Fix url encoding for AuthToken generation

Author: nitzanj

cloudinary-core/src/main/java/com/cloudinary/AuthToken.java

@@ -7,6 +7,7 @@
 import javax.crypto.spec.SecretKeySpec;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
+import java.nio.charset.Charset;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.util.*;
@@ -31,6 +32,7 @@ public class AuthToken {
     private String acl;
     private long duration;
     private boolean isNullToken = false;
+    private static final Pattern UNSAFE_URL_CHARS_PATTERN = Pattern.compile("[ \"#%&'/:;<=>?@\\[\\\\\\]^`{|}~]");
 
     public AuthToken() {
     }
@@ -46,10 +48,10 @@ public AuthToken(String key) {
      */
     public AuthToken(Map options) {
         if (options != null) {
-            this.tokenName = ObjectUtils.asString( options.get("tokenName"), this.tokenName);
+            this.tokenName = ObjectUtils.asString(options.get("tokenName"), this.tokenName);
             this.key = (String) options.get("key");
             this.startTime = ObjectUtils.asLong(options.get("startTime"), 0L);
-            this.expiration = ObjectUtils.asLong(options.get("expiration"),0L);
+            this.expiration = ObjectUtils.asLong(options.get("expiration"), 0L);
             this.ip = (String) options.get("ip");
             this.acl = (String) options.get("acl");
             this.duration = ObjectUtils.asLong(options.get("duration"), 0L);
@@ -59,6 +61,7 @@ public AuthToken(Map options) {
 
     /**
      * Create a new AuthToken configuration overriding the default token name.
+     *
      * @param tokenName the name of the token. must be supported by the server.
      * @return this
      */
@@ -91,6 +94,7 @@ public AuthToken expiration(long expiration) {
 
     /**
      * Set the ip of the client
+     *
      * @param ip
      * @return this
      */
@@ -101,6 +105,7 @@ public AuthToken ip(String ip) {
 
     /**
      * Define an ACL for a cookie token
+     *
      * @param acl
      * @return this
      */
@@ -132,6 +137,7 @@ public String generate() {
 
     /**
      * Generate a URL token for the given URL.
+     *
      * @param url the URL to be authorized
      * @return a URL token
      */
@@ -168,32 +174,18 @@ public String generate(String url) {
 
     /**
      * Escape url using lowercase hex code
+     *
      * @param url a url string
      * @return escaped url
      */
     private String escapeToLower(String url) {
-        String escaped;
-        String encodedUrl = null;
-        try {
-            encodedUrl = URLEncoder.encode(url, "UTF-8");
-        } catch (UnsupportedEncodingException e) {
-            throw new RuntimeException("Cannot escape string.", e);
-        }
-        StringBuilder sb= new StringBuilder(encodedUrl);
-        String regex= "%..";
-        Pattern p = Pattern.compile(regex); // Create the pattern.
-        Matcher matcher = p.matcher(sb); // Create the matcher.
-        while (matcher.find()) {
-            String buf= sb.substring(matcher.start(), matcher.end()).toLowerCase();
-            sb.replace(matcher.start(), matcher.end(), buf);
-        }
-        escaped = sb.toString();
-        return escaped;
+        String encodedUrl = StringUtils.urlEncode(url, UNSAFE_URL_CHARS_PATTERN, Charset.forName("UTF-8"));
+        return encodedUrl;
     }
 
-
     /**
      * Create a copy of this AuthToken
+     *
      * @return a new AuthToken object
      */
     public AuthToken copy() {
@@ -209,11 +201,12 @@ public AuthToken copy() {
 
     /**
      * Merge this token with another, creating a new token. Other's members who are not <code>null</code> or <code>0</code> will override this object's members.
+     *
      * @param other the token to merge from
      * @return a new token
      */
     public AuthToken merge(AuthToken other) {
-        if(other.equals(NULL_AUTH_TOKEN)) {
+        if (other.equals(NULL_AUTH_TOKEN)) {
             // NULL_AUTH_TOKEN can't merge
             return other;
         }
@@ -250,24 +243,24 @@ private AuthToken setNull() {
 
