Extract shared resource handling utility methods
Closes: gh-33574
This commit is contained in:
parent
df5489b81a
commit
c6fa180602
|
@ -18,20 +18,14 @@ package org.springframework.web.reactive.function.server;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.UncheckedIOException;
|
import java.io.UncheckedIOException;
|
||||||
import java.net.URLDecoder;
|
|
||||||
import java.nio.charset.StandardCharsets;
|
|
||||||
import java.util.function.Function;
|
import java.util.function.Function;
|
||||||
|
|
||||||
import reactor.core.publisher.Mono;
|
import reactor.core.publisher.Mono;
|
||||||
|
|
||||||
import org.springframework.core.io.ClassPathResource;
|
|
||||||
import org.springframework.core.io.Resource;
|
import org.springframework.core.io.Resource;
|
||||||
import org.springframework.core.io.UrlResource;
|
|
||||||
import org.springframework.http.server.PathContainer;
|
import org.springframework.http.server.PathContainer;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.util.ResourceUtils;
|
import org.springframework.web.reactive.resource.ResourceHandlerUtils;
|
||||||
import org.springframework.util.StringUtils;
|
|
||||||
import org.springframework.web.util.UriUtils;
|
|
||||||
import org.springframework.web.util.pattern.PathPattern;
|
import org.springframework.web.util.pattern.PathPattern;
|
||||||
import org.springframework.web.util.pattern.PathPatternParser;
|
import org.springframework.web.util.pattern.PathPatternParser;
|
||||||
|
|
||||||
|
@ -64,21 +58,14 @@ class PathResourceLookupFunction implements Function<ServerRequest, Mono<Resourc
|
||||||
}
|
}
|
||||||
|
|
||||||
pathContainer = this.pattern.extractPathWithinPattern(pathContainer);
|
pathContainer = this.pattern.extractPathWithinPattern(pathContainer);
|
||||||
String path = processPath(pathContainer.value());
|
String path = ResourceHandlerUtils.normalizeInputPath(pathContainer.value());
|
||||||
if (!StringUtils.hasText(path) || isInvalidPath(path)) {
|
if (ResourceHandlerUtils.shouldIgnoreInputPath(path)) {
|
||||||
return Mono.empty();
|
return Mono.empty();
|
||||||
}
|
}
|
||||||
if (isInvalidEncodedInputPath(path)) {
|
|
||||||
return Mono.empty();
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!(this.location instanceof UrlResource)) {
|
|
||||||
path = UriUtils.decode(path, StandardCharsets.UTF_8);
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Resource resource = this.location.createRelative(path);
|
Resource resource = ResourceHandlerUtils.createRelativeResource(this.location, path);
|
||||||
if (resource.isReadable() && isResourceUnderLocation(resource)) {
|
if (resource.isReadable() && ResourceHandlerUtils.isResourceUnderLocation(this.location, resource)) {
|
||||||
return Mono.just(resource);
|
return Mono.just(resource);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
@ -90,147 +77,6 @@ class PathResourceLookupFunction implements Function<ServerRequest, Mono<Resourc
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Process the given resource path.
|
|
||||||
* <p>The default implementation replaces:
|
|
||||||
* <ul>
|
|
||||||
* <li>Backslash with forward slash.
|
|
||||||
* <li>Duplicate occurrences of slash with a single slash.
|
|
||||||
* <li>Any combination of leading slash and control characters (00-1F and 7F)
|
|
||||||
* with a single "/" or "". For example {@code " / // foo/bar"}
|
|
||||||
* becomes {@code "/foo/bar"}.
|
|
||||||
* </ul>
|
|
||||||
*/
|
|
||||||
protected String processPath(String path) {
|
|
||||||
path = StringUtils.replace(path, "\\", "/");
|
|
||||||
path = cleanDuplicateSlashes(path);
|
|
||||||
return cleanLeadingSlash(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
private String cleanDuplicateSlashes(String path) {
|
|
||||||
StringBuilder sb = null;
|
|
||||||
char prev = 0;
|
|
||||||
for (int i = 0; i < path.length(); i++) {
|
|
||||||
char curr = path.charAt(i);
|
|
||||||
try {
|
|
||||||
if (curr == '/' && prev == '/') {
|
|
||||||
if (sb == null) {
|
|
||||||
sb = new StringBuilder(path.substring(0, i));
|
|
||||||
}
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if (sb != null) {
|
|
||||||
sb.append(path.charAt(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
prev = curr;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (sb != null ? sb.toString() : path);
|
|
||||||
}
|
|
||||||
|
|
||||||
private String cleanLeadingSlash(String path) {
|
|
||||||
boolean slash = false;
|
|
||||||
for (int i = 0; i < path.length(); i++) {
|
|
||||||
if (path.charAt(i) == '/') {
|
|
||||||
slash = true;
|
|
||||||
}
|
|
||||||
else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
|
|
||||||
if (i == 0 || (i == 1 && slash)) {
|
|
||||||
return path;
|
|
||||||
}
|
|
||||||
return (slash ? "/" + path.substring(i) : path.substring(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (slash ? "/" : "");
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isInvalidPath(String path) {
|
|
||||||
if (path.contains("WEB-INF") || path.contains("META-INF")) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
if (path.contains(":/")) {
|
|
||||||
String relativePath = (path.charAt(0) == '/' ? path.substring(1) : path);
|
|
||||||
if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith("url:")) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Check whether the given path contains invalid escape sequences.
