chore: add url encoding to appendProperties to prevent injection vulnerabilites

keshavdandeva · keshavdandeva · commit 73c0bcef7494 · 2026-02-18T00:32:26.000Z
diff --git a/google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcUrlUtility.java b/google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcUrlUtility.java
@@ -19,6 +19,10 @@
 import com.google.api.client.util.escape.CharEscapers;
 import com.google.cloud.bigquery.BigQueryOptions;
 import com.google.cloud.bigquery.exception.BigQueryJdbcRuntimeException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -614,7 +618,8 @@ final class BigQueryJdbcUrlUtility {
     }
     map.put(PARTNER_TOKEN_PROPERTY_NAME.toUpperCase(), PARTNER_TOKEN_PROPERTY_NAME);
     map.put(ENDPOINT_OVERRIDES_PROPERTY_NAME.toUpperCase(), ENDPOINT_OVERRIDES_PROPERTY_NAME);
-    map.put(PRIVATE_SERVICE_CONNECT_PROPERTY_NAME.toUpperCase(), PRIVATE_SERVICE_CONNECT_PROPERTY_NAME);
+    map.put(
+        PRIVATE_SERVICE_CONNECT_PROPERTY_NAME.toUpperCase(), PRIVATE_SERVICE_CONNECT_PROPERTY_NAME);
     PROPERTY_NAME_MAP = Collections.unmodifiableMap(map);
   }
 
@@ -701,7 +706,14 @@ static String appendPropertiesToURL(String url, String callerClassName, Properti
     for (Entry<Object, Object> entry : properties.entrySet()) {
       if (entry.getValue() != null && !"".equals(entry.getValue())) {
         LOG.finest("Appending %s with value %s to URL", entry.getKey(), entry.getValue());
-        urlBuilder.append(";").append(entry.getKey()).append("=").append(entry.getValue());
+        try {
+          String encodedValue =
+              URLEncoder.encode((String) entry.getValue(), StandardCharsets.UTF_8.name())
+                  .replace("+", "%20");
+          urlBuilder.append(";").append(entry.getKey()).append("=").append(encodedValue);
+        } catch (UnsupportedEncodingException e) {
+          throw new BigQueryJdbcRuntimeException(e);
+        }
       }
     }
     return urlBuilder.toString();
@@ -872,7 +884,12 @@ static Map<String, String> parseOverrideProperties(String url, String callerClas
     Matcher matcher = pattern.matcher(url);
     String overridePropertiesString;
     if (matcher.find() && matcher.groupCount() >= 1) {
-      overridePropertiesString = matcher.group(2);
+      try {
+        overridePropertiesString =
+            URLDecoder.decode(matcher.group(2), StandardCharsets.UTF_8.name());
+      } catch (UnsupportedEncodingException e) {
+        throw new BigQueryJdbcRuntimeException(e);
+      }
     } else {
       return overrideProps;
     }
diff --git a/google-cloud-bigquery-jdbc/src/test/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcUrlUtilityTest.java b/google-cloud-bigquery-jdbc/src/test/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcUrlUtilityTest.java
@@ -891,4 +891,38 @@ public void testParseRequestReason() {
             "testParseRequestReason");
     assertEquals("testingRequestReason", requestReason);
   }
+
+  @Test
+  public void testAppendPropertiesToURL_propertyWithSemicolon_isEscaped() throws Exception {
+    String url = "jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;";
+    Properties properties = new Properties();
+    String complexValue = "value;ExtraProperty=injection";
+    properties.setProperty("ProjectId", complexValue);
+
+    String updatedUrl = BigQueryJdbcUrlUtility.appendPropertiesToURL(url, null, properties);
+
+    Map<String, String> parsedProperties = BigQueryJdbcUrlUtility.parseUrl(updatedUrl);
+
+    assertThat(parsedProperties.get("ProjectId")).isEqualTo(complexValue);
+    assertFalse(parsedProperties.containsKey("ExtraProperty"));
+  }
+
+  @Test
+  public void testEndpointOverrides_viaProperties() throws Exception {
+    String url = "jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443";
+    Properties props = new Properties();
+
+    String overrides = "OAUTH2=http://localhost:1234,BIGQUERY=http://localhost:9090";
+    props.setProperty("EndpointOverrides", overrides);
+
+    String updatedUrl = BigQueryJdbcUrlUtility.appendPropertiesToURL(url, null, props);
+
+    Map<String, String> parsedOverrides =
+        BigQueryJdbcUrlUtility.parseOverrideProperties(updatedUrl, null);
+
+    assertThat(parsedOverrides).containsKey("OAUTH2");
+    assertThat(parsedOverrides.get("OAUTH2")).isEqualTo("http://localhost:1234");
+    assertThat(parsedOverrides).containsKey("BIGQUERY");
+    assertThat(parsedOverrides.get("BIGQUERY")).isEqualTo("http://localhost:9090");
+  }
 }
