Disallow all extensions in actuator endpoints (except .json)

Along with the recent change in Spring to use content-disposition "inline" (which prevents the download), it also makes sense to limit the extensions allowed by the actuator endpoints. Really there *is* no extension for these endpoints, but since all of them explicitly produce JSON we can add .json for browsers as a convenience in case the app would otherwise choose to send XML. Fixes gh-4402
2015-11-12 09:57:58 +00:00 · 2015-11-12 09:57:58 +00:00 · 8749fc745b
parent 1204559815
commit 8749fc745b
2 changed files with 20 additions and 2 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
@ -84,6 +84,7 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
 		// By default the static resource handler mapping is LOWEST_PRECEDENCE - 1
 		// and the RequestMappingHandlerMapping is 0 (we ideally want to be before both)
 		setOrder(-100);
+		setUseSuffixPatternMatch(false);
 	}

 	@Override
@ -121,7 +122,7 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
 		String prefix = StringUtils.hasText(this.prefix) ? this.prefix + path : path;
 		Set<String> defaultPatterns = mapping.getPatternsCondition().getPatterns();
 		if (defaultPatterns.isEmpty()) {
-			return new String[] { prefix };
+			return new String[] { prefix, prefix + ".json" };
 		}
 		List<String> patterns = new ArrayList<String>(defaultPatterns);
 		for (int i = 0; i < patterns.size(); i++) {
@ -142,7 +143,8 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {

 	private RequestMappingInfo withNewPatterns(RequestMappingInfo mapping,
 			String[] patternStrings) {
-		PatternsRequestCondition patterns = new PatternsRequestCondition(patternStrings);
+		PatternsRequestCondition patterns = new PatternsRequestCondition(patternStrings,
+				null, null, useSuffixPatternMatch(), useTrailingSlashMatch(), null);
 		return new RequestMappingInfo(patterns, mapping.getMethodsCondition(),
 				mapping.getParamsCondition(), mapping.getHeadersCondition(),
 				mapping.getConsumesCondition(), mapping.getProducesCondition(),
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointIntegrationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointIntegrationTests.java
@ -90,6 +90,22 @@ public class MvcEndpointIntegrationTests {
 		assertIndentedJsonResponse(SpringDataRestConfiguration.class);
 	}

+	@Test
+	public void fileExtensionNotFound() throws Exception {
+		this.context = new AnnotationConfigWebApplicationContext();
+		this.context.register(DefaultConfiguration.class);
+		MockMvc mockMvc = createMockMvc();
+		mockMvc.perform(get("/beans.cmd")).andExpect(status().isNotFound());
+	}
+
+	@Test
+	public void jsonExtensionProvided() throws Exception {
+		this.context = new AnnotationConfigWebApplicationContext();
+		this.context.register(DefaultConfiguration.class);
+		MockMvc mockMvc = createMockMvc();
+		mockMvc.perform(get("/beans.json")).andExpect(status().isOk());
+	}
+
 	@Test
 	public void nonSensitiveEndpointsAreNotSecureByDefault() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();