/**
 * Appends one {@code key=value} pair to the URL being assembled in {@code b}.
 *
 * <p>The pair is prefixed with {@code ?} when it is the first query parameter and with
 * {@code &} otherwise. Both the key and the value go through
 * {@link UrlUtil#escapeUrlParam(String)} before being appended, so raw user-supplied
 * text never lands in the URL unescaped.
 *
 * @param b         the buffer holding the URL under construction
 * @param first     whether no query parameter has been appended to {@code b} yet
 * @param nextKey   the raw (not yet escaped) parameter name
 * @param nextValue the raw (not yet escaped) parameter value
 * @return {@code false} in every case: the value the caller should pass as {@code first}
 *         for the following parameter
 */
private boolean addQueryParameter(StringBuilder b, boolean first, String nextKey, String nextValue) {
    char separator = first ? '?' : '&';
    b.append(separator)
        .append(UrlUtil.escapeUrlParam(nextKey))
        .append('=')
        .append(UrlUtil.escapeUrlParam(nextValue));
    // Once a parameter has been written, the next one can never be "first" again.
    return false;
}
/**
 * Splits {@code theQueryString} into name/value pairs and accumulates them into {@code map}.
 *
 * <p>A leading {@code ?} is dropped, pairs are separated by {@code &}, blank pairs are
 * skipped, and a pair without {@code =} is stored with an empty value. Names and values are
 * passed through {@link #unescape(String)} before being stored; a repeated name appends to
 * the list already held for it.
 *
 * @param theQueryString the raw query string; {@code null} is treated as an empty string
 * @param map            receives the parsed parameters, one list of values per name
 */
private static void parseQueryString(String theQueryString, HashMap<String, List<String>> map) {
    String remaining = defaultString(theQueryString);
    if (remaining.startsWith("?")) {
        remaining = remaining.substring(1);
    }

    StringTokenizer pairs = new StringTokenizer(remaining, "&");
    while (pairs.hasMoreTokens()) {
        String pair = pairs.nextToken();
        if (isBlank(pair)) {
            continue;
        }

        // Only the first '=' separates name from value; later ones belong to the value.
        int separatorAt = pair.indexOf('=');
        String rawName = separatorAt < 0 ? pair : pair.substring(0, separatorAt);
        String rawValue = separatorAt < 0 ? "" : pair.substring(separatorAt + 1);

        String name = unescape(rawName);
        String value = unescape(rawValue);
        map.computeIfAbsent(name, ignored -> new ArrayList<>()).add(value);
    }
}
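/**
 * Installs the request parameters and clears the cached unqualified-to-qualified name lookup.
 *
 * <p>Any parameter name that {@link UrlUtil#isNeedsSanitization(String)} flags is rewritten
 * with {@link UrlUtil#sanitizeUrlPart(String)}, so request-supplied names cannot carry markup
 * into output that later echoes them. Two distinct raw names may sanitize to the same string;
 * their value arrays are concatenated instead of letting {@code Collectors.toMap} abort the
 * request with an {@link IllegalStateException} on the duplicate key.
 *
 * @param theParams the parameters to install, keyed by raw parameter name; stored unchanged
 *                  when no name needs sanitizing
 */
public void setParameters(Map<String, String[]> theParams) {
    myParameters = theParams;
    myUnqualifiedToQualifiedNames = null;

    // Sanitize keys if necessary to prevent injection attacks
    boolean needsSanitization = theParams.keySet().stream().anyMatch(UrlUtil::isNeedsSanitization);
    if (needsSanitization) {
        // Stream the typed parameter rather than the field so no raw Map.Entry casts are needed.
        myParameters = theParams.entrySet().stream()
            .collect(Collectors.toMap(
                entry -> UrlUtil.sanitizeUrlPart(entry.getKey()),
                Map.Entry::getValue,
                (left, right) -> concatValues(left, right)));
    }
}

/** Returns a new array holding every element of {@code left} followed by every element of {@code right}. */
private static String[] concatValues(String[] left, String[] right) {
    String[] merged = new String[left.length + right.length];
    System.arraycopy(left, 0, merged, 0, left.length);
    System.arraycopy(right, 0, merged, left.length, right.length);
    return merged;
}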
/**
 * Parses a single query string into a map from parameter name to all of its values.
 *
 * @param theQueryString the query string, with or without a leading {@code ?}
 * @return the parsed parameters, each name mapped to its values
 */
public static Map<String, String[]> parseQueryString(String theQueryString) {
    HashMap<String, List<String>> collected = new HashMap<>();
    parseQueryString(theQueryString, collected);
    Map<String, String[]> result = toQueryStringMap(collected);
    return result;
}
/**
 * Returns the next path portion with its URL-encoding undone and the characters
 * {@code <} and {@code "} HTML-encoded, since neither is useful in FHIR URL paths and
 * both can carry injected markup.
 *
 * @return the next token, unescaped and then sanitized
 * @see UrlUtil#sanitizeUrlPart(String)
 * @see UrlUtil#unescape(String)
 */
public String nextTokenUnescapedAndSanitized() {
    String rawToken = myTok.nextToken();
    String unescaped = UrlUtil.unescape(rawToken);
    return UrlUtil.sanitizeUrlPart(unescaped);
}
/**
 * Resets the refresh schedule and re-registers every configured warm-cache entry.
 *
 * <p>Each entry's URL is parsed up front (its search-parameter part and its resource type)
 * before the entry is accepted, and every entry is then recorded with a next-refresh time
 * of {@code 0}.
 */
public synchronized void initCacheMap() {
    myCacheEntryToNextRefresh.clear();
    for (WarmCacheEntry entry : myDaoConfig.getWarmCacheEntries()) {
        String url = entry.getUrl();
        // Validate: both halves of the URL must parse before the entry is scheduled.
        parseWarmUrlParamPart(url);
        UrlUtil.parseUrlResourceType(myCtx, url);
        myCacheEntryToNextRefresh.put(entry, 0L);
    }
}
}
if (theRequestType == RequestTypeEnum.POST && isNotBlank(contentType) && contentType.startsWith(Constants.CT_X_FORM_URLENCODED)) { String requestBody = new String(requestDetails.loadRequestContents(), Constants.CHARSET_UTF8); params = UrlUtil.parseQueryStrings(theRequest.getQueryString(), requestBody); } else if (theRequestType == RequestTypeEnum.GET) { params = UrlUtil.parseQueryString(theRequest.getQueryString()); params = UrlUtil.parseQueryString(theRequest.getQueryString()); } else { params = Collections.emptyMap();
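/**
 * HTML-encodes the {@code "} and {@code <} characters of {@code theString} so that a
 * request-supplied URL part cannot inject markup into output that echoes it.
 *
 * <p>Only those two characters are rewritten; {@code >}, {@code &} and {@code '} pass through
 * unchanged, so this is not a general-purpose HTML encoder. A string that
 * {@link #isNeedsSanitization(String)} does not flag is returned as the same instance.
 *
 * @param theString the URL part to sanitize, may be {@code null}
 * @return the sanitized string, or {@code null} when {@code theString} is {@code null}
 */
public static String sanitizeUrlPart(String theString) {
    if (theString == null) {
        return null;
    }
    if (!isNeedsSanitization(theString)) {
        return theString;
    }

    // Ok, we're sanitizing. Extra capacity covers a few entity expansions without reallocating.
    StringBuilder buffer = new StringBuilder(theString.length() + 10);
    for (int j = 0; j < theString.length(); j++) {
        char nextChar = theString.charAt(j);
        switch (nextChar) {
            // The replacement must be the entity name: appending the raw character would be a
            // no-op, and the rendered listing's `"""` / `"<"` is that entity decoded by the page.
            case '"':
                buffer.append("&quot;");
                break;
            case '<':
                buffer.append("&lt;");
                break;
            default:
                buffer.append(nextChar);
                break;
        }
    }
    return buffer.toString();
}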
/**
 * Returns the next path portion with its URL-encoding undone and the characters
 * {@code <} and {@code "} HTML-encoded, since neither is useful in FHIR URL paths and
 * both can carry injected markup.
 *
 * @return the next token, unescaped and then sanitized
 * @see UrlUtil#sanitizeUrlPart(String)
 * @see UrlUtil#unescape(String)
 */
public String nextTokenUnescapedAndSanitized() {
    String rawToken = myTok.nextToken();
    String unescaped = UrlUtil.unescape(rawToken);
    return UrlUtil.sanitizeUrlPart(unescaped);
}
/**
 * Parses several query strings into one combined parameter map.
 *
 * <p>Values for a name that occurs in more than one input are gathered together, in the
 * order the inputs are given.
 *
 * @param theQueryString the query strings to merge; a {@code null} element is treated as empty
 * @return the combined parameters, name to values
 */
public static Map<String, String[]> parseQueryStrings(String... theQueryString) {
    HashMap<String, List<String>> merged = new HashMap<>();
    for (int i = 0; i < theQueryString.length; i++) {
        parseQueryString(theQueryString[i], merged);
    }
    return toQueryStringMap(merged);
}
/**
 * Executes the search described by {@code theCacheEntry} once so that its results are warm.
 *
 * <p>The entry URL is resolved to a resource definition via
 * {@link UrlUtil#parseUrlResourceType}, the matching DAO is looked up, the query part of the
 * URL is translated into a {@link SearchParameterMap}, and the search is run. The search
 * result itself is not used here.
 *
 * @param theCacheEntry the configured warm-cache entry whose URL should be searched
 */
private void refreshNow(WarmCacheEntry theCacheEntry) {
    String url = theCacheEntry.getUrl();
    RuntimeResourceDefinition definition = UrlUtil.parseUrlResourceType(myCtx, url);
    IFhirResourceDao<?> dao = myDaoRegistry.getResourceDao(definition.getName());
    String queryPart = parseWarmUrlParamPart(url);
    SearchParameterMap criteria = myMatchUrlService.translateMatchUrl(queryPart, definition);
    dao.search(criteria);
}
if (theRequestType == RequestTypeEnum.POST && isNotBlank(contentType) && contentType.startsWith(Constants.CT_X_FORM_URLENCODED)) { String requestBody = new String(requestDetails.loadRequestContents(), Constants.CHARSET_UTF8); params = UrlUtil.parseQueryStrings(theRequest.getQueryString(), requestBody); } else if (theRequestType == RequestTypeEnum.GET) { params = UrlUtil.parseQueryString(theRequest.getQueryString()); params = UrlUtil.parseQueryString(theRequest.getQueryString()); } else { params = Collections.emptyMap();
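/**
 * HTML-encodes the {@code "} and {@code <} characters of {@code theString} so that a
 * request-supplied URL part cannot inject markup into output that echoes it.
 *
 * <p>Only those two characters are rewritten; {@code >}, {@code &} and {@code '} pass through
 * unchanged, so this is not a general-purpose HTML encoder. A string that
 * {@link #isNeedsSanitization(String)} does not flag is returned as the same instance.
 *
 * @param theString the URL part to sanitize, may be {@code null}
 * @return the sanitized string, or {@code null} when {@code theString} is {@code null}
 */
public static String sanitizeUrlPart(String theString) {
    if (theString == null) {
        return null;
    }
    if (!isNeedsSanitization(theString)) {
        return theString;
    }

    // Ok, we're sanitizing. Extra capacity covers a few entity expansions without reallocating.
    StringBuilder buffer = new StringBuilder(theString.length() + 10);
    for (int j = 0; j < theString.length(); j++) {
        char nextChar = theString.charAt(j);
        switch (nextChar) {
            // The replacement must be the entity name: appending the raw character would be a
            // no-op, and the rendered listing's `"""` / `"<"` is that entity decoded by the page.
            case '"':
                buffer.append("&quot;");
                break;
            case '<':
                buffer.append("&lt;");
                break;
            default:
                buffer.append(nextChar);
                break;
        }
    }
    return buffer.toString();
}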
/**
 * Builds a search URL of the form {@code ResourceType?name=value&name=value}.
 *
 * <p>Every value of every parameter becomes its own {@code name=value} pair, and both names
 * and values are escaped with {@link UrlUtil#escapeUrlParam(String)}. A resource type with
 * no parameter values yields just the resource type, without a {@code ?}.
 *
 * @param theResourceType the resource type that starts the URL
 * @param theMatchParams  parameter names mapped to their values
 * @return a builder containing the assembled URL
 */
public static StringBuilder createUrl(String theResourceType, Map<String, List<String>> theMatchParams) {
    StringBuilder url = new StringBuilder().append(theResourceType);
    boolean firstParameter = true;
    for (Entry<String, List<String>> param : theMatchParams.entrySet()) {
        for (String value : param.getValue()) {
            // The first pair opens the query with '?', every later one is joined with '&'.
            url.append(firstParameter ? '?' : '&');
            firstParameter = false;
            url.append(UrlUtil.escapeUrlParam(param.getKey()))
                .append('=')
                .append(UrlUtil.escapeUrlParam(value));
        }
    }
    return url;
}
switch (fhirContextVersion) { case R4: result.setId(new org.hl7.fhir.r4.model.IdType(myServer.getBaseForRequest(), UrlUtil.unescape(myId), UrlUtil.unescape(myVersion))); break; case DSTU3: result.setId(new org.hl7.fhir.dstu3.model.IdType(myServer.getBaseForRequest(), UrlUtil.unescape(myId), UrlUtil.unescape(myVersion))); break; case DSTU2_1: result.setId(new org.hl7.fhir.dstu2016may.model.IdType(myServer.getBaseForRequest(), UrlUtil.unescape(myId), UrlUtil.unescape(myVersion))); break; case DSTU2_HL7ORG: result.setId(new org.hl7.fhir.instance.model.IdType(myServer.getBaseForRequest(), UrlUtil.unescape(myId), UrlUtil.unescape(myVersion))); break; case DSTU2: result.setId(new ca.uhn.fhir.model.primitive.IdDt(myServer.getBaseForRequest(), UrlUtil.unescape(myId), UrlUtil.unescape(myVersion))); break; default: switch (fhirContextVersion) { case R4: result.setId(new org.hl7.fhir.r4.model.IdType(myServer.getBaseForRequest(), UrlUtil.unescape(myId))); break; case DSTU3: result.setId(new org.hl7.fhir.dstu3.model.IdType(myServer.getBaseForRequest(), UrlUtil.unescape(myId))); break; case DSTU2_1: result.setId(new org.hl7.fhir.dstu2016may.model.IdType(myServer.getBaseForRequest(), UrlUtil.unescape(myId))); break; case DSTU2_HL7ORG:
/**
 * Parses a single query string into a map from parameter name to all of its values.
 *
 * @param theQueryString the query string, with or without a leading {@code ?}
 * @return the parsed parameters, each name mapped to its values
 */
public static Map<String, String[]> parseQueryString(String theQueryString) {
    HashMap<String, List<String>> collected = new HashMap<>();
    parseQueryString(theQueryString, collected);
    Map<String, String[]> result = toQueryStringMap(collected);
    return result;
}
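/**
 * Installs the request parameters and clears the cached unqualified-to-qualified name lookup.
 *
 * <p>Any parameter name that {@link UrlUtil#isNeedsSanitization(String)} flags is rewritten
 * with {@link UrlUtil#sanitizeUrlPart(String)}, so request-supplied names cannot carry markup
 * into output that later echoes them. Two distinct raw names may sanitize to the same string;
 * their value arrays are concatenated instead of letting {@code Collectors.toMap} abort the
 * request with an {@link IllegalStateException} on the duplicate key.
 *
 * @param theParams the parameters to install, keyed by raw parameter name; stored unchanged
 *                  when no name needs sanitizing
 */
public void setParameters(Map<String, String[]> theParams) {
    myParameters = theParams;
    myUnqualifiedToQualifiedNames = null;

    // Sanitize keys if necessary to prevent injection attacks
    boolean needsSanitization = theParams.keySet().stream().anyMatch(UrlUtil::isNeedsSanitization);
    if (needsSanitization) {
        // Stream the typed parameter rather than the field so no raw Map.Entry casts are needed.
        myParameters = theParams.entrySet().stream()
            .collect(Collectors.toMap(
                entry -> UrlUtil.sanitizeUrlPart(entry.getKey()),
                Map.Entry::getValue,
                (left, right) -> concatValues(left, right)));
    }
}

/** Returns a new array holding every element of {@code left} followed by every element of {@code right}. */
private static String[] concatValues(String[] left, String[] right) {
    String[] merged = new String[left.length + right.length];
    System.arraycopy(left, 0, merged, 0, left.length);
    System.arraycopy(right, 0, merged, left.length, right.length);
    return merged;
}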
RuntimeResourceDefinition resourceDefinition; if (theResource == null) { resourceDefinition = UrlUtil.parseUrlResourceType(myFhirContext, theCriteria); } else { resourceDefinition = myFhirContext.getResourceDefinition(theResource);
/**
 * Applies {@link #escapeWithDefault(Object)} followed by {@link UrlUtil#escapeUrlParam(String)}.
 *
 * @param theInput the text to escape; it is passed through {@code escapeWithDefault} first
 * @return the result of URL-encoding the escaped text
 */
public static String escapeAndUrlEncode(String theInput) {
    String escaped = escapeWithDefault(theInput);
    return UrlUtil.escapeUrlParam(escaped);
}
} else { id = myFhirContext.getVersion().newIdType(); id.setParts(null, resourceName, UrlUtil.unescape(nextString), null); throw new InvalidRequestException("Don't know how to handle request path: " + theRequestPath); id.setParts(null, resourceName, id.getIdPart(), UrlUtil.unescape(versionString)); } else { operation = Constants.PARAM_HISTORY;