Add test for invalid encoding

dwalluck · dwalluck · commit 143e6239e485 · 2025-03-11T15:52:00.000-04:00
diff --git a/src/main/java/com/github/packageurl/PackageURL.java b/src/main/java/com/github/packageurl/PackageURL.java
@@ -25,6 +25,7 @@
 import java.io.Serializable;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Collections;
@@ -34,6 +35,7 @@
 import java.util.function.IntPredicate;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
+import java.util.stream.IntStream;
 
 /**
  * <p>Package-URL (aka purl) is a "mostly universal" URL to describe a package. A purl is a URL composed of seven components:</p>
@@ -436,18 +438,18 @@ private String canonicalize(boolean coordinatesOnly) {
             purl.append("/");
         }
         if (name != null) {
-            purl.append(uriEncode(name));
+            purl.append(percentEncode(name));
         }
         if (version != null) {
-            purl.append("@").append(uriEncode(version));
+            purl.append("@").append(percentEncode(version));
         }
         if (! coordinatesOnly) {
             if (qualifiers != null && !qualifiers.isEmpty()) {
                 purl.append("?");
                 qualifiers.entrySet().stream().forEachOrdered(entry -> {
                     purl.append(toLowerCase(entry.getKey()));
                     purl.append("=");
-                    purl.append(uriEncode(entry.getValue()));
+                    purl.append(percentEncode(entry.getValue()));
                     purl.append("&");
                 });
                 purl.setLength(purl.length() - 1);
@@ -459,55 +461,14 @@ private String canonicalize(boolean coordinatesOnly) {
         return purl.toString();
     }
 
-    private static String uriEncode(final String source) {
-        if (source == null || source.isEmpty()) {
-            return source;
-        }
-
-        byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
-        int length = bytes.length;
-        int pos = indexOfFirstUnsafeChar(bytes);
-
-        if (pos == -1) {
-            return source;
-        }
-
-        StringBuilder sb = new StringBuilder(length * 3);
-        sb.append(source, 0, pos);
-
-        for (int i = pos; i < bytes.length; i++) {
-            byte b = bytes[i];
-
-            if (isUnreserved(b)) {
-                sb.append((char) b);
-            } else {
-                sb.append('%');
-                sb.append(Character.toUpperCase(Character.forDigit((b >> 4) & 0xF, 16)));
-                sb.append(Character.toUpperCase(Character.forDigit(b & 0xF, 16)));
-            }
-        }
-
-        return sb.toString();
-    }
-
-    private static int indexOfFirstUnsafeChar(final byte[] bytes) {
-        final int length = bytes.length;
-        int pos = -1;
-
-        for (int i = 0; i < length; i++) {
-            if (!isUnreserved(bytes[i])) {
-                pos = i;
-                break;
-            }
-        }
-
-        return pos;
-    }
-
     private static boolean isUnreserved(int c) {
         return (isValidCharForKey(c) || c == '~');
     }
 
+    private static boolean shouldEncode(int c) {
+        return !isUnreserved(c);
+    }
+
     private static boolean isAlpha(int c) {
         return (isLowerCase(c) || isUpperCase(c));
     }
@@ -563,39 +524,81 @@ private static String toLowerCase(String s) {
         return new String(chars);
     }
 
-    public static String uriDecode(final String source) {
+    private static String percentDecode(final String source) {
         if (source == null || source.isEmpty()) {
             return source;
         }
 
-        int percent = source.indexOf('%');
+        byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
+        int percentCharCount = getPercentCharCount(bytes);
 
-        if (percent == -1) {
+        if (percentCharCount == 0) {
             return source;
         }
 
-        byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
         int length = bytes.length;
-        ByteArrayOutputStream buffer = new ByteArrayOutputStream(length);
-        buffer.write(bytes, 0, percent);
+        int capacity = (length + percentCharCount) - (percentCharCount * 3);
+        ByteBuffer buffer = ByteBuffer.allocate(capacity);
 
-        for (int i = percent; i < length; i++) {
+        for (int i = 0; i < length; i++) {
             int b = bytes[i];
 
             if (b == '%') {
-                    if (i + 2 >= length) {
-                        return null;
-                    }
+                int b1 = Character.digit(bytes[++i], 16);
+                int b2 = Character.digit(bytes[++i], 16);
+                buffer.put((byte) ((b1 << 4) + b2));
+            } else {
+                buffer.put((byte) b);
+            }
+        }
+
+        return new String(buffer.array(),StandardCharsets.UTF_8);
+    }
+
+    @Deprecated
+    public String uriDecode(final String source) {
+        return percentDecode(source);
+    }
+
+    private static int getUnsafeCharCount(final byte[] bytes) {
+        return (int)  IntStream.range(0, bytes.length).map(i -> bytes[i]).filter(PackageURL::shouldEncode).count();
+    }
 
-                    int b1 = Character.digit(bytes[++i], 16);
-                    int b2 = Character.digit(bytes[++i], 16);
-                    buffer.write((char) ((b1 << 4) + b2));
+    private static boolean isPercent(int c) {
+        return (c == '%');
+    }
+
+    private static int getPercentCharCount(final byte[] bytes) {
+        return (int)  IntStream.range(0, bytes.length).map(i -> bytes[i]).filter(PackageURL::isPercent).count();
+    }
+
+    private static String percentEncode(final String source) {
+        if (source == null || source.isEmpty()) {
+            return source;
+        }
+
+        byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
+        int unsafeCharCount = getUnsafeCharCount(bytes);
+
+        if (unsafeCharCount == 0) {
+            return source;
+        }
+
+        int length = bytes.length;
+        int capacity = (length - unsafeCharCount) + (3 * unsafeCharCount);
+        ByteBuffer bb = ByteBuffer.allocate(capacity);
+
+        for (byte b : bytes) {
+            if (shouldEncode(b)) {
+                bb.put((byte) '%');
+                bb.put((byte) Character.toUpperCase(Character.forDigit((b >> 4) & 0xF, 16)));
+                bb.put((byte) Character.toUpperCase(Character.forDigit(b & 0xF, 16)));
             } else {
-                buffer.write(b);
+                bb.put(b);
             }
         }
 
-        return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
+        return new String(bb.array(), StandardCharsets.UTF_8);
     }
 
     /**
@@ -749,7 +752,7 @@ private String[] parsePath(final String value, final boolean isSubpath) {
     }
 
     private String encodePath(final String path) {
-        return Arrays.stream(path.split("/")).map(segment -> uriEncode(segment)).collect(Collectors.joining("/"));
+        return Arrays.stream(path.split("/")).map(segment -> percentEncode(segment)).collect(Collectors.joining("/"));
     }
 
     /**
diff --git a/src/test/java/com/github/packageurl/PackageURLTest.java b/src/test/java/com/github/packageurl/PackageURLTest.java
@@ -83,6 +83,12 @@ public void testEncoding2() throws MalformedPackageURLException {
         Assert.assertEquals("pkg:nuget/%D0%9Cicros%D0%BEft.%D0%95ntit%D1%83Fram%D0%B5work%D0%A1%D0%BEr%D0%B5", purl.toString());
     }
 
+    @Test
+    public void testInvalidPercentEncoding() {
+        Assert.assertThrows(MalformedPackageURLException.class, () -> new PackageURL("pkg:maven/com.google.summit/summit-ast@2.2.0%"));
+        Assert.assertThrows(MalformedPackageURLException.class, () -> new PackageURL("pkg:maven/com.google.summit/summit-ast@2.2.0%0"));
+    }
+
     @Test
     public void testConstructorParsing() throws Exception {
         exception = ExpectedException.none();