|
|
||||||
* @param path the path to validate
|
|
||||||
* @return {@code true} if the path is invalid, {@code false} otherwise
|
|
||||||
*/
|
|
||||||
private boolean isInvalidEncodedInputPath(String path) {
|
|
||||||
if (path.contains("%")) {
|
|
||||||
try {
|
|
||||||
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
|
|
||||||
String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
|
|
||||||
if (isInvalidPath(decodedPath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
decodedPath = processPath(decodedPath);
|
|
||||||
if (isInvalidPath(decodedPath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (IllegalArgumentException ex) {
|
|
||||||
// May not be possible to decode...
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isResourceUnderLocation(Resource resource) throws IOException {
|
|
||||||
if (resource.getClass() != this.location.getClass()) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
String resourcePath;
|
|
||||||
String locationPath;
|
|
||||||
|
|
||||||
if (resource instanceof UrlResource) {
|
|
||||||
resourcePath = resource.getURL().toExternalForm();
|
|
||||||
locationPath = StringUtils.cleanPath(this.location.getURL().toString());
|
|
||||||
}
|
|
||||||
else if (resource instanceof ClassPathResource classPathResource) {
|
|
||||||
resourcePath = classPathResource.getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(((ClassPathResource) this.location).getPath());
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
resourcePath = resource.getURL().getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(this.location.getURL().getPath());
|
|
||||||
}
|
|
||||||
|
|
||||||
if (locationPath.equals(resourcePath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
locationPath = (locationPath.endsWith("/") || locationPath.isEmpty() ? locationPath : locationPath + "/");
|
|
||||||
return (resourcePath.startsWith(locationPath) && !isInvalidEncodedResourcePath(resourcePath));
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isInvalidEncodedResourcePath(String resourcePath) {
|
|
||||||
if (resourcePath.contains("%")) {
|
|
||||||
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
|
|
||||||
try {
|
|
||||||
String decodedPath = URLDecoder.decode(resourcePath, StandardCharsets.UTF_8);
|
|
||||||
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (IllegalArgumentException ex) {
|
|
||||||
// May not be possible to decode...
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return this.pattern + " -> " + this.location;
|
return this.pattern + " -> " + this.location;
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2023 the original author or authors.
|
* Copyright 2002-2024 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -17,22 +17,17 @@
|
||||||
package org.springframework.web.reactive.resource;
|
package org.springframework.web.reactive.resource;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.URLDecoder;
|
|
||||||
import java.nio.charset.StandardCharsets;
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import reactor.core.publisher.Flux;
|
import reactor.core.publisher.Flux;
|
||||||
import reactor.core.publisher.Mono;
|
import reactor.core.publisher.Mono;
|
||||||
|
|
||||||
import org.springframework.core.io.ClassPathResource;
|
|
||||||
import org.springframework.core.io.Resource;
|
import org.springframework.core.io.Resource;
|
||||||
import org.springframework.core.io.UrlResource;
|
|
||||||
import org.springframework.core.log.LogFormatUtils;
|
import org.springframework.core.log.LogFormatUtils;
|
||||||
import org.springframework.lang.Nullable;
|
import org.springframework.lang.Nullable;
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
import org.springframework.web.server.ServerWebExchange;
|
import org.springframework.web.server.ServerWebExchange;
|
||||||
import org.springframework.web.util.UriUtils;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A simple {@code ResourceResolver} that tries to find a resource under the given
|
* A simple {@code ResourceResolver} that tries to find a resource under the given
|
||||||
|
@ -111,10 +106,7 @@ public class PathResourceResolver extends AbstractResourceResolver {
|
||||||
*/
|
*/
|
||||||
protected Mono<Resource> getResource(String resourcePath, Resource location) {
|
protected Mono<Resource> getResource(String resourcePath, Resource location) {
|
||||||
try {
|
try {
|
||||||
if (!(location instanceof UrlResource)) {
|
Resource resource = ResourceHandlerUtils.createRelativeResource(location, resourcePath);
|
||||||
resourcePath = UriUtils.decode(resourcePath, StandardCharsets.UTF_8);
|
|
||||||
}
|
|
||||||
Resource resource = location.createRelative(resourcePath);
|
|
||||||
if (resource.isReadable()) {
|
if (resource.isReadable()) {
|
||||||
if (checkResource(resource, location)) {
|
