Fix URL encoding and decoding

dwalluck · dwalluck · commit c3f02afb9fd3 · 2025-03-13T17:53:57.000-04:00
The methods `uriEncode` and `uriDecode` did not properly handle percent-encoding. In particular, `uriEncode` didn't properly output two uppercase hex digits and `urlDecode` did not properly handle non-ASCII characters. Aditionally, if no percent-encoding was performed, these methods will now return the original string. Fixes #150 Closes #153 Fixes #154
diff --git a/src/main/java/com/github/packageurl/PackageURL.java b/src/main/java/com/github/packageurl/PackageURL.java
@@ -26,6 +26,7 @@
 import java.io.Serializable;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Collections;
@@ -34,6 +35,7 @@
 import java.util.TreeMap;
 import java.util.function.IntPredicate;
 import java.util.stream.Collectors;
+import java.util.stream.IntStream;
 import org.jspecify.annotations.Nullable;
 
 /**
@@ -53,9 +55,10 @@
  * @since 1.0.0
  */
 public final class PackageURL implements Serializable {
-
     private static final long serialVersionUID = 3243226021636427586L;
 
+    private static final char PERCENT_CHAR = '%';
+
     /**
      * Constructs a new PackageURL object by parsing the specified string.
      *
@@ -494,35 +497,14 @@ private String canonicalize(boolean coordinatesOnly) {
         return purl.toString();
     }
 
-    /**
-     * Encodes the input in conformance with RFC 3986.
-     *
-     * @param input the String to encode
-     * @return an encoded String
-     */
-    private String percentEncode(final String input) {
-        if (input.isEmpty()) {
-            return input;
-        }
-
-        StringBuilder builder = new StringBuilder();
-        for (byte b : input.getBytes(StandardCharsets.UTF_8)) {
-            if (isUnreserved(b)) {
-                builder.append((char) b);
-            }
-            else {
-                // Substitution: A '%' followed by the hexadecimal representation of the ASCII value of the replaced character
-                builder.append('%');
-                builder.append(Integer.toHexString(b).toUpperCase());
-            }
-        }
-        return builder.toString();
-    }
-
     private static boolean isUnreserved(int c) {
         return (isValidCharForKey(c) || c == '~');
     }
 
+    private static boolean shouldEncode(int c) {
+        return !isUnreserved(c);
+    }
+
     private static boolean isAlpha(int c) {
         return (isLowerCase(c) || isUpperCase(c));
     }
@@ -578,43 +560,93 @@ private static String toLowerCase(String s) {
         return new String(chars);
     }
 
-    /**
-     * Optionally decodes a String, if it's encoded. If String is not encoded,
-     * method will return the original input value.
-     *
-     * @param input the value String to decode
-     * @return a decoded String
-     */
-    private String percentDecode(final String input) {
-        final String decoded = uriDecode(input);
-        if (!decoded.equals(input)) {
-            return decoded;
+    private static String percentDecode(final String source) {
+        if (source.isEmpty()) {
+            return source;
         }
-        return input;
-    }
 
-    /**
-     * Decodes a percent-encoded string.
-     *
-     * @param source string to decode, not {@code null}
-     * @return A decoded string
-     * @throws NullPointerException if {@code source} is {@code null}
-     */
-    public static String uriDecode(String source) {
-        int length = source.length();
-        StringBuilder builder = new StringBuilder();
+        byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
+        int percentCharCount = getPercentCharCount(bytes);
+
+        if (percentCharCount == 0) {
+            return source;
+        }
+
+        int length = bytes.length;
+        int capacity = (length + percentCharCount) - (percentCharCount * 3);
+
+        if (capacity <= 0) {
+            throw new ValidationException("Invalid encoding in '" + source + "'");
+        }
+
+        ByteBuffer buffer = ByteBuffer.allocate(capacity);
+
         for (int i = 0; i < length; i++) {
-            if (source.charAt(i) == '%') {
-                String str = source.substring(i + 1, i + 3);
-                char c = (char) Integer.parseInt(str, 16);
-                builder.append(c);
-                i += 2;
+            if (buffer.position() + 1 > capacity) {
+                throw new ValidationException("Invalid encoding in '" + source + "'");
             }
-            else {
-                builder.append(source.charAt(i));
+
+            int b;
+
+            if (bytes[i] == PERCENT_CHAR) {
+                int b1 = Character.digit(bytes[++i], 16);
+                int b2 = Character.digit(bytes[++i], 16);
+                b = (byte) ((b1 << 4) + b2);
+            } else {
+                b = bytes[i];
             }
+
+           buffer.put((byte) b);
         }
-        return builder.toString();
+
+        return new String(buffer.array(), StandardCharsets.UTF_8);
+    }
+
+    @Deprecated
+    public String uriDecode(final String source) {
+        return source != null ? percentDecode(source) : null;
+    }
+
+    private static int getUnsafeCharCount(final byte[] bytes) {
+        return (int)  IntStream.range(0, bytes.length).map(i -> bytes[i]).filter(PackageURL::shouldEncode).count();
+    }
+
+    private static boolean isPercent(int c) {
+        return (c == PERCENT_CHAR);
+    }
+
+    private static int getPercentCharCount(final byte[] bytes) {
+        return (int) IntStream.range(0, bytes.length).map(i -> bytes[i]).filter(PackageURL::isPercent).count();
+    }
+
+    private static String percentEncode(final String source) {
+        if (source.isEmpty()) {
+            return source;
+        }
+
+        byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
+        int unsafeCharCount = getUnsafeCharCount(bytes);
+
+        if (unsafeCharCount == 0) {
+            return source;
+        }
+
+        int length = bytes.length;
+        int capacity = (length - unsafeCharCount) + (3 * unsafeCharCount);
+        ByteBuffer buffer = ByteBuffer.allocate(capacity);
+
+        for (byte b : bytes) {
+            if (shouldEncode(b)) {
+                byte b1 = (byte) Character.toUpperCase(Character.forDigit((b >> 4) & 0xF, 16));
+                byte b2 = (byte) Character.toUpperCase(Character.forDigit(b & 0xF, 16));
+                byte[] encoded = {(byte) PERCENT_CHAR, b1, b2};
+                buffer.put(encoded, 0, encoded.length);
+            } else {
+                buffer.put(b);
+            }
+        }
+
+        return new String(buffer.array(), 0, buffer.position(), StandardCharsets.UTF_8);
     }
 
