apache · daviftorres · Oct 21, 2025 · Nov 4, 2025 · Nov 18, 2025 · Mar 6, 2026
diff --git a/server/src/main/java/com/cloud/user/DomainManagerImpl.java b/server/src/main/java/com/cloud/user/DomainManagerImpl.java
@@ -91,6 +91,7 @@
 import com.cloud.storage.dao.VolumeDao;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.utils.Pair;
+import com.cloud.utils.StringUtils;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
 import com.cloud.utils.db.Filter;
@@ -108,8 +109,6 @@
 import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.dao.VMInstanceDao;
 
-import org.apache.commons.lang3.StringUtils;
-
 @Component
 public class DomainManagerImpl extends ManagerBase implements DomainManager, DomainService {
 
@@ -958,7 +957,7 @@ private void updateDomainChildren(DomainVO domain, String updatedDomainPrefix) {
         List<DomainVO> domainChildren = _domainDao.findAllChildren(domain.getPath(), domain.getId());
         // for each child, update the path
         for (DomainVO dom : domainChildren) {
-            dom.setPath(dom.getPath().replaceFirst(domain.getPath(), updatedDomainPrefix));
+            dom.setPath(StringUtils.replaceOnce(dom.getPath(), domain.getPath(), updatedDomainPrefix));
             _domainDao.update(dom.getId(), dom);
         }
     }
@@ -1094,7 +1093,7 @@ protected void validateNewParentDomainCanAccessResourcesOfDomainToBeMoved(String
         for (Map.Entry<Long, List<String>> entry : idsOfDomainsWithResourcesUsedByDomainToBeMoved.entrySet()) {
             DomainVO domainWithResourceUsedByDomainToBeMoved = _domainDao.findById(entry.getKey());
 
-            Pattern pattern = Pattern.compile(domainWithResourceUsedByDomainToBeMoved.getPath().replace("/", "\\/").concat(".*"));
+            Pattern pattern = Pattern.compile(domainWithResourceUsedByDomainToBeMoved.getPath().replace("/", "\\/").concat(".*")); // This only scaped one Regex metacharacter (/). The wildcard `.` is more common and dangerous in my opinion. 
             Matcher matcher = pattern.matcher(newPathOfDomainToBeMoved);
             if (!matcher.matches()) {
                 domainsOfResourcesInaccessibleToNewParentDomain.put(domainWithResourceUsedByDomainToBeMoved, entry.getValue());