Graph::put does not allow double slashes in request URIs

namedgraph · namedgraph · commit 8714801fbac8 · 2025-03-31T17:06:18.000+02:00
Added HTTP test for that as well
diff --git a/http-tests/document-hierarchy/PUT-double-slash-uri-400.sh b/http-tests/document-hierarchy/PUT-double-slash-uri-400.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
+# creating new document fails because URIs with double slashes are not allowed
+
+item="${END_USER_BASE_URL}new-item//"
+
+(
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -X PUT \
+  -H "Accept: application/n-triples" \
+  -H "Content-Type: application/n-triples" \
+  --data-binary @- \
+  "$item" <<EOF
+<http://example.com/named-subject-put> <http://example.com/default-predicate> "named object PUT" .
+<http://example.com/named-subject-put> <http://example.com/another-predicate> "another named object PUT" .
+EOF
+) \
+| grep -q "$STATUS_BAD_REQUEST"
diff --git a/src/main/java/com/atomgraph/linkeddatahub/resource/Graph.java b/src/main/java/com/atomgraph/linkeddatahub/resource/Graph.java
@@ -218,12 +218,17 @@ public Response put(Model model, @QueryParam("default") @DefaultValue("false") B
         {
             String uriWithSlash = getURI().toString() + "/";
 
-            if (log.isDebugEnabled()) log.debug("Redirecting document URI <> to <{}> in order to enforce trailing a slash", getURI(), uriWithSlash);
+            if (log.isDebugEnabled()) log.debug("Redirecting document URI <{}> to <{}> in order to enforce trailing a slash", getURI(), uriWithSlash);
 
             return Response.status(PERMANENT_REDIRECT).
                 location(URI.create(uriWithSlash)).
                 build();
         }
+        if (getURI().getPath().contains("//"))
+        {
+            if (log.isDebugEnabled()) log.debug("Rejected document URI <{}> - double slashes are not allowed", getURI());
+            throw new BadRequestException("Double slashes not allowed in document URIs");
+        }
         
         new Skolemizer(getURI().toString()).apply(model);
         Model existingModel = null;