if (checkResource(resource, location)) {
|
||||||
return Mono.just(resource);
|
return Mono.just(resource);
|
||||||
|
@ -154,12 +146,12 @@ public class PathResourceResolver extends AbstractResourceResolver {
|
||||||
* @return "true" if resource is in a valid location, "false" otherwise
|
* @return "true" if resource is in a valid location, "false" otherwise
|
||||||
*/
|
*/
|
||||||
protected boolean checkResource(Resource resource, Resource location) throws IOException {
|
protected boolean checkResource(Resource resource, Resource location) throws IOException {
|
||||||
if (isResourceUnderLocation(resource, location)) {
|
if (ResourceHandlerUtils.isResourceUnderLocation(location, resource)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
if (getAllowedLocations() != null) {
|
if (getAllowedLocations() != null) {
|
||||||
for (Resource current : getAllowedLocations()) {
|
for (Resource current : getAllowedLocations()) {
|
||||||
if (isResourceUnderLocation(resource, current)) {
|
if (ResourceHandlerUtils.isResourceUnderLocation(current, resource)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -167,50 +159,4 @@ public class PathResourceResolver extends AbstractResourceResolver {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean isResourceUnderLocation(Resource resource, Resource location) throws IOException {
|
|
||||||
if (resource.getClass() != location.getClass()) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
String resourcePath;
|
|
||||||
String locationPath;
|
|
||||||
|
|
||||||
if (resource instanceof UrlResource) {
|
|
||||||
resourcePath = resource.getURL().toExternalForm();
|
|
||||||
locationPath = StringUtils.cleanPath(location.getURL().toString());
|
|
||||||
}
|
|
||||||
else if (resource instanceof ClassPathResource classPathResource) {
|
|
||||||
resourcePath = classPathResource.getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(((ClassPathResource) location).getPath());
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
resourcePath = resource.getURL().getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(location.getURL().getPath());
|
|
||||||
}
|
|
||||||
|
|
||||||
if (locationPath.equals(resourcePath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
locationPath = (locationPath.endsWith("/") || locationPath.isEmpty() ? locationPath : locationPath + "/");
|
|
||||||
return (resourcePath.startsWith(locationPath) && !isInvalidEncodedPath(resourcePath));
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isInvalidEncodedPath(String resourcePath) {
|
|
||||||
if (resourcePath.contains("%")) {
|
|
||||||
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
|
|
||||||
try {
|
|
||||||
String decodedPath = URLDecoder.decode(resourcePath, StandardCharsets.UTF_8);
|
|
||||||
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
|
|
||||||
logger.warn(LogFormatUtils.formatValue(
|
|
||||||
"Resolved resource path contains encoded \"../\" or \"..\\\": " + resourcePath, -1, true));
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (IllegalArgumentException ex) {
|
|
||||||
// May not be possible to decode...
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,231 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2024 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.springframework.web.reactive.resource;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.URLDecoder;
|
||||||
|
import java.nio.charset.StandardCharsets;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
import org.springframework.core.io.ClassPathResource;
|
||||||
|
import org.springframework.core.io.Resource;
|
||||||
|
import org.springframework.core.io.UrlResource;
|
||||||
|
import org.springframework.core.log.LogFormatUtils;
|
||||||
|
import org.springframework.util.ResourceUtils;
|
||||||
|
import org.springframework.util.StringUtils;
|
||||||
|
import org.springframework.web.util.UriUtils;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Resource handling utility methods to share common logic between
|
||||||
|
* {@link ResourceWebHandler} and {@link org.springframework.web.reactive.function.server}.
|
||||||
|
*
|
||||||
|
* @author Rossen Stoyanchev
|
||||||
|
* @since 6.2
|
||||||
|
*/
|
||||||
|
public abstract class ResourceHandlerUtils {
|
||||||
|
|
||||||
|
private static final Log logger = LogFactory.getLog(ResourceHandlerUtils.class);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Normalize the given resource path replacing the following:
|
||||||
|
* <ul>
|
||||||
|
* <li>Backslash with forward slash.
|
||||||
|
* <li>Duplicate occurrences of slash with a single slash.
|
||||||
|
* <li>Any combination of leading slash and control characters (00-1F and 7F)
|
||||||
|
* with a single "/" or "". For example {@code " / // foo/bar"}
|
||||||
|
* becomes {@code "/foo/bar"}.
