Posted to users@tapestry.apache.org by "Thiago H. de Paula Figueiredo" <th...@gmail.com> on 2020/02/21 21:28:01 UTC

Re: Tapestry exposes the list of css/js files in assets

On Thu, Jan 16, 2020 at 6:22 AM Nicolas Bouillon <ni...@bouillon.net>
wrote:

> Hi all,
>

Hello!

Thanks for posting your findings.

It should be noted that Tapestry considers anything under /WEB-INF/assets
to be public files. In other words, files which are intended to be seen. So,
while it's not ideal to have file listings, I wouldn't consider it something
problematic.
>
> Following a pen-test of our application, it has been raised that the
> list of assets is visible as a directory listing.
>
> For example, we have a javascript file available at this location
> /assets/meta/z58f7f3d4/javascript/library.js but when we access
> /assets/meta/z58f7f3d4/javascript/ the web server lists all files
> available in META-INF.assets.javascript directory of the project.
>
> Do you know how to prevent this listing?
>
> It looks to me like it's happening in
> org.apache.tapestry5.internal.services.assets.ClasspathAssetRequestHandler#handleAssetRequest
> and then in
> org.apache.tapestry5.internal.services.ResourceStreamerImpl#streamResource(org.apache.tapestry5.ioc.Resource, org.apache.tapestry5.services.assets.StreamableResource, java.lang.String, java.util.Set<org.apache.tapestry5.internal.services.ResourceStreamer.Options>)
>
> Thank you,
> Nicolas.
>

-- 
Thiago
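One way to stop the directory listing Nicolas describes without touching Tapestry's asset handler, as an added example that is not part of this thread or of Tapestry itself: a plain servlet Filter that answers 404 for any asset URL ending in "/", so a directory path such as /assets/meta/z58f7f3d4/javascript/ never reaches ClasspathAssetRequestHandler. It assumes the default "/assets/" prefix and that the filter is mapped in web.xml ahead of Tapestry's own filter.

```java
// Added example (hypothetical, not Tapestry code): reject requests for asset
// *directories* before Tapestry sees them. Individual files such as
// /assets/meta/z58f7f3d4/javascript/library.js still pass through untouched.
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AssetDirectoryListingFilter implements Filter {

    // Assumption: Tapestry's default asset path prefix.
    private static final String ASSET_PREFIX = "/assets/";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    /**
     * True when the request path (context path removed) points at a
     * directory under the asset prefix, i.e. ends with a slash. The
     * servlet path and path info are already URL-decoded by the container,
     * so an encoded trailing slash is caught as well.
     */
    static boolean isAssetDirectoryRequest(String servletPath, String pathInfo) {
        String path = servletPath + (pathInfo == null ? "" : pathInfo);
        return path.startsWith(ASSET_PREFIX) && path.endsWith("/");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isAssetDirectoryRequest(request.getServletPath(), request.getPathInfo())) {
            // Respond as if nothing exists there; no listing is produced.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to /* in web.xml and place its filter-mapping before Tapestry's, since filters run in mapping order.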