From 645661d5123f7396aadeac2d1f939ccfd004d2bd Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger <paul.latzelsperger@beardyinc.com>
Date: Tue, 21 Jan 2025 17:37:01 +0100
Subject: [PATCH] satisfy github scanning - ssrf

---
 .../HashicorpVaultSignatureService.java       | 27 ++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVaultSignatureService.java b/extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVaultSignatureService.java
index 5717cea216..abc056b43a 100644
--- a/extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVaultSignatureService.java
+++ b/extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVaultSignatureService.java
@@ -16,6 +16,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import okhttp3.HttpUrl;
 import okhttp3.Request;
 import okhttp3.RequestBody;
 import org.eclipse.edc.http.spi.EdcHttpClient;
@@ -64,7 +65,12 @@ public HashicorpVaultSignatureService(Monitor monitor, HashicorpVaultSettings se
     @Override
     public Result<byte[]> sign(String key, byte[] payload, String signatureAlgorithm) {
 
-        var url = settings.url() + settings.secretsEnginePath() + "/sign/" + key;
+        var url = HttpUrl.parse(settings.url())
+                .newBuilder()
+                .addPathSegments(secretPath())
+                .addPathSegment("sign")
+                .addPathSegment(key)
+                .build();
 
         // omit key version from request body -> we'll always sign with the latest one
         var body = Map.of("input", Base64.getEncoder().encodeToString(payload));
@@ -121,7 +127,12 @@ private RequestBody jsonBody(Object body) {
     @Override
     public Result<Void> verify(String key, byte[] signingInput, byte[] signature, String signatureAlgorithm) {
         //why using resolve: addPathSegments would prepend another "/", and addPathSegment would url-encode the path
-        var url = settings.url() + settings.secretsEnginePath() + "/verify/" + key;
+        var url = HttpUrl.parse(settings.url())
+                .newBuilder()
+                .addPathSegments(secretPath())
+                .addPathSegment("verify")
+                .addPathSegment(key)
+                .build();
 
         // omit key version from request body -> we'll always sign with the latest one
         var body = Map.of("input", Base64.getEncoder().encodeToString(signingInput),
@@ -154,6 +165,10 @@ public Result<Void> verify(String key, byte[] signingInput, byte[] signature, St
         }
     }
 
+    private String secretPath() {
+        return settings.secretsEnginePath().replaceFirst("/", ""); //chop off leading slash for HttpUrl builder
+    }
+
     /**
      * Rotates the key in Hashicorp Transit engine.
      *
@@ -163,7 +178,13 @@ public Result<Void> verify(String key, byte[] signingInput, byte[] signature, St
      */
     @Override
     public Result<Void> rotate(String key, Map<String, Object> ignored) {
-        var url = settings.url() + settings.secretsEnginePath() + "/keys/" + key + "/rotate";
+        var url = HttpUrl.parse(settings.url())
+                .newBuilder()
+                .addPathSegments(secretPath())
+                .addPathSegment("keys")
+                .addPathSegment(key)
+                .addPathSegments("rotate")
+                .build();
 
         var request = new Request.Builder()
                 .url(url)