twilio-java

Fix RequestValidator URL encoding preservation during port manipulation

Open Copilot opened this issue 3 months ago • 2 comments

The RequestValidator.validate method was incorrectly decoding URL-encoded characters when manipulating ports, causing validation failures for URLs with encoded query parameters, paths, or user info.

Problem

When validating URLs with ports, the updatePort method was using decoded URI components (getPath(), getQuery(), getFragment(), getUserInfo()), which automatically decoded URL-encoded characters. This caused URLs like:

https://someurl.com:443/somepath?param1=client%3AAnonymous

to be incorrectly converted to:

https://someurl.com/somepath?param1=client:Anonymous

This resulted in different signature validation for equivalent URLs with and without explicit ports.

Solution

Updated the updatePort method to use raw URI components that preserve original encoding:

  • getUserInfo() → getRawUserInfo()
  • getPath() → getRawPath()
  • getQuery() → getRawQuery()
  • getFragment() → getRawFragment()

The method now manually constructs URLs using a StringBuilder to avoid the automatic encoding performed by the URI constructor.

Testing

  • All existing tests continue to pass (12/12)
  • Added testValidatePreservesUrlEncodingInQuery to prevent regression
  • Verified the original issue example now works correctly
  • Tested edge cases including encoded userinfo, fragments, and multiple encoded characters

Example that now works correctly:

String url1 = "https://someurl.com/somepath?param1=client%3AAnonymous";
String url2 = "https://someurl.com:443/somepath?param1=client%3AAnonymous";
String signature = "PM+bjB+ITJ9a3LIYStKWOTMZMlU=";
RequestValidator r = new RequestValidator("1234567890");

// Both now return true
r.validate(url1, new HashMap<>(), signature); // true
r.validate(url2, new HashMap<>(), signature); // true

Fixes #601.



Copilot avatar Sep 18 '25 10:09 Copilot
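
The decoding behaviour described in the pull request above, as an added example that is not code from the pull request or from twilio-java. It strips the port from the page's sample URL twice, once through the decoded `java.net.URI` getters and once through the raw ones, then compares an HMAC over each result. The class and helper names are hypothetical, and HMAC-SHA1 over the bare URL string is an assumption standing in for the validator's signature step.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PortRewriteDemo {
    // Hypothetical helper: strips the port using DECODED getters. The getters
    // percent-decode, and the multi-argument URI constructor re-quotes only
    // illegal characters, so a legal ':' is never turned back into %3A.
    static String stripPortDecoded(URI u) throws Exception {
        return new URI(u.getScheme(), u.getUserInfo(), u.getHost(), -1,
                u.getPath(), u.getQuery(), u.getFragment()).toString();
    }

    // Hypothetical helper: strips the port using RAW getters and a
    // StringBuilder, so every percent-escape is carried over unchanged.
    static String stripPortRaw(URI u) {
        StringBuilder sb = new StringBuilder(u.getScheme()).append("://");
        if (u.getRawUserInfo() != null) sb.append(u.getRawUserInfo()).append('@');
        sb.append(u.getHost());
        if (u.getRawPath() != null) sb.append(u.getRawPath());
        if (u.getRawQuery() != null) sb.append('?').append(u.getRawQuery());
        if (u.getRawFragment() != null) sb.append('#').append(u.getRawFragment());
        return sb.toString();
    }

    // Assumption: HMAC-SHA1 over the URL string stands in for the signature step.
    static byte[] sign(String key, String url) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return mac.doFinal(url.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String key = "1234567890"; // sample token from the page
        String noPort = "https://someurl.com/somepath?param1=client%3AAnonymous";
        URI withPort = new URI("https://someurl.com:443/somepath?param1=client%3AAnonymous");
        String decoded = stripPortDecoded(withPort);
        String raw = stripPortRaw(withPort);
        System.out.println("decoded rebuild: " + decoded);
        System.out.println("raw rebuild:     " + raw);
        byte[] expected = sign(key, noPort);
        // Constant-time comparison, as a signature check should use.
        System.out.println("decoded matches: " + MessageDigest.isEqual(expected, sign(key, decoded)));
        System.out.println("raw matches:     " + MessageDigest.isEqual(expected, sign(key, raw)));
    }
}
```

Only the raw rebuild is byte-identical to the port-free URL, so only its MAC matches; the decoded rebuild changes the signed string even though both URLs address the same resource.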

@manisha1997 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

Copilot avatar Sep 18 '25 10:09 Copilot

Quality Gate failed

Failed conditions
75.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

sonarqubecloud[bot] avatar Sep 18 '25 11:09 sonarqubecloud[bot]