From ac9f68ea52d25c9a5dd237078c64284539cef599 Mon Sep 17 00:00:00 2001
From: "Dr. Christoph \"Schorsch\" Jung"
Date: Thu, 16 May 2024 13:20:08 +0200
Subject: [PATCH] fix: important code smells/forgery threats as of codeql results 2024-05-16
---
 .../tractusx/agents/http/DelegationServiceImpl.java | 8 ++++----
 .../org/eclipse/tractusx/agents/http/GraphController.java | 2 +-
 pom.xml | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/DelegationServiceImpl.java b/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/DelegationServiceImpl.java
index acf4f1b..b02fb2e 100644
--- a/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/DelegationServiceImpl.java
+++ b/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/DelegationServiceImpl.java
@@ -185,8 +185,8 @@ public DelegationResponse sendPostRequest(EndpointDataReference dataReference, S
 return new DelegationResponse(sendRequest(newRequest, response), Response.status(response.getStatus()).build());
 }
- protected static final Pattern PARAMETER_KEY_ALLOW = Pattern.compile("^(?!asset$)[^&?=]+$");
- protected static final Pattern PARAMETER_VALUE_ALLOW = Pattern.compile("^.+$");
+ protected static final Pattern PARAMETER_KEY_ALLOW = Pattern.compile("^(?(?!asset$)[^&?=]+)$");
+ protected static final Pattern PARAMETER_VALUE_ALLOW = Pattern.compile("^(?[^&]+)$");
 /**
 * computes the url to target the given data plane
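Review bot: The value allow-list is loosened here: `PARAMETER_VALUE_ALLOW` moves from `^.+$` to `^(?<value>[^&]+)$`, and unlike `.` the class `[^&]` also matches `\r` and `\n`, so a value containing a line terminator that `matches()` previously rejected now reaches `HttpUtils.urlEncodeParameter` in the next hunk; unless that helper is known to percent-encode CR/LF, exclude them in the pattern, `Pattern.compile("^(?<value>[^&\\r\\n]+)$")`. Since both patterns are anchored with `^...$`, each named group spans the whole match and `group("param")`/`group("value")` return exactly what `group()` returned before, so the change only alters what the static analysis treats as validated, which deserves a comment such as `// named groups carry the validated text so taint tracking sees the checked value, not the raw input`. In this rendering the group names are missing from both literals (`(?(?!asset$)...` and `(?[^&]+)`), presumably stripped as angle-bracket markup during extraction; as printed they would not compile, so confirm the committed text reads `(?<param>` and `(?<value>`. `sendPostRequest` closes inside the hunk, but the class continues outside it.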
@@ -213,11 +213,11 @@ protected HttpUrl getUrl(String connectorUrl, String subUrl, HttpHeaders headers
 String key = param.getKey();
 Matcher keyMatcher = PARAMETER_KEY_ALLOW.matcher(key);
 if (keyMatcher.matches()) {
+ String recodeKey = HttpUtils.urlEncodeParameter(keyMatcher.group("param"));
 for (String value : param.getValue()) {
 Matcher valueMatcher = PARAMETER_VALUE_ALLOW.matcher(value);
 if (valueMatcher.matches()) {
- String recodeKey = HttpUtils.urlEncodeParameter(keyMatcher.group());
- String recodeValue = HttpUtils.urlEncodeParameter(valueMatcher.group());
+ String recodeValue = HttpUtils.urlEncodeParameter(valueMatcher.group("value"));
 httpBuilder = httpBuilder.addQueryParameter(recodeKey, recodeValue);
 }
 }
diff --git a/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/GraphController.java b/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/GraphController.java
index d07a09d..452f04f 100644
--- a/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/GraphController.java
+++ b/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/GraphController.java
@@ -153,7 +153,7 @@ public Response deleteAsset(@QueryParam("asset") String asset,
 try {
 Matcher assetMatcher = config.getAssetReferencePattern().matcher(asset);
 if (assetMatcher.matches()) {
- management.deleteAsset(assetMatcher.group());
+ management.deleteAsset(assetMatcher.group("asset"));
 return Response.ok(store.deleteAsset(asset), MediaType.APPLICATION_JSON_TYPE).build();
 } else {
 return Response.status(Response.Status.NOT_ACCEPTABLE).build();
diff --git a/pom.xml b/pom.xml
index 0e83dfe..1f107c4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -59,7 +59,7 @@
 32.1.2-jre
 9.0.83
 4.1.101.Final
- 9.4.53.v20231009
+ 9.4.54.v20240208
 2.2
 1.1.10.5
 42.7.2
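Review bot: The added lines pre-encode `recodeKey` and `recodeValue` with `HttpUtils.urlEncodeParameter` and then pass them to `httpBuilder.addQueryParameter`; if `httpBuilder` is OkHttp's `HttpUrl.Builder`, that method percent-encodes name and value itself, so characters such as `%` and `+` would be encoded twice, and `httpBuilder.addEncodedQueryParameter(recodeKey, recodeValue)` would be the matching call for input that is already encoded — this should be verified against what `HttpUtils.urlEncodeParameter` actually produces. Hoisting `recodeKey` out of the inner value loop is correct, since it depends only on the key. The `group("param")` and `group("value")` calls couple this code to the group names in the pattern literals of the previous hunk, where `group(String)` throws IllegalArgumentException if a name is absent, so a comment on the patterns naming the consumers would help the next maintainer. `getUrl` starts and ends outside this hunk.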
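Review bot: The validated `assetMatcher.group("asset")` is passed only to `management.deleteAsset`, while the line below still hands the raw `asset` parameter to `store.deleteAsset`; if the named group does not span the whole pattern, the two calls delete under different identifiers, and either way the second call is a flow the analysis still sees as unvalidated, so use the group in both places, `String validatedAsset = assetMatcher.group("asset");` followed by `return Response.ok(store.deleteAsset(validatedAsset), MediaType.APPLICATION_JSON_TYPE).build();`. The change also silently requires `config.getAssetReferencePattern()` to define a group named `asset` — `group(String)` throws IllegalArgumentException otherwise, which would surface as a 500 rather than the NOT_ACCEPTABLE response on the else branch — so that contract belongs in a comment at the pattern's definition or in the config documentation. `deleteAsset` and its `try` block start and end outside this hunk.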