NUTCH-3161 Address Sonarcloud High and Medium Security Hotspots

[lewismc]

PR to address NUTCH-3161. This patch addresses following Security Hotspota

High

(false positives): Exclude plugin resource directories from analysis in sonar-project.properties. No Java code lives in conf, data, or sample under src/plugin/**, so these paths are excluded from scanning., and

Medium

• ParseOutputFormat (src/java/.../ParseOutputFormat.java): Replace regex " *, *" for db.parsemeta.to.crawldb with comma-split + trim in getParseMetaToCrawlDBKeys(). Add TestParseOutputFormat with tests for empty, single, comma-separated, trim, and empty-segment handling.
• HtmlParser (parse-html plugin): Remove metaPattern, charsetPattern, and charsetPatternHTML5. Use linear string parsing in extractCharsetFromMeta() / extractCharsetValue() for HTML4 and HTML5 meta charset detection. Add testExtractCharsetFromMeta in existing TestHtmlParser.
• JSParseFilter (parse-js plugin): Remove STRING_PATTERN and URI_PATTERN. Use extractQuotedStrings() and looksLikeUri() (linear scan / simple checks). Add testExtractQuotedStrings and testLooksLikeUri in existing TestJSParseFilter.
• UrlValidator (urlfilter-validator plugin): Remove URL_PATTERN and AUTHORITY_PATTERN. Use java.net.URI for URL structure and parseAuthority() for host/port. Remove unused isBlankOrNull. Add testParseAuthority in existingTestUrlValidator.

Thanks for any review.

[lewismc]

Confirmed this PR addresses the security hotspots and passes tests.

[sonarqubecloud]

Quality Gate failed

Failed conditions
62.6% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

[sebastian-nagel]

Hi @lewismc, thanks!

So far, this is only a partial review. See the inline comments. Without having tried it, I expect some regressions, e.g. when extracting the charset from <meta charset = "UTF-8" />. Replacing regular expressions by hand-written scanner code is difficult and makes code maintenance much more difficult. Maybe use a scanner generator instead, e.g. Ragel? Alternatively, we could use RE2/J or dk.brics.automaton (see urlfilter-automaton) which are faster (and more safe) because they do not backtrack.

In addition, the URL validator needs a more substantial fix, see NUTCH-2986.

[sebastian-nagel]

Should add Locale.ROOT.

[sebastian-nagel]

The content bytes are converted into a String assuming ASCII encoding. If a "hand-crafted" scanner is used, could directly operate on the bytes avoiding the conversion to a string. Alternatively, could use a CharSequence wrapping the bytes, cf. ByteArrayCharSequence. But this can be an improvement for later.

[sebastian-nagel]

Assuming that indexes in the lower-case string and the original one are the same might be dangerous, for example, in German there is the pair "ß" <> "SS" (would held for uppercasing the string). See Unicode TR #21 Case Mappings: "Case mappings may produce strings of different length than the original."

[sebastian-nagel]

Of course, if we strictly ensure that the method is used on String only including ASCII characters and using always the root locale, this should be safe.

[sebastian-nagel]

Same: must use Locale.ROOT.

[sebastian-nagel]

The regex allows white space between "charset" and "=".

[sebastian-nagel]

It's a string from the configuration, it's controlled by the user and should be short. It's parsed once, so this is for sure not critical.

Apart from that should simply rely on getTrimmedStrings.

[sebastian-nagel]

\\s matches more characters than blank (U+0020) and the tab character.