Merge branch 'FME-8434-sanitizer-fix' into FME-9687-integration

gthea · gthea · commit d63ae0b54ae3 · 2025-08-27T14:57:32.000-03:00
diff --git a/src/main/java/io/split/android/client/fallback/FallbacksSanitizerImpl.java b/src/main/java/io/split/android/client/fallback/FallbacksSanitizerImpl.java
@@ -4,6 +4,7 @@
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 import io.split.android.client.utils.logger.Logger;
 
@@ -15,6 +16,8 @@ class FallbacksSanitizerImpl implements FallbacksSanitizer {
 
     private static final int MAX_FLAG_NAME_LENGTH = 100;
     private static final int MAX_TREATMENT_LENGTH = 100;
+    private static final String TREATMENT_REGEXP = "^[0-9]+[.a-zA-Z0-9_-]*$|^[a-zA-Z]+[a-zA-Z0-9_-]*$";
+    private static final Pattern TREATMENT_PATTERN = Pattern.compile(TREATMENT_REGEXP);
 
     /**
      * Sanitizes the provided fallback configuration by applying validation rules.
@@ -93,6 +96,7 @@ private static boolean isValidTreatment(FallbackTreatment treatment) {
         if (treatment == null || treatment.getTreatment() == null) {
             return false;
         }
-        return treatment.getTreatment().length() <= MAX_TREATMENT_LENGTH;
+        String value = treatment.getTreatment();
+        return value.length() <= MAX_TREATMENT_LENGTH && TREATMENT_PATTERN.matcher(value).matches();
     }
 }
diff --git a/src/test/java/io/split/android/client/fallback/FallbacksSanitizerImplTest.java b/src/test/java/io/split/android/client/fallback/FallbacksSanitizerImplTest.java
@@ -2,6 +2,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -59,4 +60,63 @@ public void dropsInvalidGlobalTreatment() {
         assertNull(sanitized.getGlobal());
         assertEquals(0, sanitized.getByFlag().size());
     }
+
+    @Test
+    public void byFlagTreatmentIsDroppedWhenInvalidFormat() {
+        Map<String, FallbackTreatment> byFlag = new HashMap<>();
+        byFlag.put(VALID_FLAG, new FallbackTreatment("on.off"));
+        byFlag.put("valid_num_dot", new FallbackTreatment("123.on"));
+        byFlag.put("null_treatment", new FallbackTreatment(null));
+
+        FallbackConfiguration config = FallbackConfiguration.builder()
+                .global(null)
+                .byFlag(byFlag)
+                .build();
+
+        FallbackConfiguration sanitized = mSanitizer.sanitize(config);
+
+        // Only the valid one should remain
+        assertEquals(1, sanitized.getByFlag().size());
+        assertEquals("123.on", sanitized.getByFlag().get("valid_num_dot").getTreatment());
+    }
+
+    @Test
+    public void globalTreatmentIsDroppedWhenInvalidFormat() {
+        Map<String, FallbackTreatment> byFlag = new HashMap<>();
+        byFlag.put(VALID_FLAG, new FallbackTreatment("on_1-2"));
+        byFlag.put("null_treatment", new FallbackTreatment(null));
+
+        FallbackConfiguration config = FallbackConfiguration.builder()
+                // Global invalid due to regex (letters cannot be followed by '.')
+                .global(new FallbackTreatment("on.off"))
+                .byFlag(byFlag)
+                .build();
+
+        FallbackConfiguration sanitized = mSanitizer.sanitize(config);
+
+        assertNull(sanitized.getGlobal());
+        // Ensure only the valid by-flag entry is preserved
+        assertEquals(1, sanitized.getByFlag().size());
+        assertEquals("on_1-2", sanitized.getByFlag().get(VALID_FLAG).getTreatment());
+    }
+
+    @Test
+    public void validFormatTreatmentIsNotDropped() {
+        Map<String, FallbackTreatment> byFlag = new HashMap<>();
+        byFlag.put("numWithDot", new FallbackTreatment("123.on"));
+        byFlag.put(VALID_FLAG, new FallbackTreatment("on_1-2"));
+
+        FallbackConfiguration config = FallbackConfiguration.builder()
+                .global(new FallbackTreatment("on"))
+                .byFlag(byFlag)
+                .build();
+
+        FallbackConfiguration sanitized = mSanitizer.sanitize(config);
+
+        assertEquals(2, sanitized.getByFlag().size());
+        assertTrue(sanitized.getByFlag().containsKey("numWithDot"));
+        assertEquals("123.on", sanitized.getByFlag().get("numWithDot").getTreatment());
+        assertEquals("on_1-2", sanitized.getByFlag().get(VALID_FLAG).getTreatment());
+        assertEquals("on", sanitized.getGlobal().getTreatment());
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`
`5`	`5`	`import java.util.HashMap;`
`6`	`6`	`import java.util.Map;`
	`7`	`+import java.util.regex.Pattern;`
`7`	`8`
`8`	`9`	`import io.split.android.client.utils.logger.Logger;`
`9`	`10`
`@@ -15,6 +16,8 @@ class FallbacksSanitizerImpl implements FallbacksSanitizer {`
`15`	`16`
`16`	`17`	`private static final int MAX_FLAG_NAME_LENGTH = 100;`
`17`	`18`	`private static final int MAX_TREATMENT_LENGTH = 100;`
	`19`	`+ private static final String TREATMENT_REGEXP = "^[0-9]+[.a-zA-Z0-9_-]$\|^[a-zA-Z]+[a-zA-Z0-9_-]$";`
	`20`	`+ private static final Pattern TREATMENT_PATTERN = Pattern.compile(TREATMENT_REGEXP);`
`18`	`21`
`19`	`22`	`/**`
`20`	`23`	`* Sanitizes the provided fallback configuration by applying validation rules.`
`@@ -93,6 +96,7 @@ private static boolean isValidTreatment(FallbackTreatment treatment) {`
`93`	`96`	`if (treatment == null \|\| treatment.getTreatment() == null) {`
`94`	`97`	`return false;`
`95`	`98`	`}`
`96`		`- return treatment.getTreatment().length() <= MAX_TREATMENT_LENGTH;`
	`99`	`+ String value = treatment.getTreatment();`
	`100`	`+ return value.length() <= MAX_TREATMENT_LENGTH && TREATMENT_PATTERN.matcher(value).matches();`
`97`	`101`	`}`
`98`	`102`	`}`