@mathias82
Motivation

Developers often assume that HttpServerRequest#path() returns a normalized
version of the request path. However, this value reflects the raw path sent
by the client and may contain repeated separators or path traversal markers
(e.g. // or ..). This misunderstanding can lead to incorrect or unsafe
path-based logic, especially when working with Vert.x Web routing.

What this PR does

This PR updates the Vert.x Core HTTP documentation to:

  • state clearly that HttpServerRequest#path() returns the raw path
  • highlight the presence of non-normalized values such as // or ..
  • provide guidance that security-sensitive checks and route comparisons
    should use RoutingContext#normalizedPath() when running under Vert.x Web
  • ensure consistency with the updated Vert.x Web documentation

Why this matters

Vert.x Web performs canonicalization before matching routes. Using the raw
path for authorization, auditing, or routing decisions may produce unexpected
results or introduce subtle bugs.

By documenting this distinction in Vert.x Core, this PR aligns expectations
and prevents misuse of HttpServerRequest#path() in scenarios where a
normalized path is required.

Related work


This PR contains documentation-only changes.
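The distinction the PR documents, shown as an added example (not code from the PR or from Vert.x itself) written against the Vert.x 4 Web API: the raw-path check is kept only to show the unsafe form, the guard uses the canonicalized path the router matches on, and it assumes an authentication handler earlier in the chain populates ctx.user() (null means unauthenticated).

```java
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;

public class NormalizedPathGuard {

  // Unsafe form: decides on the raw path. For a request line of
  // "GET /public/../admin/secret", request.path() does not start with
  // "/admin", so this returns false, while Vert.x Web still dispatches the
  // request to the /admin/* route after canonicalization.
  static boolean isAdminPathRaw(HttpServerRequest request) {
    return request.path().startsWith("/admin");
  }

  // Safe form: decides on the same canonicalized path the router matches on.
  static boolean isAdminPathNormalized(RoutingContext ctx) {
    return ctx.normalizedPath().startsWith("/admin");
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    Router router = Router.router(vertx);

    // Guard installed ahead of every route. Assumption: an authentication
    // handler registered before it sets ctx.user() for logged-in clients.
    router.route().handler(ctx -> {
      String raw = ctx.request().path();
      String normalized = ctx.normalizedPath();
      if (!raw.equals(normalized)) {
        // Audit point: a raw/normalized mismatch is exactly the case where
        // a raw-path check and the router's own matching would disagree.
        System.out.println("path mismatch raw=" + raw + " normalized=" + normalized);
      }
      if (isAdminPathNormalized(ctx) && ctx.user() == null) {
        ctx.response().setStatusCode(401).end();
        return;
      }
      ctx.next();
    });

    router.get("/admin/secret").handler(ctx -> ctx.response().end("admin only"));
    router.get("/public/info").handler(ctx -> ctx.response().end("public"));

    vertx.createHttpServer().requestHandler(router).listen(8080);
  }
}
```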

@mathias82 mathias82 force-pushed the docs-normalized-path-guidance branch 2 times, most recently from d7f59da to 8999656 on November 28, 2025 20:42
@vietj vietj left a comment

I think we should also add such information in the javadoc itself of HttpServerRequest

@mathias82 mathias82 force-pushed the docs-normalized-path-guidance branch from d437b35 to 07e37c8 on November 28, 2025 23:58
Signed-off-by: MatthaiosStavrou <m_stauroy@hotmail.com>
@mathias82 mathias82 force-pushed the docs-normalized-path-guidance branch from baed12c to 3e832b9 on November 29, 2025 00:07
mathias82 commented Nov 29, 2025

I think we should also add such information in the javadoc itself of HttpServerRequest

@vietj Added a Javadoc note to path() explaining that it returns the raw request path (not normalized) and should not be used directly for security-sensitive logic. No functional changes.

@vietj vietj added this to the 5.1.0 milestone Dec 1, 2025
@mathias82 mathias82 requested a review from vietj December 25, 2025 20:17