Posted to commits@tapestry.apache.org by th...@apache.org on 2021/03/09 12:16:22 UTC

[tapestry-5] 01/02: TAP5-2665: Disallow requests for folders in the classpath by default

This is an automated email from the ASF dual-hosted git repository.

thiagohp pushed a commit to branch 5.6.x
in repository https://gitbox.apache.org/repos/asf/tapestry-5.git

commit 213c4f9e228ab834c801d048b82e7610cbb00786
Author: Thiago H. de Paula Figueiredo <th...@arsmachina.com.br>
AuthorDate: Tue Mar 9 08:42:30 2021 -0300

    TAP5-2665: Disallow requests for folders in the classpath by default
---
 .../assets/ClasspathAssetRequestHandler.java       | 12 +++-
 .../org/apache/tapestry5/modules/AssetsModule.java | 80 ++++++++++++++++++++--
 2 files changed, 85 insertions(+), 7 deletions(-)

diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
index ea92e26..6e59f89 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
@@ -22,6 +22,8 @@ import org.apache.tapestry5.services.ClasspathAssetProtectionRule;
 import org.apache.tapestry5.services.Request;
 import org.apache.tapestry5.services.Response;
 import org.apache.tapestry5.services.assets.AssetRequestHandler;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 
@@ -33,6 +35,9 @@ import java.io.IOException;
  */
 public class ClasspathAssetRequestHandler implements AssetRequestHandler
 {
+    
+    private final static Logger LOGGER = LoggerFactory.getLogger(ClasspathAssetRequestHandler.class);
+    
     private final ResourceStreamer streamer;
 
     private final AssetSource assetSource;
@@ -56,8 +61,13 @@ public class ClasspathAssetRequestHandler implements AssetRequestHandler
         ChecksumPath path = new ChecksumPath(streamer, baseFolder, extraPath);
         
         final boolean handled;
-        if (classpathAssetProtectionRule.block(path.resourcePath)) 
+        if (classpathAssetProtectionRule.block(path.resourcePath) && !path.resourcePath.equals(ChecksumPath.NON_EXISTING_RESOURCE)) 
         {
+            if (LOGGER.isWarnEnabled()) 
+            {
+                LOGGER.warn("Blocked request for classpath asset '" + path.resourcePath + 
+                        "'. Contribute a new ClasspathAssetProtectionRule if you need this asset to be publicly accessible.");
+            }
             handled = false;
         }
         else
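Review bot: The warning on L53-54 writes `path.resourcePath` into the log verbatim; that path is built from `extraPath` on L45, which presumably comes straight from the request URL, so a client can forge log lines with embedded CR/LF and can flood the log at WARN level just by requesting blocked paths. Prefer parameterized logging, which also makes the `isWarnEnabled()` guard unnecessary — `LOGGER.warn("Blocked request for classpath asset '{}'. Contribute a new ClasspathAssetProtectionRule if you need this asset to be publicly accessible.", path.resourcePath);` — and either strip control characters from the path before logging it or lower the level to DEBUG so the message cannot be used for log spamming. It would also be cheaper and clearer to test the `NON_EXISTING_RESOURCE` sentinel first and only then call `block(...)`, so contributed rules never run against the sentinel value. The enclosing method starts before and ends after this hunk.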
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
index 8175500..44e5907 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
@@ -18,16 +18,71 @@ import java.util.Map;
 import org.apache.tapestry5.SymbolConstants;
 import org.apache.tapestry5.internal.AssetConstants;
 import org.apache.tapestry5.internal.InternalConstants;
-import org.apache.tapestry5.internal.services.*;
-import org.apache.tapestry5.internal.services.assets.*;
+import org.apache.tapestry5.internal.services.AssetSourceImpl;
+import org.apache.tapestry5.internal.services.ClasspathAssetAliasManagerImpl;
+import org.apache.tapestry5.internal.services.ClasspathAssetFactory;
+import org.apache.tapestry5.internal.services.ContextAssetFactory;
+import org.apache.tapestry5.internal.services.ExternalUrlAssetFactory;
+import org.apache.tapestry5.internal.services.IdentityAssetPathConverter;
+import org.apache.tapestry5.internal.services.RequestConstants;
+import org.apache.tapestry5.internal.services.ResourceStreamer;
+import org.apache.tapestry5.internal.services.assets.AssetChecksumGeneratorImpl;
+import org.apache.tapestry5.internal.services.assets.AssetPathConstructorImpl;
+import org.apache.tapestry5.internal.services.assets.CSSURLRewriter;
+import org.apache.tapestry5.internal.services.assets.ClasspathAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.CompressionAnalyzerImpl;
+import org.apache.tapestry5.internal.services.assets.ContentTypeAnalyzerImpl;
+import org.apache.tapestry5.internal.services.assets.ContextAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackAssembler;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackAssemblerImpl;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackMinimizeDisabler;
+import org.apache.tapestry5.internal.services.assets.MasterResourceMinimizer;
+import org.apache.tapestry5.internal.services.assets.ResourceChangeTracker;
+import org.apache.tapestry5.internal.services.assets.ResourceChangeTrackerImpl;
+import org.apache.tapestry5.internal.services.assets.SRSCachingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSCompressedCachingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSCompressingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSMinimizingInterceptor;
+import org.apache.tapestry5.internal.services.assets.StackAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.StreamableResourceSourceImpl;
+import org.apache.tapestry5.internal.services.assets.UTF8ForTextAssets;
 import org.apache.tapestry5.internal.services.messages.ClientLocalizationMessageResource;
-import org.apache.tapestry5.ioc.*;
-import org.apache.tapestry5.ioc.annotations.*;
+import org.apache.tapestry5.ioc.MappedConfiguration;
+import org.apache.tapestry5.ioc.OperationTracker;
+import org.apache.tapestry5.ioc.OrderedConfiguration;
+import org.apache.tapestry5.ioc.Resource;
+import org.apache.tapestry5.ioc.ServiceBinder;
+import org.apache.tapestry5.ioc.annotations.Autobuild;
+import org.apache.tapestry5.ioc.annotations.Contribute;
+import org.apache.tapestry5.ioc.annotations.Decorate;
+import org.apache.tapestry5.ioc.annotations.Marker;
+import org.apache.tapestry5.ioc.annotations.Order;
+import org.apache.tapestry5.ioc.annotations.Primary;
+import org.apache.tapestry5.ioc.annotations.Symbol;
 import org.apache.tapestry5.ioc.services.ChainBuilder;
 import org.apache.tapestry5.ioc.services.FactoryDefaults;
 import org.apache.tapestry5.ioc.services.SymbolProvider;
-import org.apache.tapestry5.services.*;
-import org.apache.tapestry5.services.assets.*;
+import org.apache.tapestry5.services.ApplicationGlobals;
+import org.apache.tapestry5.services.AssetFactory;
+import org.apache.tapestry5.services.AssetPathConverter;
+import org.apache.tapestry5.services.AssetRequestDispatcher;
+import org.apache.tapestry5.services.AssetSource;
+import org.apache.tapestry5.services.ClasspathAssetAliasManager;
+import org.apache.tapestry5.services.ClasspathAssetProtectionRule;
+import org.apache.tapestry5.services.ClasspathProvider;
+import org.apache.tapestry5.services.ComponentClassResolver;
+import org.apache.tapestry5.services.ContextProvider;
+import org.apache.tapestry5.services.Core;
+import org.apache.tapestry5.services.Dispatcher;
+import org.apache.tapestry5.services.Request;
+import org.apache.tapestry5.services.ResponseCompressionAnalyzer;
+import org.apache.tapestry5.services.assets.AssetChecksumGenerator;
+import org.apache.tapestry5.services.assets.AssetPathConstructor;
+import org.apache.tapestry5.services.assets.AssetRequestHandler;
+import org.apache.tapestry5.services.assets.CompressionAnalyzer;
+import org.apache.tapestry5.services.assets.ContentTypeAnalyzer;
+import org.apache.tapestry5.services.assets.ResourceMinimizer;
+import org.apache.tapestry5.services.assets.StreamableResourceSource;
 import org.apache.tapestry5.services.javascript.JavaScriptStackSource;
 import org.apache.tapestry5.services.messages.ComponentMessagesSource;
 
@@ -374,6 +429,19 @@ public class AssetsModule
         configuration.add("PropertiesFile", propertiesFileRule);
         ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
         configuration.add("XMLFile", xmlFileRule);
+        ClasspathAssetProtectionRule folderRule = (s) -> isFolderToBlock(s);
+        configuration.add("Folder", folderRule);
+    }
+    
+    final private static boolean isFolderToBlock(String path) 
+    {
+        path = path.replace('\\', '/');
+        final int lastIndex = path.lastIndexOf('/');
+        if (lastIndex >= 0)
+        {
+            path = path.substring(lastIndex);
+        }
+        return !path.contains(".");
     }
     
 }
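Review bot: `isFolderToBlock` on L149-158 decides "folder" purely from the absence of a dot in the last path segment, so it never checks that the resource is a directory: a directory whose final name contains a dot (e.g. `org.example`) is still served, any extension-less classpath file (`README`, `LICENSE`, `Makefile`) is now blocked and logged as a folder, and a trailing `/..` segment is treated as a file because it contains a dot. If that trade-off is intended, document it on the helper, e.g. `/** Heuristic folder check: blocks any path whose last segment has no '.', so extension-less files are also blocked and folder names containing a dot are not. */`, so the next maintainer does not assume it is a real directory test. Style-wise, `final private static` is conventionally `private static final`, and the lambda on L145 can be the method reference `configuration.add("Folder", AssetsModule::isFolderToBlock);`. The contributing method these rules are added to begins before this hunk.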