativeURLList = Arrays.asList("/righettod.eu", "/test.jsp");
+        List<String> relativeURLList = Arrays.asList("/righettod.eu", "/test.jsp", "/test.jsp?a=b");
         relativeURLList.forEach(u -> {
             assertTrue(SecurityUtils.isRelativeURL(u), String.format("URL '%s' must be detected as relative!", u));
         });
