From ff96849132fc97dc4fc5154dd5060e761f6b2af0 Mon Sep 17 00:00:00 2001 From: Daniel Kec Date: Wed, 11 Oct 2023 16:47:45 +0200 Subject: [PATCH] 7701 Empty path --- .../java/io/helidon/http/DirectHandler.java | 2 +- .../src/test/resources/logging.properties | 24 ++++++ .../junit5/HelidonServerJunitExtension.java | 6 +- .../io/helidon/webserver/tests/PathTest.java | 80 +++++++++++++++++++ .../webserver/http1/Http1Prologue.java | 3 + 5 files changed, 111 insertions(+), 4 deletions(-) create mode 100644 microprofile/server/src/test/resources/logging.properties create mode 100644 webserver/tests/webserver/src/test/java/io/helidon/webserver/tests/PathTest.java diff --git a/http/http/src/main/java/io/helidon/http/DirectHandler.java b/http/http/src/main/java/io/helidon/http/DirectHandler.java index a7a38e6506f..5ad6aaba1ef 100644 --- a/http/http/src/main/java/io/helidon/http/DirectHandler.java +++ b/http/http/src/main/java/io/helidon/http/DirectHandler.java @@ -89,7 +89,7 @@ default TransportResponse handle(TransportRequest request, return handle(request, eventType, defaultStatus, responseHeaders, thrown.getMessage()); } else { if (logger != null) { - logger.log(Level.ERROR, thrown); + logger.log(Level.DEBUG, thrown); } return handle(request, eventType, defaultStatus, responseHeaders, "Bad request, see server log for more information"); diff --git a/microprofile/server/src/test/resources/logging.properties b/microprofile/server/src/test/resources/logging.properties new file mode 100644 index 00000000000..36985b88de5 --- /dev/null +++ b/microprofile/server/src/test/resources/logging.properties 
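Review bot: The `logger.log(Level.DEBUG, thrown)` call in the else branch of `DirectHandler.handle` now sits next to a client-facing message, "Bad request, see server log for more information", that a default-level log configuration will presumably no longer back up. Lowering the level is a sensible way to stop any client that sends a malformed request from filling the error log with stack traces, but it also removes the operator's default signal that such requests are arriving. Record the intent above the call, for example `// DEBUG on purpose: this path is client-triggerable; enable DEBUG to see the cause`, and consider a one-line message without the stack trace at a higher level. The method body begins and ends outside the hunk.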
@@ -0,0 +1,24 @@ +# +# Copyright (c) 2023 Oracle and/or its affiliates. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +handlers = java.util.logging.ConsoleHandler + +java.util.logging.ConsoleHandler.level = FINEST +java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter +java.util.logging.SimpleFormatter.format = [%1$tc] %4$s: %2$s - %5$s %6$s%n + +.level = INFO +io.helidon.config.level = FINEST diff --git a/webserver/testing/junit5/junit5/src/main/java/io/helidon/webserver/testing/junit5/HelidonServerJunitExtension.java b/webserver/testing/junit5/junit5/src/main/java/io/helidon/webserver/testing/junit5/HelidonServerJunitExtension.java index 9d3062eaf72..77d927ff185 100644 --- a/webserver/testing/junit5/junit5/src/main/java/io/helidon/webserver/testing/junit5/HelidonServerJunitExtension.java +++ b/webserver/testing/junit5/junit5/src/main/java/io/helidon/webserver/testing/junit5/HelidonServerJunitExtension.java @@ -89,13 +89,13 @@ public void beforeAll(ExtensionContext context) { extensions.forEach(it -> it.beforeAll(context)); extensions.forEach(it -> it.updateServerBuilder(builder)); - setupServer(builder); - addRouting(builder); - // port will be random builder.port(0) .shutdownHook(false); + setupServer(builder); + addRouting(builder); + server = builder.build().start(); if (server.hasTls()) { uris.put(DEFAULT_SOCKET_NAME, URI.create("https://localhost:" + server.port() + "/")); 
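Review bot: The comment `// port will be random` in `beforeAll` no longer describes a guarantee, because `setupServer(builder)` and `addRouting(builder)` now run after `builder.port(0).shutdownHook(false)` and can presumably overwrite both settings. If letting tests override them is the intent, the comment should say so, for example `// defaults only: random port, no shutdown hook; setupServer/addRouting may override`. The body of `beforeAll` continues outside the hunk, so what those two methods actually change on the builder is not visible here.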
diff --git a/webserver/tests/webserver/src/test/java/io/helidon/webserver/tests/PathTest.java b/webserver/tests/webserver/src/test/java/io/helidon/webserver/tests/PathTest.java
new file mode 100644
index 00000000000..8e4d3938097
--- /dev/null
+++ b/webserver/tests/webserver/src/test/java/io/helidon/webserver/tests/PathTest.java
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2023 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.webserver.tests;
+
+import java.io.IOException;
+import java.net.URI;
+
+import io.helidon.common.testing.http.junit5.SocketHttpClient;
+import io.helidon.webserver.testing.junit5.ServerTest;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.startsWith;
+
+@ServerTest
+class PathTest {
+
+ private final SocketHttpClient client;
+ private final URI uri;
+
+ public PathTest(SocketHttpClient client, URI uri) {
+ this.client = client;
+ this.uri = uri;
+ }
+
+ /**
+ * RFC 7230 5.3.1. origin-form
+ *
+ * If the target URI's path component is
+ * empty, the client MUST send "/" as the path within the origin-form of
+ * request-target.
+ */
+ @Test
+ void emptyPath() throws Exception {
+ String received = client
+ .manualRequest(
+ """
+ GET HTTP/1.1
+ Host: localhost:%d
+ Accept: */*
+ Connection: keep-alive
+
+ """, uri.getPort())
+ .receive();
+ assertThat(received, startsWith("HTTP/1.1 400 Bad Request"));
+ }
+
+ @ParameterizedTest(name = "{index} GET {0} HTTP/1.1")
+ @ValueSource(strings = {"\r", "\t", "\t\t\t", "<", " "})
+ void illegalPath(String param) throws IOException {
+ String received = client
+ .manualRequest(
+ """
+ GET %s HTTP/1.1
+ Host: localhost:%d
+ Accept: */*
+ Connection: keep-alive
+
+ """, param, uri.getPort())
+ .receive();
+ assertThat(received, startsWith("HTTP/1.1 400 Bad Request"));
+ }
+}
diff --git a/webserver/webserver/src/main/java/io/helidon/webserver/http1/Http1Prologue.java b/webserver/webserver/src/main/java/io/helidon/webserver/http1/Http1Prologue.java
index ecf9c8e8460..8ad76e03c1d 100644
--- a/webserver/webserver/src/main/java/io/helidon/webserver/http1/Http1Prologue.java
+++ b/webserver/webserver/src/main/java/io/helidon/webserver/http1/Http1Prologue.java
@@ -131,6 +131,9 @@ private HttpPrologue doRead() {
 if (eol == maxLen) {
 throw badRequest("Prologue size exceeded", method.text(), path, "", "");
 }
+ if (path.isBlank()) {
+ throw badRequest("Path can't be empty", method.text(), path, "", "");
+ }
 protocol = reader.readAsciiString(eol);
 reader.skip(2); // \r\n
 } catch (DataReader.IncorrectNewLineException e) {
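Review bot: Both `emptyPath` and `illegalPath` send `Connection: keep-alive` but assert only that `received` starts with `HTTP/1.1 400 Bad Request`, so nothing pins what the server does with the connection after rejecting the request line. After a malformed prologue the safer behaviour is to close the connection instead of parsing the remaining bytes as a next request. An extra assertion on that (for example, that the response announces the connection is being closed) would guard against a desynchronisation regression. `illegalPath` also has no Javadoc while `emptyPath` does; one line such as `/** A request-target that is only whitespace, or contains a character not allowed in a path, must be answered with 400. */` would state the contract. The `" "` case appears to exercise the same blank-target condition as `emptyPath`.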
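Review bot: The new `path.isBlank()` guard in `doRead` carries no comment naming the rule it enforces, and its message says "empty" although `isBlank()` also rejects targets made only of spaces or tabs. I would add `// RFC 7230 5.3.1: origin-form request-target must not be empty; reject before reading the protocol` above the check and word the message as `"Path can't be empty or blank"`. `doRead` begins and ends outside the hunk, so how `path` is read is not visible here. The same goes for whether the `\r` and `<` cases in `PathTest` are rejected by this check or by validation elsewhere; it would help to confirm which code path produces the 400 for each.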