From 60ea5ad6d177de126fdd6426cdfacd9542836c7d Mon Sep 17 00:00:00 2001
From: Daniel Beck <1831569+daniel-beck@users.noreply.github.com>
Date: Fri, 8 Mar 2024 13:39:34 +0100
Subject: [PATCH] Further limit allowed characters in file path (#686)
* Further limit allowed characters in file path
* Apply suggestions from code review
Co-authored-by: Zbynek Konecny
---------
Co-authored-by: Daniel Beck
Co-authored-by: Zbynek Konecny
---
 .../jenkins/update_center/ArtifactoryRepositoryImpl.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/main/java/io/jenkins/update_center/ArtifactoryRepositoryImpl.java b/src/main/java/io/jenkins/update_center/ArtifactoryRepositoryImpl.java
index 60e3f1cab..e8bf057ab 100644
--- a/src/main/java/io/jenkins/update_center/ArtifactoryRepositoryImpl.java
+++ b/src/main/java/io/jenkins/update_center/ArtifactoryRepositoryImpl.java
@@ -79,7 +79,12 @@ protected Set listAllJenkinsWars(String groupId) throws IOE
 }
 private static boolean containsIllegalChars(String test) {
- return !test.chars().allMatch(c -> c >= 0x2B && c < 0x7B);
+ return !test.chars().allMatch(c ->
+ c >= '0' && c <= '9'
+ || c >= 'A' && c <= 'Z'
+ || c >= 'a' && c <= 'z'
+ || c == '+' || c == '-' || c == '.' || c == '/' || c == '_'
+ );
 }
 private static ArtifactCoordinates toGav(JsonFile f) {
@@ -87,7 +92,7 @@ private static ArtifactCoordinates toGav(JsonFile f) {
 String path = f.path;
 if (containsIllegalChars(fileName) || containsIllegalChars(path)) {
- LOGGER.log(Level.INFO, "Not only printable ascii: " + f.path + " / " + f.name);
+ LOGGER.log(Level.INFO, "Characters outside allowed set: " + f.path + " / " + f.name);
 return null;
 }
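Review bot: The new allowlist in `containsIllegalChars` constrains which characters may appear but not how the path is structured: since both `.` and `/` are accepted, a value containing a `..` segment or a leading `/` still passes, and an empty string passes too because `allMatch` on an empty stream returns true. Whether that matters depends on how `toGav` and its callers consume `path` and `name`, which is outside this hunk. If either value is ever resolved against a directory or a base URL, add a structural check beside this one, for example `if (path.isEmpty() || path.startsWith("/") || ("/" + path + "/").contains("/../")) return null;`. At minimum, state the limit on the method with `// Character allowlist only; does not reject "..", a leading "/" or empty input.`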
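Review bot: The rejected `f.path` and `f.name` are still concatenated verbatim into the INFO message in `toGav`, and by construction these are exactly the values that contain characters outside the allowed set, which may include CR/LF or terminal control sequences. Unless the configured log handler escapes them (not visible here), a crafted file name in the repository listing could forge or corrupt log lines. Neutralise the values before logging, e.g. `LOGGER.log(Level.INFO, "Characters outside allowed set: {0} / {1}", new Object[] { sanitize(f.path), sanitize(f.name) });`, where `sanitize` is a small new helper that replaces every character outside the allowlist with `?`. The body of `toGav` starts and ends outside this hunk.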