Strip matrix parameters from request paths during HTTP security polic… by gsmet · Pull Request #53930 · quarkusio/quarkus

gsmet · 2026-05-04T09:45:02Z

…y matching

Matrix parameters (semicolon-delimited values in URL path segments, e.g. /api;v=1/resource) could bypass HTTP security policy path matching. This commit strips matrix parameters before matching across all security-relevant paths: HTTP policy matcher, Keycloak policy enforcer, OIDC tenant resolver, CSRF filter, and Undertow servlet policy.

Additionally, the build now fails if an HTTP security policy path contains a literal semicolon character.

…y matching Matrix parameters (semicolon-delimited values in URL path segments, e.g. /api;v=1/resource) could bypass HTTP security policy path matching. This commit strips matrix parameters before matching across all security-relevant paths: HTTP policy matcher, Keycloak policy enforcer, OIDC tenant resolver, CSRF filter, and Undertow servlet policy. Additionally, the build now fails if an HTTP security policy path contains a literal semicolon character.

quarkus-bot · 2026-05-04T09:45:07Z

Thanks for your pull request!

Your pull request does not follow our editorial rules. Could you have a look?

title should not end up with ellipsis (make sure the title is complete)

_{This message is automatically generated by a bot.}

quarkus-bot · 2026-05-04T10:21:22Z

Status for workflow `Quarkus Documentation CI`

This is the status report for running Quarkus Documentation CI on commit 363d53a.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

github-actions · 2026-05-04T10:28:54Z

🙈 The PR is closed and the preview is expired.

quarkus-bot · 2026-05-04T14:53:35Z

Status for workflow `Quarkus CI`

This is the status report for running Quarkus CI on commit 363d53a.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

Flaky tests - Develocity

⚙️ JVM Tests - JDK 17

📦 extensions/smallrye-reactive-messaging-kafka/deployment

❌ io.quarkus.smallrye.reactivemessaging.kafka.deployment.testing.KafkaDevServicesContinuousTestingTestCase.testContinuousTestingScenario2 - History

org.testcontainers.containers.ContainerLaunchException: Container startup failed for image docker.io/library/redis:7 - java.util.concurrent.CompletionException

Details

java.util.concurrent.CompletionException: org.testcontainers.containers.ContainerLaunchException: Container startup failed for image docker.io/library/redis:7
	at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:315)
	at java.base/java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:320)
	at java.base/java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1807)
	at java.base/java.util.concurrent.CompletableFuture$AsyncRun.exec(CompletableFuture.java:1796)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182)
	at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655)

⚙️ Gradle Tests - JDK 17 Windows

📦 integration-tests/gradle

❌ io.quarkus.gradle.devmode.IncludedKotlinBuildDevModeTest.main - History

Condition with Lambda expression in io.quarkus.test.devmode.util.DevModeClient was not fulfilled within 1 minutes 30 seconds. - org.awaitility.core.ConditionTimeoutException

Details

org.awaitility.core.ConditionTimeoutException: Condition with Lambda expression in io.quarkus.test.devmode.util.DevModeClient was not fulfilled within 1 minutes  30 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:26)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1160)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1129)
	at io.quarkus.test.devmode.util.DevModeClient.getHttpResponse(DevModeClient.java:164)
	at io.quarkus.gradle.devmode.QuarkusDevGradleTestBase.getHttpResponse(QuarkusDevGradleTestBase.java:170)

⚙️ JVM Integration Tests - JDK 17

📦 integration-tests/reactive-messaging-kafka

❌ io.quarkus.it.kafka.KafkaConnectorTest.testDataForKeyed - History

Assertion condition defined as a Lambda expression in io.quarkus.it.kafka.KafkaConnectorTest expected: <3> but was: <4> within 10 seconds. - org.awaitility.core.ConditionTimeoutException

Details

org.awaitility.core.ConditionTimeoutException: Assertion condition defined as a Lambda expression in io.quarkus.it.kafka.KafkaConnectorTest expected: <3> but was: <4> within 10 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:119)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:31)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1160)
	at org.awaitility.core.ConditionFactory.untilAsserted(ConditionFactory.java:790)
	at io.quarkus.it.kafka.KafkaConnectorTest.testDataForKeyed(KafkaConnectorTest.java:96)
Caused by: org.opentest4j.AssertionFailedError: expected: <3> but was: <4>

Assertion condition defined as a Lambda expression in io.quarkus.it.kafka.KafkaConnectorTest expected: <3> but was: <6> within 10 seconds. - org.awaitility.core.ConditionTimeoutException

Details

org.awaitility.core.ConditionTimeoutException: Assertion condition defined as a Lambda expression in io.quarkus.it.kafka.KafkaConnectorTest expected: <3> but was: <6> within 10 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:119)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:31)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1160)
	at org.awaitility.core.ConditionFactory.untilAsserted(ConditionFactory.java:790)
	at io.quarkus.it.kafka.KafkaConnectorTest.testDataForKeyed(KafkaConnectorTest.java:96)
	Suppressed: java.lang.ClassCastException: class java.util.LinkedHashMap cannot be cast to class io.quarkus.it.kafka.KafkaReceivers$PeopleState (java.util.LinkedHashMap is in module java.base of loader 'bootstrap'; io.quarkus.it.kafka.KafkaReceivers$PeopleState is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusCla...

⚙️ JVM Integration Tests - JDK 17 Windows

📦 integration-tests/opentelemetry-minimal

❌ io.quarkus.it.opentelemetry.minimal.HelloServiceTest.testHello - History

Expected: a value equal to or greater than <1> but: <0> was less than <1> - java.lang.AssertionError

Details

java.lang.AssertionError: 

Expected: a value equal to or greater than <1>
     but: <0> was less than <1>
	at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
	at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:6)
	at io.quarkus.it.opentelemetry.minimal.HelloServiceTest.testHello(HelloServiceTest.java:24)

⚙️ JVM Integration Tests - JDK 25

📦 integration-tests/reactive-messaging-kafka

❌ io.quarkus.it.kafka.KafkaConnectorTest.testDataForKeyed - History

Assertion condition defined as a Lambda expression in io.quarkus.it.kafka.KafkaConnectorTest expected: <3> but was: <4> within 10 seconds. - org.awaitility.core.ConditionTimeoutException

Details

org.awaitility.core.ConditionTimeoutException: Assertion condition defined as a Lambda expression in io.quarkus.it.kafka.KafkaConnectorTest expected: <3> but was: <4> within 10 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:119)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:31)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1160)
	at org.awaitility.core.ConditionFactory.untilAsserted(ConditionFactory.java:790)
	at io.quarkus.it.kafka.KafkaConnectorTest.testDataForKeyed(KafkaConnectorTest.java:96)
Caused by: org.opentest4j.AssertionFailedError: expected: <3> but was: <4>

Assertion condition defined as a Lambda expression in io.quarkus.it.kafka.KafkaConnectorTest expected: <3> but was: <6> within 10 seconds. - org.awaitility.core.ConditionTimeoutException

Details

org.awaitility.core.ConditionTimeoutException: Assertion condition defined as a Lambda expression in io.quarkus.it.kafka.KafkaConnectorTest expected: <3> but was: <6> within 10 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:119)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:31)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1160)
	at org.awaitility.core.ConditionFactory.untilAsserted(ConditionFactory.java:790)
	at io.quarkus.it.kafka.KafkaConnectorTest.testDataForKeyed(KafkaConnectorTest.java:96)
	Suppressed: java.lang.ClassCastException: class java.util.LinkedHashMap cannot be cast to class io.quarkus.it.kafka.KafkaReceivers$PeopleState (java.util.LinkedHashMap is in module java.base of loader 'bootstrap'; io.quarkus.it.kafka.KafkaReceivers$PeopleState is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusCla...

gsmet temporarily deployed to ci May 4, 2026 09:45 — with GitHub Actions Inactive

quarkus-bot Bot added area/docstyle issues related for manual docstyle review area/documentation area/keycloak area/oidc area/rest area/resteasy-classic area/security area/undertow area/vertx labels May 4, 2026

geoand approved these changes May 4, 2026

View reviewed changes

gastaldi added the triage/waiting-for-ci Ready to merge when CI successfully finishes label May 4, 2026

quarkus-bot Bot added the triage/flaky-test label May 4, 2026

geoand merged commit a2f1536 into quarkusio:main May 4, 2026
67 checks passed

quarkus-bot Bot added this to the 3.36 - main milestone May 4, 2026

quarkus-bot Bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label May 4, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strip matrix parameters from request paths during HTTP security polic…#53930

Strip matrix parameters from request paths during HTTP security polic…#53930
geoand merged 1 commit intoquarkusio:mainfrom
gsmet:matrix

gsmet commented May 4, 2026

Uh oh!

quarkus-bot Bot commented May 4, 2026

Uh oh!

quarkus-bot Bot commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026 •

edited

Loading

Uh oh!

quarkus-bot Bot commented May 4, 2026 •

edited by github-actions Bot

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

gsmet commented May 4, 2026

Uh oh!

quarkus-bot Bot commented May 4, 2026

Uh oh!

quarkus-bot Bot commented May 4, 2026

Status for workflow Quarkus Documentation CI

Uh oh!

github-actions Bot commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

quarkus-bot Bot commented May 4, 2026 • edited by github-actions Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Status for workflow Quarkus CI

Flaky tests - Develocity

⚙️ JVM Tests - JDK 17

📦 extensions/smallrye-reactive-messaging-kafka/deployment

⚙️ Gradle Tests - JDK 17 Windows

📦 integration-tests/gradle

⚙️ JVM Integration Tests - JDK 17

📦 integration-tests/reactive-messaging-kafka

⚙️ JVM Integration Tests - JDK 17 Windows

📦 integration-tests/opentelemetry-minimal

⚙️ JVM Integration Tests - JDK 25

📦 integration-tests/reactive-messaging-kafka

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Status for workflow `Quarkus Documentation CI`

github-actions Bot commented May 4, 2026 •

edited

Loading

quarkus-bot Bot commented May 4, 2026 •

edited by github-actions Bot

Loading

Status for workflow `Quarkus CI`