|
||||||
|
* </ul>
|
||||||
|
*/
|
||||||
|
public static String normalizeInputPath(String path) {
|
||||||
|
path = StringUtils.replace(path, "\\", "/");
|
||||||
|
path = cleanDuplicateSlashes(path);
|
||||||
|
return cleanLeadingSlash(path);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String cleanDuplicateSlashes(String path) {
|
||||||
|
StringBuilder sb = null;
|
||||||
|
char prev = 0;
|
||||||
|
for (int i = 0; i < path.length(); i++) {
|
||||||
|
char curr = path.charAt(i);
|
||||||
|
try {
|
||||||
|
if (curr == '/' && prev == '/') {
|
||||||
|
if (sb == null) {
|
||||||
|
sb = new StringBuilder(path.substring(0, i));
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if (sb != null) {
|
||||||
|
sb.append(path.charAt(i));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
finally {
|
||||||
|
prev = curr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (sb != null ? sb.toString() : path);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String cleanLeadingSlash(String path) {
|
||||||
|
boolean slash = false;
|
||||||
|
for (int i = 0; i < path.length(); i++) {
|
||||||
|
if (path.charAt(i) == '/') {
|
||||||
|
slash = true;
|
||||||
|
}
|
||||||
|
else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
|
||||||
|
if (i == 0 || (i == 1 && slash)) {
|
||||||
|
return path;
|
||||||
|
}
|
||||||
|
return (slash ? "/" + path.substring(i) : path.substring(i));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (slash ? "/" : "");
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether the given input path is invalid as determined by
|
||||||
|
* {@link #isInvalidPath(String)}. The path is also decoded and the same
|
||||||
|
* checks are performed again.
|
||||||
|
*/
|
||||||
|
public static boolean shouldIgnoreInputPath(String path) {
|
||||||
|
return (!StringUtils.hasText(path) || isInvalidPath(path) || isInvalidEncodedPath(path));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks for invalid resource input paths rejecting the following:
|
||||||
|
* <ul>
|
||||||
|
* <li>Paths that contain "WEB-INF" or "META-INF"
|
||||||
|
* <li>Paths that contain "../" after a call to
|
||||||
|
* {@link StringUtils#cleanPath}.
|
||||||
|
* <li>Paths that represent a {@link ResourceUtils#isUrl
|
||||||
|
* valid URL} or would represent one after the leading slash is removed.
|
||||||
|
* </ul>
|
||||||
|
* <p><strong>Note:</strong> this method assumes that leading, duplicate '/'
|
||||||
|
* or control characters (e.g. white space) have been trimmed so that the
|
||||||
|
* path starts predictably with a single '/' or does not have one.
|
||||||
|
* @param path the path to validate
|
||||||
|
* @return {@code true} if the path is invalid, {@code false} otherwise
|
||||||
|
*/
|
||||||
|
public static boolean isInvalidPath(String path) {
|
||||||
|
if (path.contains("WEB-INF") || path.contains("META-INF")) {
|
||||||
|
if (logger.isWarnEnabled()) {
|
||||||
|
logger.warn(LogFormatUtils.formatValue(
|
||||||
|
"Path with \"WEB-INF\" or \"META-INF\": [" + path + "]", -1, true));
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (path.contains(":/")) {
|
||||||
|
String relativePath = (path.charAt(0) == '/' ? path.substring(1) : path);
|
||||||
|
if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith("url:")) {
|
||||||
|
if (logger.isWarnEnabled()) {
|
||||||
|
logger.warn(LogFormatUtils.formatValue(
|
||||||
|
"Path represents URL or has \"url:\" prefix: [" + path + "]", -1, true));
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
|
||||||
|
if (logger.isWarnEnabled()) {
|
||||||
|
logger.warn(LogFormatUtils.formatValue(
|
||||||
|
"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static boolean isInvalidEncodedPath(String path) {
|
||||||
|
if (path.contains("%")) {
|
||||||
|
try {
|
||||||
|
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
|
||||||
|
String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
|
||||||
|
if (isInvalidPath(decodedPath)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
decodedPath = normalizeInputPath(decodedPath);
|
||||||
|
if (isInvalidPath(decodedPath)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (IllegalArgumentException ex) {
|
||||||
|
// May not be possible to decode...
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create a resource relative to the given {@link Resource}, also decoding
|
||||||
|
* the resource path for a {@link UrlResource}.
|
||||||
|
*/
|
||||||
|
public static Resource createRelativeResource(Resource location, String resourcePath) throws IOException {
|
||||||
|
if (!(location instanceof UrlResource)) {
|
||||||
|
resourcePath = UriUtils.decode(resourcePath, StandardCharsets.UTF_8);
|
||||||
|
}
|
||||||
|
return location.createRelative(resourcePath);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check whether the resource is under the given location.
|
||||||
|
*/
|
||||||
|
public static boolean isResourceUnderLocation(Resource location, Resource resource) throws IOException {
|
||||||
|
if (resource.getClass() != location.getClass()) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
String resourcePath;
|
||||||
|
String locationPath;
|
||||||
|
|
||||||
|
if (resource instanceof UrlResource) {
|
||||||
|
resourcePath = resource.getURL().toExternalForm();
|
||||||
|
locationPath = StringUtils.cleanPath(location.getURL().toString());
|
||||||
|
}
|
||||||
|
else if (resource instanceof ClassPathResource classPathResource) {
|
||||||
|
resourcePath = classPathResource.getPath();
|
||||||
|
locationPath = StringUtils.cleanPath(((ClassPathResource) location).getPath());
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
resourcePath = resource.getURL().getPath();
|
||||||
|
locationPath = StringUtils.cleanPath(location.getURL().getPath());
|
||||||
|
}
|
||||||
|
|
||||||
|
if (locationPath.equals(resourcePath)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
locationPath = (locationPath.endsWith("/") || locationPath.isEmpty() ? locationPath : locationPath + "/");
|
||||||
|
return (resourcePath.startsWith(locationPath) && !isInvalidEncodedResourcePath(resourcePath));
|
||||||
|
}
|
||||||
|
|
||||||
|
private static boolean isInvalidEncodedResourcePath(String resourcePath) {
|
||||||
|
if (resourcePath.contains("%")) {
|
||||||
|
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
|
||||||
|
try {
|
||||||
|
String decodedPath = URLDecoder.decode(resourcePath, StandardCharsets.UTF_8);
|
||||||
|
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (IllegalArgumentException ex) {
|
||||||
|
// May not be possible to decode...
