Add method to perform URL decoding

Author: drighetto

src/main/java/eu/righettod/SecurityUtils.java

@@ -48,6 +48,7 @@
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
+import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.security.MessageDigest;
@@ -1076,11 +1077,7 @@ public static boolean isPSD2StetSafeCertificateURL(String certificateUrl) {
                         //- Trigger the malicious action that the attacker want but with a HTTP HEAD without any redirect and parameters.
                         HttpResponse<String> response;
                         try (HttpClient client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NEVER).build()) {
-                            HttpRequest request = HttpRequest.newBuilder()
-                                    .uri(uri)
-                                    .timeout(Duration.ofSeconds(connectionTimeoutInSeconds))
-                                    .method("HEAD", HttpRequest.BodyPublishers.noBody())
-                                    .header("User-Agent", userAgent)//To provide an hint to the target about the initiator of the request
+                            HttpRequest request = HttpRequest.newBuilder().uri(uri).timeout(Duration.ofSeconds(connectionTimeoutInSeconds)).method("HEAD", HttpRequest.BodyPublishers.noBody()).header("User-Agent", userAgent)//To provide an hint to the target about the initiator of the request
                                     .header("Cache-Control", "no-store, max-age=0")//To prevent caching issues or abuses
                                     .build();
                             response = client.send(request, HttpResponse.BodyHandlers.ofString());
@@ -1099,5 +1096,39 @@ public static boolean isPSD2StetSafeCertificateURL(String certificateUrl) {
         return isValid;
     }
 
-
+    /**
+     * Perform sequential URL decoding operations against a URL encoded data until the data is not URL encoded anymore or if the specified threshold is reached.
+     *
+     * @param encodedData            URL encoded data.
+     * @param decodingRoundThreshold Threshold above which decoding will fail.
+     * @return The decoded data.
+     * @throws SecurityException If the threshold is reached.
+     * @see "https://en.wikipedia.org/wiki/Percent-encoding"
+     * @see "https://owasp.org/www-community/Double_Encoding"
+     * @see "https://portswigger.net/web-security/essential-skills/obfuscating-attacks-using-encodings"
+     * @see "https://capec.mitre.org/data/definitions/120.html"
+     */
+    public static String applyURLDecoding(String encodedData, int decodingRoundThreshold) throws SecurityException {
+        if (decodingRoundThreshold < 1) {
+            throw new IllegalArgumentException("Threshold must be a positive number !");
+        }
+        if (encodedData == null) {
+            throw new IllegalArgumentException("Data provided must not be null !");
+        }
+        Charset charset = StandardCharsets.UTF_8;
+        int currentDecodingRound = 0;
+        boolean isFinished = false;
+        String currentRoundData = encodedData;
+        String previousRoundData = encodedData;
+        while (!isFinished) {
+            if (currentDecodingRound > decodingRoundThreshold) {
+                throw new SecurityException(String.format("Decoding round threshold of %s reached!", decodingRoundThreshold));
+            }
+            currentRoundData = URLDecoder.decode(currentRoundData, charset);
+            isFinished = currentRoundData.equals(previousRoundData);
+            previousRoundData = currentRoundData;
+            currentDecodingRound++;
+        }
+        return currentRoundData;
+    }
 }

src/test/java/eu/righettod/TestSecurityUtils.java

@@ -505,5 +505,29 @@ public void isPSD2StetSafeCertificateURL() {
         String validUrl = "https://raw.githubusercontent.com/righettod/code-snippets-security-utils/main/src/test/resources/myQsealCertificate_873dddcc49456290e2315cf3335b650715751fecdebf517e73b8642696ecc406";
         assertTrue(SecurityUtils.isPSD2StetSafeCertificateURL(validUrl), String.format(templateMsgIPFalsePositive, validUrl));
     }
+
+    @Test
+    public void applyURLDecoding() {
+        final String refDecodedData = "Hello World!!!";
+        //Key is the decoding threshold and value is the URL encoded value (threshold times)
+        final Map<Integer, String> testData = new HashMap<>();
+        testData.put(1, "Hello%20World%21%21%21");
+        testData.put(2, "Hello%2520World%2521%2521%2521");
+        testData.put(3, "Hello%252520World%252521%252521%252521");
+        testData.put(4, "Hello%25252520World%25252521%25252521%25252521");
+        testData.put(5, "Hello%2525252520World%2525252521%2525252521%2525252521");
+        testData.put(6, "Hello%252525252520World%252525252521%252525252521%252525252521");
+        //Test valid cases
+        testData.forEach((threshold, encodedData) -> {
+            assertEquals(refDecodedData, SecurityUtils.applyURLDecoding(encodedData, threshold));
+        });
+        //Test invalid cases
+        SecurityException thrown = assertThrows(
+                SecurityException.class,
+                () -> SecurityUtils.applyURLDecoding(testData.get(6), 3),
+                "SecurityException expected!"
+        );
+        assertTrue(thrown.getMessage().equalsIgnoreCase("Decoding round threshold of 3 reached!"));
+    }
 }