Type: Bug
Resolution: Unresolved
Priority: Major
Hi,
While going over the code I noticed that you use string construction for JSON requests to Gerrit.
This is highly risky, as users may put special characters within the variables and alter the request to gain access to other functionality the user is authorized for. For example, message="\", something=\"xxx" will add 'something' to the JSON as its own field.
The code must be refactored to use Jackson or any JSON serialization that handles proper escaping.
Jackson supports POJOs and serializes them into JSON; the POJO can be a simple Map<String, Object> if you do not want to have a POJO per use case. Then use mapper.writeValueAsString(pojo) to construct the JSON.
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;

@JsonInclude(JsonInclude.Include.NON_NULL) // null fields are omitted from the serialized request
class C {
    @JsonProperty String property1;
    @JsonProperty String property2;
}

ObjectMapper mapper = new ObjectMapper();
C c1 = new C();
c1.property1 = "value1";
String json = mapper.writeValueAsString(c1); // request
C c2 = mapper.readValue(json, C.class);      // response
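The following is an added example, not code from the report or from the project: it puts the concatenation pattern the report objects to next to the Map-based Jackson serialization it proposes, feeds both the same crafted message, and parses the results back to show that only the concatenated body gained an extra field. The "message" and "labels" keys mirror Gerrit's review input, but the method names, the attack string and the choice of an injected "labels" field are assumptions made for illustration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not code from the project: a spliced-in value adds a field to
// the request body, while Jackson serialization escapes it into a plain string.
public class JsonEscapingDemo {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // The pattern the report objects to: the message is concatenated into the JSON source.
    static String commentByConcatenation(String message) {
        return "{\"message\":\"" + message + "\"}";
    }

    // The proposed fix: put values in a Map and let Jackson escape every string.
    static String commentWithJackson(String message) throws JsonProcessingException {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("message", message);
        return MAPPER.writeValueAsString(body);
    }

    // Parses a body back and reports how many top-level fields it has and whether
    // a "labels" object (the key that carries votes in a review input) is present.
    static String describe(String json) throws JsonProcessingException {
        JsonNode tree = MAPPER.readTree(json);
        return tree.size() + " field(s), labels present: " + tree.has("labels")
                + ", message=" + tree.path("message").asText();
    }

    public static void main(String[] args) throws Exception {
        // Constructed attack input (assumption for this demo): closes the "message"
        // string, appends a "labels" field, then opens a dummy string so the
        // closing quote of the template still produces valid JSON.
        String attack = "looks fine\", \"labels\": {\"Code-Review\": 2}, \"x\": \"";

        String unsafe = commentByConcatenation(attack);
        String safe = commentWithJackson(attack);

        System.out.println("concatenated: " + unsafe);
        System.out.println("          -> " + describe(unsafe));
        System.out.println("jackson:      " + safe);
        System.out.println("          -> " + describe(safe));
    }
}
```

Running this with jackson-databind on the classpath, the concatenated body parses as three fields, one of them the injected "labels" vote, and its "message" is just "looks fine"; the Jackson-built body parses as a single "message" field whose value is the attacker's text, quotes and all, because writeValueAsString escaped the embedded quotes and backslashes. The same Map approach covers nested objects (put another Map as a value) without any per-request POJO.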