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2023 the original author or authors.
|
* Copyright 2002-2024 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -17,8 +17,6 @@
|
||||||
package org.springframework.web.reactive.resource;
|
package org.springframework.web.reactive.resource;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.URLDecoder;
|
|
||||||
import java.nio.charset.StandardCharsets;
|
|
||||||
import java.time.Instant;
|
import java.time.Instant;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
@ -38,7 +36,6 @@ import org.springframework.core.ResolvableType;
|
||||||
import org.springframework.core.codec.Hints;
|
import org.springframework.core.codec.Hints;
|
||||||
import org.springframework.core.io.Resource;
|
import org.springframework.core.io.Resource;
|
||||||
import org.springframework.core.io.ResourceLoader;
|
import org.springframework.core.io.ResourceLoader;
|
||||||
import org.springframework.core.log.LogFormatUtils;
|
|
||||||
import org.springframework.http.CacheControl;
|
import org.springframework.http.CacheControl;
|
||||||
import org.springframework.http.HttpHeaders;
|
import org.springframework.http.HttpHeaders;
|
||||||
import org.springframework.http.HttpMethod;
|
import org.springframework.http.HttpMethod;
|
||||||
|
@ -50,7 +47,6 @@ import org.springframework.lang.Nullable;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.util.CollectionUtils;
|
import org.springframework.util.CollectionUtils;
|
||||||
import org.springframework.util.ObjectUtils;
|
import org.springframework.util.ObjectUtils;
|
||||||
import org.springframework.util.ResourceUtils;
|
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
import org.springframework.web.reactive.HandlerMapping;
|
import org.springframework.web.reactive.HandlerMapping;
|
||||||
import org.springframework.web.server.MethodNotAllowedException;
|
import org.springframework.web.server.MethodNotAllowedException;
|
||||||
|
@ -488,10 +484,7 @@ public class ResourceWebHandler implements WebHandler, InitializingBean {
|
||||||
protected Mono<Resource> getResource(ServerWebExchange exchange) {
|
protected Mono<Resource> getResource(ServerWebExchange exchange) {
|
||||||
String rawPath = getResourcePath(exchange);
|
String rawPath = getResourcePath(exchange);
|
||||||
String path = processPath(rawPath);
|
String path = processPath(rawPath);
|
||||||
if (!StringUtils.hasText(path) || isInvalidPath(path)) {
|
if (ResourceHandlerUtils.shouldIgnoreInputPath(path) || isInvalidPath(path)) {
|
||||||
return Mono.empty();
|
|
||||||
}
|
|
||||||
if (isInvalidEncodedPath(path)) {
|
|
||||||
return Mono.empty();
|
return Mono.empty();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -513,125 +506,18 @@ public class ResourceWebHandler implements WebHandler, InitializingBean {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Process the given resource path.
|
* Process the given resource path.
|
||||||
* <p>The default implementation replaces:
|
* <p>By default, this method delegates to {@link ResourceHandlerUtils#normalizeInputPath}.
|
||||||
* <ul>
|
|
||||||
* <li>Backslash with forward slash.
|
|
||||||
* <li>Duplicate occurrences of slash with a single slash.
|
|
||||||
* <li>Any combination of leading slash and control characters (00-1F and 7F)
|
|
||||||
* with a single "/" or "". For example {@code " / // foo/bar"}
|
|
||||||
* becomes {@code "/foo/bar"}.
|
|
||||||
* </ul>
|
|
||||||
*/
|
*/
|
||||||
protected String processPath(String path) {
|
protected String processPath(String path) {
|
||||||
path = StringUtils.replace(path, "\\", "/");
|
return ResourceHandlerUtils.normalizeInputPath(path);
|
||||||
path = cleanDuplicateSlashes(path);
|
|
||||||
return cleanLeadingSlash(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
private String cleanDuplicateSlashes(String path) {
|
|
||||||
StringBuilder sb = null;
|
|
||||||
char prev = 0;
|
|
||||||
for (int i = 0; i < path.length(); i++) {
|
|
||||||
char curr = path.charAt(i);
|
|
||||||
try {
|
|
||||||
if (curr == '/' && prev == '/') {
|
|
||||||
if (sb == null) {
|
|
||||||
sb = new StringBuilder(path.substring(0, i));
|
|
||||||
}
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if (sb != null) {
|
|
||||||
sb.append(path.charAt(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
prev = curr;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (sb != null ? sb.toString() : path);
|
|
||||||
}
|
|
||||||
|
|
||||||
private String cleanLeadingSlash(String path) {
|
|
||||||
boolean slash = false;
|
|
||||||
for (int i = 0; i < path.length(); i++) {
|
|
||||||
if (path.charAt(i) == '/') {
|
|
||||||
slash = true;
|
|
||||||
}
|
|
||||||
else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
|
|
||||||
if (i == 0 || (i == 1 && slash)) {
|
|
||||||
return path;
|
|
||||||
}
|
|
||||||
return (slash ? "/" + path.substring(i) : path.substring(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (slash ? "/" : "");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check whether the given path contains invalid escape sequences.
