
Add Improvement #14187

Open

e19166 wants to merge 3 commits into wso2:master from e19166:master

Conversation

@e19166 (Contributor) commented May 6, 2026

Add improvement

coderabbitai Bot (Contributor) commented May 6, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7fe1f4e1-1ea7-4a5c-8dd0-0a1e11e15a54

📥 Commits

Reviewing files that changed from the base of the PR and between 8227e58 and 84fcc7b.

📒 Files selected for processing (2)
  • all-in-one-apim/modules/distribution/product/src/main/extensions/basicauth.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp
🚧 Files skipped from review as they are similar to previous changes (2)
  • all-in-one-apim/modules/distribution/product/src/main/extensions/basicauth.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp

📝 Walkthrough

Two product modules update their getRegistrationUrl helper function to construct full registration URLs from endpoint, parameters, and callback components, then apply JavaScript-attribute encoding to the entire string instead of only HTML-attribute escaping the callback portion.

Changes: Registration URL helper encoding

Layer: URL encoding method update
File(s): all-in-one-apim/modules/distribution/product/src/main/extensions/basicauth.jsp, api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp
Summary: Both modules update getRegistrationUrl to build rawUrl from endpoint, parameters, and callback, then return Encode.forJavaScriptAttribute(rawUrl) instead of embedding Encode.forHtmlAttribute() for the callback.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 inconclusive)

  • Title check: ❓ Inconclusive. The title 'Add Improvement' is vague and non-descriptive, failing to convey the actual change of encoding the registration URL for JavaScript safety. Resolution: use a more specific title that describes the actual change, such as 'Encode registration URL for JavaScript context in basicauth.jsp'.
  • Description check: ❓ Inconclusive. The description 'Add improvement' is extremely vague and generic, providing no meaningful information about what was changed or why. Resolution: provide a detailed description explaining the security improvement: encoding the full registration URL for safe JavaScript embedding.

✅ Passed checks (3 passed)

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp (1)

542-542: ⚡ Quick win

Redundant StringEscapeUtils.escapeHtml4() around a JS-encoded value

The return value of getRegistrationUrl is now Encode.forJavaScript(rawUrl). Encode.forJavaScript is already "safe for use in HTML script attributes (such as onclick)" and "the caller MUST provide the surrounding quotation characters." Wrapping the result in StringEscapeUtils.escapeHtml4() adds a redundant HTML-encoding pass. It doesn't corrupt the output in practice (since forJavaScript already encodes <, >, & as \uXXXX), but it creates a misleading layered-encoding pattern that suggests the JS-encoded value is not already safe for the HTML onclick attribute context.

Per the OWASP example: <button onclick="alert('<%=Encode.forJavaScript(data)%>');"> — no additional HTML escaping is needed.

🔧 Proposed fix
-onclick="window.location.href='<%=StringEscapeUtils.escapeHtml4(getRegistrationUrl(accountRegistrationEndpointURL, urlEncodedURL, urlParameters))%>';"
+onclick="window.location.href='<%=getRegistrationUrl(accountRegistrationEndpointURL, urlEncodedURL, urlParameters)%>';"
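Review bot: dropping the StringEscapeUtils.escapeHtml4() wrapper at line 542 is only correct if getRegistrationUrl keeps returning a value encoded for a JavaScript string context, and this comment and the inline comment for lines 588-593 disagree on which encoder that is: this one quotes the OWASP documentation saying Encode.forJavaScript is safe in onclick, the inline one asks for Encode.forJavaScriptAttribute instead. Land the call-site change and the encoder change in the same commit rather than one without the other, and keep the surrounding onclick="window.location.href='...'" quotes exactly as on the + line, since, as quoted above, the encoder expects the caller to supply them.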
🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp` at line 542: the onclick attribute is double-encoding a JS-safe value. Remove the redundant StringEscapeUtils.escapeHtml4() wrapper around the getRegistrationUrl(...) call (which now returns Encode.forJavaScript(rawUrl)) and output the getRegistrationUrl result directly inside the existing surrounding quotes so the JS-encoded string is used as-is; locate the call to StringEscapeUtils.escapeHtml4(getRegistrationUrl(accountRegistrationEndpointURL, urlEncodedURL, urlParameters)) in the onclick attribute and replace it with the direct getRegistrationUrl(...) result while keeping the surrounding onclick="... '...' ..." quotation characters intact.
🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In `@api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp`:
- Around lines 588-593: the code incorrectly applies Encode.forHtmlAttribute to urlEncodedURL inside getRegistrationUrl; remove that intermediate HTML encoding so urlEncodedURL (which is already percent-encoded via URLEncoder.encode(...)) is concatenated directly into rawUrl, and keep a single Encode.forJavaScript(rawUrl) at the end. Specifically, update getRegistrationUrl to stop calling Encode.forHtmlAttribute(urlEncodedURL) and use urlEncodedURL as-is when building rawUrl before returning Encode.forJavaScript(rawUrl).
- Around lines 588-593: the getRegistrationUrl method currently returns Encode.forJavaScript(rawUrl), which is unsafe for use inside an onclick attribute; change the encoding to Encode.forJavaScriptAttribute(rawUrl) so the value is safely encoded for the JavaScript attribute context (update the return in getRegistrationUrl and remove any extra HTML-escaping wrappers at call sites, such as in basicauth.jsp, that were compensating incorrectly); ensure the method signature getRegistrationUrl(...) still builds rawUrl the same way and only the final Encode.* call is replaced with Encode.forJavaScriptAttribute.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 80c0034f-5b40-4153-bfd7-727aaccc58a8

📥 Commits

Reviewing files that changed from the base of the PR and between e6ccd20 and 4648502.

📒 Files selected for processing (2)
  • all-in-one-apim/modules/distribution/product/src/main/extensions/basicauth.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp

coderabbitai Bot previously approved these changes May 7, 2026
DDH13 previously approved these changes May 7, 2026

coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
all-in-one-apim/modules/distribution/product/src/main/extensions/login.jsp (1)

547-554: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

domain is appended to the URL without encodeURIComponent().

The raw text-field value is concatenated directly into the redirect URL. A user who types e.g. corp.example.com&sessionDataKey=attacker_key will inject an extra query parameter, potentially overriding sessionDataKey or other sensitive params. Since this PR is already hardening the call-site arguments on this exact code path, encoding domain here is the natural completion of that work.

🛡️ Proposed fix
     if (domain != "") {
         document.location = "<%=commonauthURL%>?idp=" + key + "&authenticator=" + value +
-                "&sessionDataKey=<%=Encode.forUriComponent(request.getParameter("sessionDataKey"))%>&domain=" +
-                domain;
+                "&sessionDataKey=<%=Encode.forUriComponent(request.getParameter("sessionDataKey"))%>&domain=" +
+                encodeURIComponent(domain);
     }
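Review bot: encodeURIComponent(domain) on the + line closes the parameter injection described above, but key and value on the unchanged line two above are concatenated into the same query string just as raw; unless both are server-supplied constants they need the same treatment, and the prompt text below already notes that the else branch setting document.location must be updated in step so both paths encode every user-controlled piece. Minor: `domain != ""` is a loose comparison; `!==` is the idiomatic form here.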
🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@all-in-one-apim/modules/distribution/product/src/main/extensions/login.jsp` around lines 547-554: the redirect builds document.location in login.jsp by concatenating domain directly into the query string (when setting document.location = "<%=commonauthURL%>?...&domain=" + domain). Fix it by applying JavaScript encoding to the domain value (use encodeURIComponent(domain)) before concatenation so the domain cannot inject extra query parameters; update both branches that set document.location (the branch that appends &domain= and the else branch if relevant) so all user-controlled pieces are encoded similarly, keeping commonauthURL and existing Encode.forUriComponent usage unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8367ad1a-b039-4de6-b840-43800e854b7d

📥 Commits

Reviewing files that changed from the base of the PR and between 16be4a3 and c6e4bd2.

📒 Files selected for processing (1)
  • all-in-one-apim/modules/distribution/product/src/main/extensions/login.jsp
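The query-parameter injection described in the outside-diff comment above, as an added example that is not part of the PR or of the WSO2 code: it rebuilds the login.jsp redirect string in both the raw and the encodeURIComponent() form and parses the result to show where the duplicated sessionDataKey comes from. commonauthURL, the session key value, and the idp/authenticator values are constructed stand-ins for what the JSP renders server-side.

```javascript
// Added example, not code from the PR or from WSO2: reproduces the login.jsp
// redirect concatenation with and without encodeURIComponent() on `domain`.
// Constructed stand-ins for values the JSP renders server-side:
const commonauthURL = "https://idp.example.test/commonauth";
// stands in for Encode.forUriComponent(request.getParameter("sessionDataKey"))
const sessionDataKey = "legit-session-key";

// Pre-fix shape of the concatenation: `domain` (raw text-field value) appended as-is.
function buildRedirectRaw(domain, key, value) {
  return commonauthURL + "?idp=" + key + "&authenticator=" + value +
    "&sessionDataKey=" + encodeURIComponent(sessionDataKey) + "&domain=" + domain;
}

// Proposed fix: the user-controlled piece is percent-encoded, so `&` and `=`
// inside it can no longer start a new query parameter.
function buildRedirectEncoded(domain, key, value) {
  return commonauthURL + "?idp=" + key + "&authenticator=" + value +
    "&sessionDataKey=" + encodeURIComponent(sessionDataKey) +
    "&domain=" + encodeURIComponent(domain);
}

// Parse the query string the way a receiving endpoint sees it, keeping every
// occurrence of a name so duplicates (the injection symptom) stay visible.
function queryParams(url) {
  const params = {};
  for (const [name, value] of new URL(url).searchParams) {
    (params[name] = params[name] || []).push(value);
  }
  return params;
}

// Detection helper: a parameter the application only ever emits once that
// shows up twice in an outgoing URL is the signature of this injection.
function hasDuplicatedParam(url, name) {
  return new URL(url).searchParams.getAll(name).length > 1;
}

// Constructed input, taken from the review comment's own example value.
const hostileDomain = "corp.example.com&sessionDataKey=attacker_key";
console.log(queryParams(buildRedirectRaw(hostileDomain, "idp-1", "ExampleAuthenticator")));
// raw: sessionDataKey appears twice; which copy wins depends on the receiving parser
console.log(queryParams(buildRedirectEncoded(hostileDomain, "idp-1", "ExampleAuthenticator")));
// encoded: a single sessionDataKey, and domain round-trips as the full typed string
```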

coderabbitai Bot previously approved these changes May 8, 2026
codecov Bot commented May 8, 2026
Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 19.05%. Comparing base (c27808f) to head (7237e0c).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master   #14187      +/-   ##
============================================
+ Coverage     11.25%   19.05%   +7.80%     
- Complexity      827     1419     +592     
============================================
  Files           361      361              
  Lines         17719    17719              
  Branches       1897     1897              
============================================
+ Hits           1994     3377    +1383     
+ Misses        15691    14301    -1390     
- Partials         34       41       +7     
Flag integration_tests: coverage 19.05% <ø> (+7.80%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.


coderabbitai Bot previously approved these changes May 11, 2026