Ignore casing in AvatarContributor#extractDomainFromUrl (#23865)

strangelookingnerd · web-flow · commit d5ecddb4d4e4 · 2025-12-01T16:50:09.000-07:00
* Ignore casing in AvatarContributor#extractDomainFromUrl

* Extend test to check for correct handling of duplicates
diff --git a/core/src/main/java/jenkins/security/csp/AvatarContributor.java b/core/src/main/java/jenkins/security/csp/AvatarContributor.java
@@ -29,6 +29,7 @@
 import hudson.ExtensionList;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.util.Locale;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Level;
@@ -106,9 +107,10 @@ public static String extractDomainFromUrl(@CheckForNull String url) {
                 LOGGER.log(Level.FINER, "Ignoring URI without host: " + url);
                 return null;
             }
-            String domain = host;
-            final String scheme = uri.getScheme();
+            String domain = host.toLowerCase(Locale.ROOT);
+            String scheme = uri.getScheme();
             if (scheme != null) {
+                scheme = scheme.toLowerCase(Locale.ROOT);
                 if (scheme.equals("http") || scheme.equals("https")) {
                     domain = scheme + "://" + domain;
                 } else {
diff --git a/core/src/test/java/jenkins/security/csp/AvatarContributorTest.java b/core/src/test/java/jenkins/security/csp/AvatarContributorTest.java
@@ -80,4 +80,9 @@ void testExtractDomainFromUrl_Ipv4Address() {
     void testExtractDomainFromUrl_Ipv4WithPort() {
         assertThat(extractDomainFromUrl("https://192.168.1.1:8080/avatar.png"), is("https://192.168.1.1:8080"));
     }
+
+    @Test
+    void testExtractDomainFromUrl_CaseInsensitivity() {
+        assertThat(extractDomainFromUrl("hTTps://EXAMPLE.com/path/to/avatar.png"), is("https://example.com"));
+    }
 }
diff --git a/test/src/test/java/jenkins/security/csp/AvatarContributorTest.java b/test/src/test/java/jenkins/security/csp/AvatarContributorTest.java
@@ -139,4 +139,15 @@ void testAllow_UnsupportedSchemeDoesNotAddToCsp(JenkinsRule j) {
         assertThat(loggerRule, recorded(Level.FINER, is("Ignoring URI with unsupported scheme: ftp://files.example.com/avatar.png")));
         assertThat(loggerRule, recorded(Level.FINER, is("Ignoring URI without host: data:image/png;base64,iVBORw0KG...")));
     }
+
+    @Test
+    void testAllow_CaseInsensitivity(JenkinsRule j) {
+        LoggerRule loggerRule = new LoggerRule().record(AvatarContributor.class, Level.FINEST).capture(100);
+        AvatarContributor.allow("hTTps://AVATARS.example.com/user/avatar.png");
+        AvatarContributor.allow("HttPS://avatars.EXAMPLE.com/user/avatar.png");
+        String csp = new CspBuilder().withDefaultContributions().build();
+        assertThat(csp, is("base-uri 'none'; default-src 'self'; form-action 'self'; frame-ancestors 'self'; img-src 'self' data: https://avatars.example.com; script-src 'report-sample' 'self'; style-src 'report-sample' 'self' 'unsafe-inline';"));
+        assertThat(loggerRule, recorded(Level.CONFIG, is("Adding domain 'https://avatars.example.com' from avatar URL: hTTps://AVATARS.example.com/user/avatar.png")));
+        assertThat(loggerRule, recorded(Level.FINEST, is("Skipped adding duplicate domain 'https://avatars.example.com' from avatar URL: HttPS://avatars.EXAMPLE.com/user/avatar.png")));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -80,4 +80,9 @@ void testExtractDomainFromUrl_Ipv4Address() {`
`80`	`80`	`void testExtractDomainFromUrl_Ipv4WithPort() {`
`81`	`81`	`assertThat(extractDomainFromUrl("https://192.168.1.1:8080/avatar.png"), is("https://192.168.1.1:8080"));`
`82`	`82`	`}`
	`83`	`+`
	`84`	`+ @Test`
	`85`	`+ void testExtractDomainFromUrl_CaseInsensitivity() {`
	`86`	`+ assertThat(extractDomainFromUrl("hTTps://EXAMPLE.com/path/to/avatar.png"), is("https://example.com"));`
	`87`	`+ }`
`83`	`88`	`}`