|
* Invoked after {@link ResourceHandlerUtils#isInvalidPath(String)}
|
||||||
* @param path the path to validate
|
* to allow subclasses to perform further validation.
|
||||||
* @return {@code true} if the path is invalid, {@code false} otherwise
|
* <p>By default, this method does not perform any validations.
|
||||||
*/
|
|
||||||
private boolean isInvalidEncodedPath(String path) {
|
|
||||||
if (path.contains("%")) {
|
|
||||||
try {
|
|
||||||
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
|
|
||||||
String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
|
|
||||||
if (isInvalidPath(decodedPath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
decodedPath = processPath(decodedPath);
|
|
||||||
if (isInvalidPath(decodedPath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (IllegalArgumentException ex) {
|
|
||||||
// May not be possible to decode...
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Identifies invalid resource paths. By default rejects:
|
|
||||||
* <ul>
|
|
||||||
* <li>Paths that contain "WEB-INF" or "META-INF"
|
|
||||||
* <li>Paths that contain "../" after a call to
|
|
||||||
* {@link StringUtils#cleanPath}.
|
|
||||||
* <li>Paths that represent a {@link ResourceUtils#isUrl
|
|
||||||
* valid URL} or would represent one after the leading slash is removed.
|
|
||||||
* </ul>
|
|
||||||
* <p><strong>Note:</strong> this method assumes that leading, duplicate '/'
|
|
||||||
* or control characters (e.g. white space) have been trimmed so that the
|
|
||||||
* path starts predictably with a single '/' or does not have one.
|
|
||||||
* @param path the path to validate
|
|
||||||
* @return {@code true} if the path is invalid, {@code false} otherwise
|
|
||||||
*/
|
*/
|
||||||
protected boolean isInvalidPath(String path) {
|
protected boolean isInvalidPath(String path) {
|
||||||
if (path.contains("WEB-INF") || path.contains("META-INF")) {
|
|
||||||
if (logger.isWarnEnabled()) {
|
|
||||||
logger.warn(LogFormatUtils.formatValue(
|
|
||||||
"Path with \"WEB-INF\" or \"META-INF\": [" + path + "]", -1, true));
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
if (path.contains(":/")) {
|
|
||||||
String relativePath = (path.charAt(0) == '/' ? path.substring(1) : path);
|
|
||||||
if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith("url:")) {
|
|
||||||
if (logger.isWarnEnabled()) {
|
|
||||||
logger.warn(LogFormatUtils.formatValue(
|
|
||||||
"Path represents URL or has \"url:\" prefix: [" + path + "]", -1, true));
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
|
|
||||||
if (logger.isWarnEnabled()) {
|
|
||||||
logger.warn(LogFormatUtils.formatValue(
|
|
||||||
"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2023 the original author or authors.
|
* Copyright 2002-2024 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -18,19 +18,15 @@ package org.springframework.web.servlet.function;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.UncheckedIOException;
|
import java.io.UncheckedIOException;
|
||||||
import java.net.URLDecoder;
|
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import java.util.Optional;
|
import java.util.Optional;
|
||||||
import java.util.function.Function;
|
import java.util.function.Function;
|
||||||
|
|
||||||
import org.springframework.core.io.ClassPathResource;
|
|
||||||
import org.springframework.core.io.Resource;
|
import org.springframework.core.io.Resource;
|
||||||
import org.springframework.core.io.UrlResource;
|
import org.springframework.core.io.UrlResource;
|
||||||
import org.springframework.http.server.PathContainer;
|
import org.springframework.http.server.PathContainer;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.util.ResourceUtils;
|
import org.springframework.web.servlet.resource.ResourceHandlerUtils;
|
||||||
import org.springframework.util.StringUtils;
|
|
||||||
import org.springframework.web.context.support.ServletContextResource;
|
|
||||||
import org.springframework.web.util.UriUtils;
|
import org.springframework.web.util.UriUtils;
|
||||||
import org.springframework.web.util.pattern.PathPattern;
|
import org.springframework.web.util.pattern.PathPattern;
|
||||||
import org.springframework.web.util.pattern.PathPatternParser;
|
import org.springframework.web.util.pattern.PathPatternParser;
|
||||||
|
@ -66,10 +62,7 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
|
||||||
|
|
||||||
pathContainer = this.pattern.extractPathWithinPattern(pathContainer);
|
pathContainer = this.pattern.extractPathWithinPattern(pathContainer);
|
||||||
String path = processPath(pathContainer.value());
|
String path = processPath(pathContainer.value());
|
||||||
if (!StringUtils.hasText(path) || isInvalidPath(path)) {
|
if (ResourceHandlerUtils.shouldIgnoreInputPath(path)) {
|
||||||
return Optional.empty();
|
|
||||||
}
|
|
||||||
if (isInvalidEncodedInputPath(path)) {
|
|
||||||
return Optional.empty();
|
return Optional.empty();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -79,7 +72,7 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Resource resource = this.location.createRelative(path);
|
Resource resource = this.location.createRelative(path);
|
||||||
if (resource.isReadable() && isResourceUnderLocation(resource)) {
|
if (resource.isReadable() && ResourceHandlerUtils.isResourceUnderLocation(this.location, resource)) {
|
||||||
return Optional.of(resource);
|
return Optional.of(resource);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
@ -93,139 +86,10 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Process the given resource path.
