public void doFilter()

in aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/filters/UrlPathValidator.java [74:103]


    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Gate in front of the rest of the chain: a request is answered through setErrorResponse and goes no
        // further when its path is missing, does not parse as a URI, or trips the ".." heuristic below.
        // Everything else is handed to filterChain.doFilter with the same request and response objects.

        // getPathInfo on AwsProxyHttpServletRequest returns the request path with the correct base path stripped
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        String requestPath = httpRequest.getPathInfo();
        if (requestPath == null) {
            setErrorResponse(servletResponse);
            return;
        }

        // Syntax is checked by the java.net.URI parser rather than a path-pattern regex, so that a crafted
        // path cannot cause a ReDoS. The parsed URI is discarded; only success or failure matters.
        try {
            new URI(requestPath);
        } catch (URISyntaxException e) {
            // URISyntaxException's message embeds the rejected input, so this log entry carries
            // request-controlled text. NOTE(review): confirm the log appender neutralizes control characters.
            log.error("Invalid uri path in doFilter", e);
            setErrorResponse(servletResponse);
            return;
        }

        // Heuristic borrowed from the Apache UrlValidator, copied in rather than pulling in the Apache library
        // so the final Lambda function package stays small:
        // https://github.com/apache/commons-validator/blob/trunk/src/main/java/org/apache/commons/validator/UrlValidator.java
        //
        // This compares occurrence counts; it does not canonicalize the path. Code further down the chain that
        // maps the path onto files or other resources still has to normalize and confine it.
        // NOTE(review): whether requestPath is percent-decoded at this point is not visible here; if it is not,
        // encoded dot segments are not counted by this check - confirm against getPathInfo.
        // NOTE(review): countStrings presumably returns the number of occurrences of its first argument in its
        // second - confirm how overlapping matches are counted.
        int singleSlashes = countStrings("/", requestPath);
        int dotDots = countStrings("..", requestPath);
        int doubleSlashes = countStrings("//", requestPath);

        // Slashes left once the "//" occurrences and one more slash are discounted.
        int slashBudget = singleSlashes - doubleSlashes - 1;
        boolean tooManyDotDots = dotDots > 0 && slashBudget <= dotDots;

        if (tooManyDotDots) {
            // This rejection is not logged, unlike the URI syntax failure above.
            setErrorResponse(servletResponse);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }