Add minor checks in jetty utils class

Author: adarshsanjeev

server/src/main/java/org/apache/druid/server/JettyUtils.java

@@ -33,9 +33,13 @@ public class JettyUtils
    * Concatenate URI parts, in a way that is useful for proxy servlets.
    *
    * @param base               base part of the uri, like http://example.com (no trailing slash)
-   * @param encodedPath        encoded path, like you would get from HttpServletRequest's getRequestURI
+   * @param encodedPath        encoded path, like you would get from HttpServletRequest's getRequestURI. Must start with
+   *                           a slash.
    * @param encodedQueryString encoded query string, like you would get from HttpServletRequest's getQueryString
+   *
+   * @return rewritten target URI, or null if the URI cannot be rewritten
    */
+  @Nullable
   public static String concatenateForRewrite(
       final String base,
       final String encodedPath,
@@ -44,6 +48,10 @@ public static String concatenateForRewrite(
   {
     // Query string and path are already encoded, no need for anything fancy beyond string concatenation.
 
+    if (!encodedPath.startsWith("/")) {
+      return null;
+    }
+
     final StringBuilder url = new StringBuilder(base).append(encodedPath);
 
     if (encodedQueryString != null) {

server/src/test/java/org/apache/druid/server/AsyncManagementForwardingServletTest.java

@@ -351,12 +351,36 @@ public void testBadProxyDestination() throws Exception
     Assert.assertFalse("overlord called", OVERLORD_EXPECTED_REQUEST.called);
   }
 
+  @Test
+  public void testCoordinatorNoPath() throws Exception
+  {
+    HttpURLConnection connection = ((HttpURLConnection)
+        new URL(StringUtils.format("http://localhost:%d/proxy/coordinator", port)).openConnection());
+    connection.setRequestMethod("GET");
+
+    Assert.assertEquals(403, connection.getResponseCode()); // proxy with no path is not allowed
+    Assert.assertFalse("coordinator called", COORDINATOR_EXPECTED_REQUEST.called);
+    Assert.assertFalse("overlord called", OVERLORD_EXPECTED_REQUEST.called);
+  }
+
+  @Test
+  public void testOverlordNoPath() throws Exception
+  {
+    HttpURLConnection connection = ((HttpURLConnection)
+        new URL(StringUtils.format("http://localhost:%d/proxy/overlord", port)).openConnection());
+    connection.setRequestMethod("GET");
+
+    Assert.assertEquals(403, connection.getResponseCode()); // proxy with no path is not allowed
+    Assert.assertFalse("coordinator called", COORDINATOR_EXPECTED_REQUEST.called);
+    Assert.assertFalse("overlord called", OVERLORD_EXPECTED_REQUEST.called);
+  }
+
   @Test
   public void testCoordinatorLeaderUnknown() throws Exception
   {
     isValidLeader = false;
     HttpURLConnection connection = ((HttpURLConnection)
-        new URL(StringUtils.format("http://localhost:%d/druid/coordinator", port)).openConnection());
+        new URL(StringUtils.format("http://localhost:%d/druid/coordinator/status", port)).openConnection());
     connection.setRequestMethod("GET");
 
     Assert.assertEquals(503, connection.getResponseCode());
@@ -369,7 +393,7 @@ public void testOverlordLeaderUnknown() throws Exception
   {
     isValidLeader = false;
     HttpURLConnection connection = ((HttpURLConnection)
-        new URL(StringUtils.format("http://localhost:%d/druid/indexer", port)).openConnection());
+        new URL(StringUtils.format("http://localhost:%d/druid/indexer/status", port)).openConnection());
     connection.setRequestMethod("GET");
 
     Assert.assertEquals(503, connection.getResponseCode());

server/src/test/java/org/apache/druid/server/JettyUtilsTest.java

@@ -36,4 +36,28 @@ public void testConcatenateForRewrite()
         )
     );
   }
+
+  @Test
+  public void testConcatenateForRewriteEmptyPath()
+  {
+    Assert.assertNull(
+        JettyUtils.concatenateForRewrite(
+            "http://example.com",
+            "",
+            "q=baz%20qux"
+        )
+    );
+  }
+
+  @Test
+  public void testConcatenateForRewriteInvalidPath()
+  {
+    Assert.assertNull(
+        JettyUtils.concatenateForRewrite(
+            "http://example.com",
+            "foo%20bar", // path must start with '/'
+            "q=baz%20qux"
+        )
+    );
+  }
 }