|
* Process the given resource path.
|
||||||
* <p>The default implementation replaces:
|
* <p>By default, this method delegates to {@link ResourceHandlerUtils#normalizeInputPath}.
|
||||||
* <ul>
|
|
||||||
* <li>Backslash with forward slash.
|
|
||||||
* <li>Duplicate occurrences of slash with a single slash.
|
|
||||||
* <li>Any combination of leading slash and control characters (00-1F and 7F)
|
|
||||||
* with a single "/" or "". For example {@code " / // foo/bar"}
|
|
||||||
* becomes {@code "/foo/bar"}.
|
|
||||||
* </ul>
|
|
||||||
*/
|
*/
|
||||||
protected String processPath(String path) {
|
protected String processPath(String path) {
|
||||||
path = StringUtils.replace(path, "\\", "/");
|
return ResourceHandlerUtils.normalizeInputPath(path);
|
||||||
path = cleanDuplicateSlashes(path);
|
|
||||||
return cleanLeadingSlash(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
private String cleanDuplicateSlashes(String path) {
|
|
||||||
StringBuilder sb = null;
|
|
||||||
char prev = 0;
|
|
||||||
for (int i = 0; i < path.length(); i++) {
|
|
||||||
char curr = path.charAt(i);
|
|
||||||
try {
|
|
||||||
if ((curr == '/') && (prev == '/')) {
|
|
||||||
if (sb == null) {
|
|
||||||
sb = new StringBuilder(path.substring(0, i));
|
|
||||||
}
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if (sb != null) {
|
|
||||||
sb.append(path.charAt(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
prev = curr;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return sb != null ? sb.toString() : path;
|
|
||||||
}
|
|
||||||
|
|
||||||
private String cleanLeadingSlash(String path) {
|
|
||||||
boolean slash = false;
|
|
||||||
for (int i = 0; i < path.length(); i++) {
|
|
||||||
if (path.charAt(i) == '/') {
|
|
||||||
slash = true;
|
|
||||||
}
|
|
||||||
else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
|
|
||||||
if (i == 0 || (i == 1 && slash)) {
|
|
||||||
return path;
|
|
||||||
}
|
|
||||||
return (slash ? "/" + path.substring(i) : path.substring(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (slash ? "/" : "");
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isInvalidPath(String path) {
|
|
||||||
if (path.contains("WEB-INF") || path.contains("META-INF")) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
if (path.contains(":/")) {
|
|
||||||
String relativePath = (path.charAt(0) == '/' ? path.substring(1) : path);
|
|
||||||
if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith("url:")) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return path.contains("..") && StringUtils.cleanPath(path).contains("../");
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isInvalidEncodedInputPath(String path) {
|
|
||||||
if (path.contains("%")) {
|
|
||||||
try {
|
|
||||||
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
|
|
||||||
String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
|
|
||||||
if (isInvalidPath(decodedPath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
decodedPath = processPath(decodedPath);
|
|
||||||
if (isInvalidPath(decodedPath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (IllegalArgumentException ex) {
|
|
||||||
// May not be possible to decode...