     @Override
     public boolean equals(Object o) {
-        if(o instanceof AuthToken) {
+        if (o instanceof AuthToken) {
             AuthToken other = (AuthToken) o;
-            return  (isNullToken && other.isNullToken)  ||
+            return (isNullToken && other.isNullToken) ||
                     (key == null ? other.key == null : key.equals(other.key)) &&
-                    tokenName.equals(other.tokenName) &&
-                    startTime == other.startTime &&
-                    expiration == other.expiration &&
-                    duration == other.duration &&
-                    (ip == null ? other.ip == null : ip.equals(other.ip)) &&
-                    (acl == null ? other.acl == null : acl.equals(other.acl));
+                            tokenName.equals(other.tokenName) &&
+                            startTime == other.startTime &&
+                            expiration == other.expiration &&
+                            duration == other.duration &&
+                            (ip == null ? other.ip == null : ip.equals(other.ip)) &&
+                            (acl == null ? other.acl == null : acl.equals(other.acl));
         } else {
             return false;
         }
     }
 
     @Override
     public int hashCode() {
-        if(isNullToken) {
+        if (isNullToken) {
             return 0;
         } else {
             return Arrays.asList(tokenName, startTime, expiration, duration, ip, acl).hashCode();

cloudinary-core/src/main/java/com/cloudinary/utils/StringUtils.java

@@ -3,15 +3,19 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.charset.Charset;
 import java.util.Collection;
 import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 public class StringUtils {
     public static final String EMPTY = "";
 
     /**
      * Join a list of Strings
-     * @param list strings to join
+     *
+     * @param list      strings to join
      * @param separator the separator to insert between the strings
      * @return a string made of the strings in list separated by separator
      */
@@ -25,7 +29,8 @@ public static String join(List<String> list, String separator) {
 
     /**
      * Join a array of Strings
-     * @param array strings to join
+     *
+     * @param array     strings to join
      * @param separator the separator to insert between the strings
      * @return a string made of the strings in array separated by separator
      */
@@ -38,8 +43,9 @@ public static String join(Object[] array, String separator) {
 
     /**
      * Join a collection of Strings
+     *
      * @param collection strings to join
-     * @param separator the separator to insert between the strings
+     * @param separator  the separator to insert between the strings
      * @return a string made of the strings in collection separated by separator
      */
     public static String join(Collection<String> collection, String separator) {
@@ -51,10 +57,11 @@ public static String join(Collection<String> collection, String separator) {
 
     /**
      * Join a array of Strings from startIndex to endIndex
-     * @param array strings to join
-     * @param separator the separator to insert between the strings
+     *
+     * @param array      strings to join
+     * @param separator  the separator to insert between the strings
      * @param startIndex the string to start from
-     * @param endIndex the last string to join
+     * @param endIndex   the last string to join
      * @return a string made of the strings in array separated by separator
      */
     public static String join(final Object[] array, String separator, final int startIndex, final int endIndex) {
@@ -87,6 +94,7 @@ public static String join(final Object[] array, String separator, final int star
 
     /**
      * Convert an array of bytes to a string of hex values
+     *
      * @param bytes bytes to convert
      * @return a string of hex values.
      */
@@ -102,6 +110,7 @@ public static String encodeHexString(byte[] bytes) {
 
     /**
      * Convert a string of hex values to an array of bytes
+     *
      * @param s a string of two digit Hex numbers. The length of string to parse must be even.
      * @return bytes representation of the string
      */
@@ -125,14 +134,15 @@ public static byte[] hexStringToByteArray(String s) {
      *
      * @param input The String to escape
      * @return The escaped String
-     * @see HtmlEscape#escapeTextArea(String) 
+     * @see HtmlEscape#escapeTextArea(String)
      */
     public static String escapeHtml(String input) {
         return HtmlEscape.escapeTextArea(input);
     }
 
