Merge pull request #17538 from adavid9

* gh-17538: Polish "Hide loader classes from Tomcat's ServletContext resource paths" Hide loader classes from Tomcat's ServletContext resource paths Closes gh-17538
2019-07-18 17:06:35 +01:00 · 2019-07-18 17:06:35 +01:00 · 173ff87b98
parent b725c60177 591250f75e
commit 173ff87b98
4 changed files with 116 additions and 17 deletions
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java
@ -31,6 +31,7 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Set;
+import java.util.stream.Collectors;

 import javax.servlet.ServletContainerInitializer;

@ -88,6 +89,7 @@ import org.springframework.util.StringUtils;
 * @author Andy Wilkinson
 * @author Eddú Meléndez
 * @author Christoffer Sawicki
+ * @author Dawid Antecki
 * @since 2.0.0
 * @see #setPort(int)
 * @see #setContextLifecycleListeners(Collection)
@ -751,7 +753,9 @@ public class TomcatServletWebServerFactory extends AbstractServletWebServerFacto

 		@Override
 		public Set<String> listWebAppPaths(String path) {
-			return this.delegate.listWebAppPaths(path);
+			return this.delegate.listWebAppPaths(path).stream()
+					.filter((webAppPath) -> !webAppPath.startsWith("/org/springframework/boot"))
+					.collect(Collectors.toSet());
 		}

 		@Override
--- a/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/com/example/ResourceHandlingApplication.java
+++ b/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/com/example/ResourceHandlingApplication.java
@ -18,6 +18,8 @@ package com.example;

 import java.io.IOException;
 import java.net.URL;
+import java.util.LinkedHashSet;
+import java.util.Set;

 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@ -38,31 +40,62 @@ import org.springframework.context.annotation.Bean;
@SpringBootApplication
 public class ResourceHandlingApplication {

+	@Bean
+	public ServletRegistrationBean<?> resourceServletRegistration() {
+		ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(new GetResourceServlet());
+		registration.addUrlMappings("/servletContext");
+		return registration;
+	}
+
+	@Bean
+	public ServletRegistrationBean<?> resourcePathsServletRegistration() {
+		ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(
+				new GetResourcePathsServlet());
+		registration.addUrlMappings("/resourcePaths");
+		return registration;
+	}
+
 	public static void main(String[] args) {
 		new SpringApplicationBuilder(ResourceHandlingApplication.class).properties("server.port:0")
 				.listeners(new WebServerPortFileWriter("target/server.port")).run(args);
 	}

-	@Bean
-	public ServletRegistrationBean<?> resourceServletRegistration() {
-		ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(new HttpServlet() {
+	private static final class GetResourcePathsServlet extends HttpServlet {

-			@Override
-			protected void doGet(HttpServletRequest req, HttpServletResponse resp)
-					throws ServletException, IOException {
-				URL resource = getServletContext().getResource(req.getQueryString());
-				if (resource == null) {
-					resp.sendError(404);
-				}
-				else {
-					resp.getWriter().println(resource);
-					resp.getWriter().flush();
+		@Override
+		protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+			collectResourcePaths("/").forEach(resp.getWriter()::println);
+			resp.getWriter().flush();
+		}
+
+		private Set<String> collectResourcePaths(String path) {
+			Set<String> allResourcePaths = new LinkedHashSet<>();
+			Set<String> pathsForPath = getServletContext().getResourcePaths(path);
+			if (pathsForPath != null) {
+				for (String resourcePath : pathsForPath) {
+					allResourcePaths.add(resourcePath);
+					allResourcePaths.addAll(collectResourcePaths(resourcePath));
 				}
 			}
+			return allResourcePaths;
+		}
+
+	}
+
+	private static final class GetResourceServlet extends HttpServlet {
+
+		@Override
+		protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+			URL resource = getServletContext().getResource(req.getQueryString());
+			if (resource == null) {
+				resp.sendError(404);
+			}
+			else {
+				resp.getWriter().println(resource);
+				resp.getWriter().flush();
+			}
+		}

-		});
-		registration.addUrlMappings("/servletContext");
-		return registration;
 	}

 }
--- a/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/org/springframework/boot/context/embedded/EmbeddedServletContainerWarDevelopmentIntegrationTests.java
+++ b/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/org/springframework/boot/context/embedded/EmbeddedServletContainerWarDevelopmentIntegrationTests.java
@ -16,7 +16,13 @@

 package org.springframework.boot.context.embedded;

+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;

 import org.junit.Test;
 import org.junit.runner.RunWith;
@ -67,4 +73,29 @@ public class EmbeddedServletContainerWarDevelopmentIntegrationTests
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 	}

+	@Test
+	public void loaderClassesAreNotAvailableViaResourcePaths() {
+		ResponseEntity<String> entity = this.rest.getForEntity("/resourcePaths", String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(readLines(entity.getBody()))
+				.noneMatch((resourcePath) -> resourcePath.startsWith("/org/springframework/boot/loader"));
+	}
+
+	private List<String> readLines(String input) {
+		if (input == null) {
+			return Collections.emptyList();
+		}
+		List<String> lines = new ArrayList<>();
+		try (BufferedReader reader = new BufferedReader(new StringReader(input))) {
+			String line;
+			while ((line = reader.readLine()) != null) {
+				lines.add(line);
+			}
+			return lines;
+		}
+		catch (IOException ex) {
+			throw new RuntimeException("Failed to read lines from input '" + input + "'");
+		}
+	}
+
 }
--- a/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/org/springframework/boot/context/embedded/EmbeddedServletContainerWarPackagingIntegrationTests.java
+++ b/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/org/springframework/boot/context/embedded/EmbeddedServletContainerWarPackagingIntegrationTests.java
@ -16,7 +16,13 @@

 package org.springframework.boot.context.embedded;

+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;

 import org.junit.Test;
 import org.junit.runner.RunWith;
@ -90,4 +96,29 @@ public class EmbeddedServletContainerWarPackagingIntegrationTests
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
 	}

+	@Test
+	public void loaderClassesAreNotAvailableViaResourcePaths() {
+		ResponseEntity<String> entity = this.rest.getForEntity("/resourcePaths", String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(readLines(entity.getBody()))
+				.noneMatch((resourcePath) -> resourcePath.startsWith("/org/springframework/boot/loader"));
+	}
+
+	private List<String> readLines(String input) {
+		if (input == null) {
+			return Collections.emptyList();
+		}
+		List<String> lines = new ArrayList<>();
+		try (BufferedReader reader = new BufferedReader(new StringReader(input))) {
+			String line;
+			while ((line = reader.readLine()) != null) {
+				lines.add(line);
+			}
+			return lines;
+		}
+		catch (IOException ex) {
+			throw new RuntimeException("Failed to read lines from input '" + input + "'");
+		}
+	}
+
 }