     /**
@@ -691,9 +723,9 @@ private void parse(final String purl) throws MalformedPackageURLException {
             // The 'remainder' should now consist of an optional namespace and the name
             index = remainder.lastIndexOf('/');
             if (index <= start) {
-                this.name = validateName(percentDecode(remainder.substring(start)));
+                this.name = validateName(uriDecode(remainder.substring(start)));
             } else {
-                this.name = validateName(percentDecode(remainder.substring(index + 1)));
+                this.name = validateName(uriDecode(remainder.substring(index + 1)));
                 remainder = remainder.substring(0, index);
                 this.namespace = validateNamespace(parsePath(remainder.substring(start), false));
             }
@@ -743,7 +775,7 @@ private void verifyTypeConstraints(String type, @Nullable String namespace, @Nul
                                 final String[] entry = value.split("=", 2);
                                 if (entry.length == 2 && !entry[1].isEmpty()) {
                                     String key = toLowerCase(entry[0]);
-                                    if (map.put(key, percentDecode(entry[1])) != null) {
+                                    if (map.put(key, uriDecode(entry[1])) != null) {
                                         throw new ValidationException("Duplicate package qualifier encountered. More then one value was specified for " + key);
                                     }
                                 }
@@ -758,12 +790,12 @@ private void verifyTypeConstraints(String type, @Nullable String namespace, @Nul
     private String[] parsePath(final String path, final boolean isSubpath) {
         return Arrays.stream(path.split("/"))
                 .filter(segment -> !segment.isEmpty() && !(isSubpath && (".".equals(segment) || "..".equals(segment))))
-                .map(this::percentDecode)
+                .map(PackageURL::percentDecode)
                 .toArray(String[]::new);
     }
 
     private String encodePath(final String path) {
-        return Arrays.stream(path.split("/")).map(this::percentEncode).collect(Collectors.joining("/"));
+        return Arrays.stream(path.split("/")).map(PackageURL::percentEncode).collect(Collectors.joining("/"));
     }
 
     /**
@@ -894,5 +926,4 @@ private StandardTypes() {
 
         }
     }
-
 }
diff --git a/src/test/java/com/github/packageurl/PackageURLTest.java b/src/test/java/com/github/packageurl/PackageURLTest.java
@@ -71,6 +71,26 @@ static void resetLocale() {
         Locale.setDefault(defaultLocale);
     }
 
+    @Test
+    void validPercentEncoding() throws MalformedPackageURLException {
+        PackageURL purl = new PackageURL("maven", "com.google.summit", "summit-ast", "2.2.0\n", null, null);
+        assertEquals("pkg:maven/com.google.summit/summit-ast@2.2.0%0A", purl.toString());
+        PackageURL purl2 = new PackageURL("pkg:nuget/%D0%9Cicros%D0%BEft.%D0%95ntit%D1%83Fram%D0%B5work%D0%A1%D0%BEr%D0%B5");
+        assertEquals("Мicrosоft.ЕntitуFramеworkСоrе", purl2.getName());
+        assertEquals("pkg:nuget/%D0%9Cicros%D0%BEft.%D0%95ntit%D1%83Fram%D0%B5work%D0%A1%D0%BEr%D0%B5", purl2.toString());
+    }
+
+    @SuppressWarnings("deprecation")
+    @Test
+    void invalidPercentEncoding() throws MalformedPackageURLException {
+        assertThrows(MalformedPackageURLException.class, () -> new PackageURL("pkg:maven/com.google.summit/summit-ast@2.2.0%"));
+        assertThrows(MalformedPackageURLException.class, () -> new PackageURL("pkg:maven/com.google.summit/summit-ast@2.2.0%0"));
+        PackageURL purl = new PackageURL("pkg:maven/com.google.summit/summit-ast@2.2.0");
+        assertThrows(ValidationException.class, () -> purl.uriDecode("%"));
+        assertThrows(ValidationException.class, () -> purl.uriDecode("%0"));
+        assertThrows(ValidationException.class, () -> purl.uriDecode("aaaa%0%"));
+    }
+
     @Test
     void constructorParsing() throws Exception {
         for (int i = 0; i < json.length(); i++) {