     /**
      * Verify that the input has non whitespace characters in it
+     *
      * @param input a String-like object
      * @return true if input has non whitespace characters in it
      */
@@ -143,6 +153,7 @@ public static boolean isNotBlank(Object input) {
 
     /**
      * Verify that the input has non whitespace characters in it
+     *
      * @param input a String
      * @return true if input has non whitespace characters in it
      */
@@ -152,6 +163,7 @@ public static boolean isNotBlank(String input) {
 
     /**
      * Verify that the input has no characters
+     *
      * @param input a string
      * @return true if input is null or has no characters
      */
@@ -161,7 +173,8 @@ public static boolean isEmpty(String input) {
 
     /**
      * Verify that the input is an empty string or contains only whitespace characters.<br>
-     *     see {@link Character#isWhitespace(char)}
+     * see {@link Character#isWhitespace(char)}
+     *
      * @param input a string
      * @return true if input is an empty string or contains only whitespace characters
      */
@@ -180,6 +193,7 @@ public static boolean isBlank(String input) {
 
     /**
      * Read the entire input stream in 1KB chunks
+     *
      * @param in input stream to read from
      * @return a String generated from the input stream
      * @throws IOException thrown by the input stream
@@ -198,4 +212,34 @@ public static boolean isRemoteUrl(String file) {
         return file.matches("ftp:.*|https?:.*|s3:.*|data:[^;]*;base64,([a-zA-Z0-9/+\n=]+)");
     }
 
+    /**
+     * Replaces the unsafe characters in url with url-encoded values.
+     * This is based on {@link java.net.URLEncoder#encode(String, String)}
+     * @param url The url to encode
+     * @param unsafe Regex pattern of unsafe caracters
+     * @param charset
+     * @return An encoded url string
+     */
+    public static String urlEncode(String url, Pattern unsafe, Charset charset) {
+        StringBuffer sb = new StringBuffer(url.length());
+        Matcher matcher = unsafe.matcher(url);
+        while (matcher.find()) {
+            String str = matcher.group(0);
+            byte[] bytes = str.getBytes(charset);
+            StringBuilder escaped = new StringBuilder(str.length() * 3);
+
+            for (byte aByte : bytes) {
+                escaped.append('%');
+                char ch = Character.forDigit((aByte >> 4) & 0xF, 16);
+                escaped.append(ch);
+                ch = Character.forDigit(aByte & 0xF, 16);
+                escaped.append(ch);
+            }
+
+            matcher.appendReplacement(sb, Matcher.quoteReplacement(escaped.toString().toLowerCase()));
+        }
+
+        matcher.appendTail(sb);
+        return sb.toString();
+    }
 }

cloudinary-core/src/test/java/com/cloudinary/AuthTokenTest.java

@@ -83,7 +83,7 @@ public void testAuthenticatedUrl() {
 
         message = "explicit authToken should override global setting";
         url = cloudinary.url().signed(true).authToken(new AuthToken(ALT_KEY).startTime(222222222).duration(100)).resourceType("image").type("authenticated").transformation(new Transformation().crop("scale").width(300)).generate("sample.jpg");
-        assertEquals(message,"http://test123-res.cloudinary.com/image/authenticated/c_scale,w_300/sample.jpg?__cld_token__=st=222222222~exp=222222322~hmac=7d276841d70c4ecbd0708275cd6a82e1f08e47838fbb0bceb2538e06ddfa3029", url);
+        assertEquals(message,"http://test123-res.cloudinary.com/image/authenticated/c_scale,w_300/sample.jpg?__cld_token__=st=222222222~exp=222222322~hmac=55cfe516530461213fe3b3606014533b1eca8ff60aeab79d1bb84c9322eebc1f", url);
 
         message = "should compute expiration as start time + duration";
         url = cloudinary.url().signed(true).authToken(new AuthToken().startTime(11111111).duration(300))