Posted to commits@tapestry.apache.org by th...@apache.org on 2021/03/09 12:42:24 UTC

[tapestry-5] branch master updated: TAP5-2665: Disallow requests for folders in the classpath by default

This is an automated email from the ASF dual-hosted git repository.

thiagohp pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tapestry-5.git


The following commit(s) were added to refs/heads/master by this push:
     new ce9c2e8  TAP5-2665: Disallow requests for folders in the classpath by default
ce9c2e8 is described below

commit ce9c2e8e49669a7d7e68c347f1d95e79ece74ae4
Author: Thiago H. de Paula Figueiredo <th...@arsmachina.com.br>
AuthorDate: Tue Mar 9 08:42:30 2021 -0300

    TAP5-2665: Disallow requests for folders in the classpath by default
---
 .../internal/services/assets/ChecksumPath.java     |  2 +-
 .../assets/ClasspathAssetRequestHandler.java       | 12 ++++-
 .../org/apache/tapestry5/modules/AssetsModule.java | 55 +++++++++++++++++++---
 3 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
index 69624d4..95e907e 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
@@ -27,7 +27,7 @@ import java.io.IOException;
  */
 public class ChecksumPath
 {
-    private static final String NON_EXISTING_RESOURCE = "_________________________";
+    static final String NON_EXISTING_RESOURCE = "_________________________";
 
     public final String checksum;
 
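Review bot: Widening `NON_EXISTING_RESOURCE` to package-private exposes a sentinel that another class now compares against, but the declaration still says nothing about what the value means or who depends on it, so a later cleanup could make it private again or change the string. A Javadoc on the new line such as `/** Sentinel used for {@code resourcePath} when the requested resource cannot be resolved; ClasspathAssetRequestHandler compares against it, so do not change the value or visibility casually. */` would record that contract (the constructor that presumably assigns it is not in the hunk, so confirm the wording against it). The rest of the class is outside the hunk.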
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
index 981774f..2e745de 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
@@ -22,6 +22,8 @@ import org.apache.tapestry5.services.AssetSource;
 import org.apache.tapestry5.services.ClasspathAssetAliasManager;
 import org.apache.tapestry5.services.ClasspathAssetProtectionRule;
 import org.apache.tapestry5.services.assets.AssetRequestHandler;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 
@@ -33,6 +35,9 @@ import java.io.IOException;
  */
 public class ClasspathAssetRequestHandler implements AssetRequestHandler
 {
+    
+    private final static Logger LOGGER = LoggerFactory.getLogger(ClasspathAssetRequestHandler.class);
+    
     private final ResourceStreamer streamer;
 
     private final AssetSource assetSource;
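Review bot: The new logger field uses a non-canonical modifier order; the JLS-recommended order is `private static final Logger LOGGER = LoggerFactory.getLogger(ClasspathAssetRequestHandler.class);`. The two added blank lines around it carry trailing whitespace. The class body continues outside the hunk.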
@@ -56,8 +61,13 @@ public class ClasspathAssetRequestHandler implements AssetRequestHandler
         ChecksumPath path = new ChecksumPath(streamer, baseFolder, extraPath);
         
         final boolean handled;
-        if (classpathAssetProtectionRule.block(path.resourcePath)) 
+        if (classpathAssetProtectionRule.block(path.resourcePath) && !path.resourcePath.equals(ChecksumPath.NON_EXISTING_RESOURCE)) 
         {
+            if (LOGGER.isWarnEnabled()) 
+            {
+                LOGGER.warn("Blocked request for classpath asset '" + path.resourcePath + 
+                        "'. Contribute a new ClasspathAssetProtectionRule if you need this asset to be publicly accessible.");
+            }
             handled = false;
         }
         else
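Review bot: The new warning builds its message by concatenating `path.resourcePath`, a value derived from the request URL, and wraps it in an `isWarnEnabled()` guard; SLF4J's parameterized form avoids both, `LOGGER.warn("Blocked request for classpath asset '{}'. Contribute a new ClasspathAssetProtectionRule if you need this asset to be publicly accessible.", path.resourcePath);`. Because the value is client-controlled, it is worth checking whether it can still contain line breaks or control characters when it reaches the log (log forging) and whether WARN is the right level for an event any anonymous client can trigger repeatedly. The added `!path.resourcePath.equals(ChecksumPath.NON_EXISTING_RESOURCE)` clause looks intended to keep the new folder rule, which blocks names without a '.', from firing on the sentinel for a missing resource, but nothing says so; a one-line comment such as `// the missing-resource sentinel has no '.', so it would otherwise match the folder rule` would preserve the reasoning. The enclosing method starts and ends outside the hunk.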
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
index 49ecfdc..72091dd 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
@@ -16,9 +16,9 @@ import java.util.List;
 import java.util.Map;
 
 import org.apache.tapestry5.SymbolConstants;
-import org.apache.tapestry5.beanmodel.internal.services.*;
-import org.apache.tapestry5.beanmodel.services.*;
-import org.apache.tapestry5.commons.*;
+import org.apache.tapestry5.commons.MappedConfiguration;
+import org.apache.tapestry5.commons.OrderedConfiguration;
+import org.apache.tapestry5.commons.Resource;
 import org.apache.tapestry5.http.TapestryHttpSymbolConstants;
 import org.apache.tapestry5.http.internal.TapestryHttpInternalConstants;
 import org.apache.tapestry5.http.services.ApplicationGlobals;
@@ -35,11 +35,36 @@ import org.apache.tapestry5.internal.services.ExternalUrlAssetFactory;
 import org.apache.tapestry5.internal.services.IdentityAssetPathConverter;
 import org.apache.tapestry5.internal.services.RequestConstants;
 import org.apache.tapestry5.internal.services.ResourceStreamer;
-import org.apache.tapestry5.internal.services.assets.*;
+import org.apache.tapestry5.internal.services.assets.AssetChecksumGeneratorImpl;
+import org.apache.tapestry5.internal.services.assets.AssetPathConstructorImpl;
+import org.apache.tapestry5.internal.services.assets.CSSURLRewriter;
+import org.apache.tapestry5.internal.services.assets.ClasspathAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.CompressionAnalyzerImpl;
+import org.apache.tapestry5.internal.services.assets.ContentTypeAnalyzerImpl;
+import org.apache.tapestry5.internal.services.assets.ContextAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackAssembler;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackAssemblerImpl;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackMinimizeDisabler;
+import org.apache.tapestry5.internal.services.assets.MasterResourceMinimizer;
+import org.apache.tapestry5.internal.services.assets.ResourceChangeTracker;
+import org.apache.tapestry5.internal.services.assets.ResourceChangeTrackerImpl;
+import org.apache.tapestry5.internal.services.assets.SRSCachingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSCompressedCachingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSCompressingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSMinimizingInterceptor;
+import org.apache.tapestry5.internal.services.assets.StackAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.StreamableResourceSourceImpl;
+import org.apache.tapestry5.internal.services.assets.UTF8ForTextAssets;
 import org.apache.tapestry5.internal.services.messages.ClientLocalizationMessageResource;
 import org.apache.tapestry5.ioc.OperationTracker;
 import org.apache.tapestry5.ioc.ServiceBinder;
-import org.apache.tapestry5.ioc.annotations.*;
+import org.apache.tapestry5.ioc.annotations.Autobuild;
+import org.apache.tapestry5.ioc.annotations.Contribute;
+import org.apache.tapestry5.ioc.annotations.Decorate;
+import org.apache.tapestry5.ioc.annotations.Marker;
+import org.apache.tapestry5.ioc.annotations.Order;
+import org.apache.tapestry5.ioc.annotations.Primary;
+import org.apache.tapestry5.ioc.annotations.Symbol;
 import org.apache.tapestry5.ioc.services.ChainBuilder;
 import org.apache.tapestry5.ioc.services.FactoryDefaults;
 import org.apache.tapestry5.ioc.services.SymbolProvider;
@@ -53,7 +78,12 @@ import org.apache.tapestry5.services.ClasspathProvider;
 import org.apache.tapestry5.services.ComponentClassResolver;
 import org.apache.tapestry5.services.ContextProvider;
 import org.apache.tapestry5.services.Core;
-import org.apache.tapestry5.services.assets.*;
+import org.apache.tapestry5.services.assets.AssetChecksumGenerator;
+import org.apache.tapestry5.services.assets.AssetPathConstructor;
+import org.apache.tapestry5.services.assets.AssetRequestHandler;
+import org.apache.tapestry5.services.assets.ContentTypeAnalyzer;
+import org.apache.tapestry5.services.assets.ResourceMinimizer;
+import org.apache.tapestry5.services.assets.StreamableResourceSource;
 import org.apache.tapestry5.services.javascript.JavaScriptStackSource;
 import org.apache.tapestry5.services.messages.ComponentMessagesSource;
 
@@ -399,6 +429,19 @@ public class AssetsModule
         configuration.add("PropertiesFile", propertiesFileRule);
         ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
         configuration.add("XMLFile", xmlFileRule);
+        ClasspathAssetProtectionRule folderRule = (s) -> isFolderToBlock(s);
+        configuration.add("Folder", folderRule);
+    }
+    
+    final private static boolean isFolderToBlock(String path) 
+    {
+        path = path.replace('\\', '/');
+        final int lastIndex = path.lastIndexOf('/');
+        if (lastIndex >= 0)
+        {
+            path = path.substring(lastIndex);
+        }
+        return !path.contains(".");
     }
     
 }
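Review bot: `isFolderToBlock` treats the last path segment as a folder only when it contains no '.', so a folder whose name contains a dot (for instance `.git` or `v1.2`) is not blocked by the new `Folder` rule, while an extension-less file such as `LICENSE` is; that trade-off should be stated on the method, e.g. `/** Heuristic behind the "Folder" protection rule: blocks paths whose final segment has no '.', i.e. looks like a folder rather than a file with an extension; folder names containing a dot are not caught. */`. `final` on a private static method is redundant, and the contribution can use a method reference instead of the wrapping lambda: `ClasspathAssetProtectionRule folderRule = AssetsModule::isFolderToBlock;`. `path.substring(lastIndex)` keeps the leading '/', which is harmless for the `contains(".")` test but deserves a short comment so nobody "fixes" it. The contribution method that the first added lines extend starts outside the hunk.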