HttpSessionRequestCache#getMatchingRequest passes decoded Request URL to UriComponentsBuilder

[ClausMie]

Hi there!
Thanks for taking a look at this issue. Please let me know if you require more information.
Let's discuss!

Describe the bug

HttpSessionRequestCache#getMatchingRequest relies on org.springframework.web.util.UriComponentsBuilder#fromUriString(String) to be able to handle decoded % characters.

To Reproduce

The org.springframework.web.util.UriComponentsBuilder#fromUriString(String) cannot handle a % followed by characters that result in false %-encoding.

@Test
void unencodedPercent(){
  assertThatRuntimeException().isThrownBy(() -> UriComponentsBuilder.fromUriString("/30 % off"));
}

This leads to a org.springframework.web.util.InvalidUrlException: Bad path when such a request gets to HttpSessionRequestCache#getMatchingRequest.
An encoded request https://example.com/myapp/discounts/30%20%25%20off is returned decoded by UrlUtils#buildRequestUrl(HttpServletRequest.
The UriComponentsBuilder cannot handle this decoded %

Expected behavior
My request does not result in an InvalidUrlException.

[mkleine]

In fact every request containing a properly encoded % sign followed by a non-hex character will cause an exception in line

spring-security/web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java

Line 107 in ec3cc66

|| !UriComponentsBuilder.fromUriString(UrlUtils.buildRequestUrl(request))

as the path of the URI to be checked is decoded as documented

spring-security/web/src/main/java/org/springframework/security/web/util/UrlUtils.java

Line 85 in ec3cc66

* But the requestURI is not decoded, whereas the servletPath and pathInfo are

The decoded URI could be parsed using WHAT_WG parser type but that's not configurable at that line. @marcusdacoregio can you confirm this analysis? You introduced this line in 18e8836