
"Ambiguous URI encoding" error when calling HttpServletRequest#getServletPath() on jetty-ee10-servlet despite a custom `uriCompliance`

Open tmortagne opened this issue 1 year ago • 4 comments

Jetty version(s)

Jetty 12.0.12

Jetty Environment

ee10

Java version/vendor (use: java -version)

openjdk version "21.0.3" 2024-04-16
OpenJDK Runtime Environment (build 21.0.3+9-Ubuntu-1ubuntu1)
OpenJDK 64-Bit Server VM (build 21.0.3+9-Ubuntu-1ubuntu1, mixed mode, sharing)

OS type/version

Ubuntu 24.04.

Description

I modified jetty.xml to set UNSAFE as uriCompliance (not really my target compliance, but wanted to be extra sure) and I can definitely access resources with %2F in the URL for example.

But when I try to use HttpServletRequest#getServletPath() I end up with the following stack trace:

```
org.eclipse.jetty.http.HttpException$IllegalArgumentException: 400: Ambiguous URI encoding: AMBIGUOUS_PATH_SEPARATOR
	at org.eclipse.jetty.ee10.servlet.ServletApiRequest$AmbiguousURI.getServletPath(ServletApiRequest.java:1461)
	at jakarta.servlet.http.HttpServletRequestWrapper.getServletPath(HttpServletRequestWrapper.java:213)
	at jakarta.servlet.http.HttpServletRequestWrapper.getServletPath(HttpServletRequestWrapper.java:213)
	at jakarta.servlet.http.HttpServletRequestWrapper.getServletPath(HttpServletRequestWrapper.java:213)
	...
```

After some debugging, I tracked the root cause to https://github.com/jetty/jetty.project/blob/jetty-12.0.12/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletContextRequest.java#L201:

// TODO we should check if current compliance mode allows all the violations?

Any idea if there is something I can do to work around this, or is the only way for this TODO to be resolved?

tmortagne, Oct 03 '24 14:10
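
For readers wondering why a `%2F` in the path is flagged as AMBIGUOUS_PATH_SEPARATOR at all, here is an added example (not part of the issue and not Jetty code) showing that a single decoded path string cannot distinguish an encoded `/` inside a segment from a real separator. The class and method names are hypothetical, it uses only the JDK, and the sample paths are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class AmbiguousPathDemo {
    // Percent-decode an ASCII raw path. '+' is left alone: this is a path, not form data.
    // Assumes well-formed %XX escapes, as in the constructed samples below.
    static String decode(String raw) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '%' && i + 2 < raw.length()) {
                out.write(Integer.parseInt(raw.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                out.write(c);
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Segments as the client sent them: split on literal '/', then decode each one.
    static List<String> segments(String raw) {
        List<String> result = new ArrayList<>();
        for (String s : raw.split("/")) {
            if (!s.isEmpty()) result.add(decode(s));
        }
        return result;
    }

    // True when the raw path carries an encoded '/' (upper- or lower-case hex).
    static boolean hasEncodedSeparator(String raw) {
        return raw.toLowerCase(Locale.ROOT).contains("%2f");
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the issue.
        String[] samples = {"/files/a%2Fb/report", "/files/a/b/report"};
        for (String raw : samples) {
            System.out.printf("raw=%-22s decoded=%-20s segments=%s ambiguous=%b%n",
                raw, decode(raw), segments(raw), hasEncodedSeparator(raw));
        }
        // Both samples decode to the same string although their segments differ.
        System.out.println("same decoded path: " + decode(samples[0]).equals(decode(samples[1])));
    }
}
```

The two raw paths have three and four segments respectively, yet both decode to `/files/a/b/report`, so any path-based rule evaluated on the decoded value treats them as the same resource.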