satisfy github scanning - ssrf

eclipse-edc · Jan 21, 2025 · 645661d · 645661d
1 parent cce1196
commit 645661d
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/...shicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVaultSignatureService.java b/...shicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVaultSignatureService.java
@@ -16,6 +16,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import okhttp3.HttpUrl;
 import okhttp3.Request;
 import okhttp3.RequestBody;
 import org.eclipse.edc.http.spi.EdcHttpClient;
@@ -64,7 +65,12 @@ public HashicorpVaultSignatureService(Monitor monitor, HashicorpVaultSettings se
     @Override
     public Result<byte[]> sign(String key, byte[] payload, String signatureAlgorithm) {
 
-        var url = settings.url() + settings.secretsEnginePath() + "/sign/" + key;
+        var url = HttpUrl.parse(settings.url())
+                .newBuilder()
+                .addPathSegments(secretPath())
+                .addPathSegment("sign")
+                .addPathSegment(key)
+                .build();
 
         // omit key version from request body -> we'll always sign with the latest one
         var body = Map.of("input", Base64.getEncoder().encodeToString(payload));
@@ -121,7 +127,12 @@ private RequestBody jsonBody(Object body) {
     @Override
     public Result<Void> verify(String key, byte[] signingInput, byte[] signature, String signatureAlgorithm) {
         //why using resolve: addPathSegments would prepend another "/", and addPathSegment would url-encode the path
-        var url = settings.url() + settings.secretsEnginePath() + "/verify/" + key;
+        var url = HttpUrl.parse(settings.url())
+                .newBuilder()
+                .addPathSegments(secretPath())
+                .addPathSegment("verify")
+                .addPathSegment(key)
+                .build();
 
         // omit key version from request body -> we'll always sign with the latest one
         var body = Map.of("input", Base64.getEncoder().encodeToString(signingInput),
@@ -154,6 +165,10 @@ public Result<Void> verify(String key, byte[] signingInput, byte[] signature, St
         }
     }
 
+    private String secretPath() {
+        return settings.secretsEnginePath().replaceFirst("/", ""); //chop off leading slash for HttpUrl builder
+    }
+
     /**
      * Rotates the key in Hashicorp Transit engine.
      *
@@ -163,7 +178,13 @@ public Result<Void> verify(String key, byte[] signingInput, byte[] signature, St
      */
     @Override
     public Result<Void> rotate(String key, Map<String, Object> ignored) {
-        var url = settings.url() + settings.secretsEnginePath() + "/keys/" + key + "/rotate";
+        var url = HttpUrl.parse(settings.url())
+                .newBuilder()
+                .addPathSegments(secretPath())
+                .addPathSegment("keys")
+                .addPathSegment(key)
+                .addPathSegments("rotate")
+                .build();
 
         var request = new Request.Builder()
                 .url(url)