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isResourceUnderLocation(Resource resource) throws IOException {
|
|
||||||
if (resource.getClass() != this.location.getClass()) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
String resourcePath;
|
|
||||||
String locationPath;
|
|
||||||
|
|
||||||
if (resource instanceof UrlResource) {
|
|
||||||
resourcePath = resource.getURL().toExternalForm();
|
|
||||||
locationPath = StringUtils.cleanPath(this.location.getURL().toString());
|
|
||||||
}
|
|
||||||
else if (resource instanceof ClassPathResource classPathResource) {
|
|
||||||
resourcePath = classPathResource.getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(((ClassPathResource) this.location).getPath());
|
|
||||||
}
|
|
||||||
else if (resource instanceof ServletContextResource servletContextResource) {
|
|
||||||
resourcePath = servletContextResource.getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(((ServletContextResource) this.location).getPath());
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
resourcePath = resource.getURL().getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(this.location.getURL().getPath());
|
|
||||||
}
|
|
||||||
|
|
||||||
if (locationPath.equals(resourcePath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
locationPath = (locationPath.endsWith("/") || locationPath.isEmpty() ? locationPath : locationPath + "/");
|
|
||||||
return (resourcePath.startsWith(locationPath) && !isInvalidEncodedResourcePath(resourcePath));
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isInvalidEncodedResourcePath(String resourcePath) {
|
|
||||||
if (resourcePath.contains("%")) {
|
|
||||||
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
|
|
||||||
try {
|
|
||||||
String decodedPath = URLDecoder.decode(resourcePath, StandardCharsets.UTF_8);
|
|
||||||
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (IllegalArgumentException ex) {
|
|
||||||
// May not be possible to decode...
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2023 the original author or authors.
|
* Copyright 2002-2024 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -17,7 +17,6 @@
|
||||||
package org.springframework.web.servlet.resource;
|
package org.springframework.web.servlet.resource;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.URLDecoder;
|
|
||||||
import java.nio.charset.Charset;
|
import java.nio.charset.Charset;
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
@ -29,14 +28,12 @@ import java.util.StringTokenizer;
|
||||||
|
|
||||||
import jakarta.servlet.http.HttpServletRequest;
|
import jakarta.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
import org.springframework.core.io.ClassPathResource;
|
|
||||||
import org.springframework.core.io.Resource;
|
import org.springframework.core.io.Resource;
|
||||||
import org.springframework.core.io.UrlResource;
|
import org.springframework.core.io.UrlResource;
|
||||||
import org.springframework.core.log.LogFormatUtils;
|
import org.springframework.core.log.LogFormatUtils;
|
||||||
import org.springframework.http.server.PathContainer;
|
import org.springframework.http.server.PathContainer;
|
||||||
import org.springframework.lang.Nullable;
|
import org.springframework.lang.Nullable;
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
import org.springframework.web.context.support.ServletContextResource;
|
|
||||||
import org.springframework.web.util.ServletRequestPathUtils;
|
import org.springframework.web.util.ServletRequestPathUtils;
|
||||||
import org.springframework.web.util.UriUtils;
|
import org.springframework.web.util.UriUtils;
|
||||||
import org.springframework.web.util.UrlPathHelper;
|
import org.springframework.web.util.UrlPathHelper;
|
||||||
|
@ -214,13 +211,13 @@ public class PathResourceResolver extends AbstractResourceResolver {
|
||||||
* @since 4.1.2
|
* @since 4.1.2
|
||||||
*/
|
*/
|
||||||
protected boolean checkResource(Resource resource, Resource location) throws IOException {
|
protected boolean checkResource(Resource resource, Resource location) throws IOException {
|
||||||
if (isResourceUnderLocation(resource, location)) {
|
if (ResourceHandlerUtils.isResourceUnderLocation(location, resource)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
Resource[] allowedLocations = getAllowedLocations();
|
Resource[] allowedLocations = getAllowedLocations();
|
||||||
if (allowedLocations != null) {
|
if (allowedLocations != null) {
|
||||||
for (Resource current : allowedLocations) {
|
for (Resource current : allowedLocations) {
|
||||||
if (isResourceUnderLocation(resource, current)) {
|
if (ResourceHandlerUtils.isResourceUnderLocation(current, resource)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -228,38 +225,6 @@ public class PathResourceResolver extends AbstractResourceResolver {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean isResourceUnderLocation(Resource resource, Resource location) throws IOException {
|
|
||||||
if (resource.getClass() != location.getClass()) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
String resourcePath;
|
|
||||||
String locationPath;
|
|
||||||
|
|
||||||
if (resource instanceof UrlResource) {
|
|
||||||
resourcePath = resource.getURL().toExternalForm();
|
|
||||||
locationPath = StringUtils.cleanPath(location.getURL().toString());
|
|
||||||
}
|
|
||||||
else if (resource instanceof ClassPathResource classPathResource) {
|
|
||||||
resourcePath = classPathResource.getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(((ClassPathResource) location).getPath());
|
|
||||||
}
|
|
||||||
else if (resource instanceof ServletContextResource servletContextResource) {
|
|
||||||
resourcePath = servletContextResource.getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(((ServletContextResource) location).getPath());
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
resourcePath = resource.getURL().getPath();
|
|
||||||
locationPath = StringUtils.cleanPath(location.getURL().getPath());
|
|
||||||
}
|
|
||||||
|
|
||||||
if (locationPath.equals(resourcePath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
locationPath = (locationPath.endsWith("/") || locationPath.isEmpty() ? locationPath : locationPath + "/");
|
|
||||||
return (resourcePath.startsWith(locationPath) && !isInvalidEncodedPath(resourcePath));
|
|
||||||
}
|
|
||||||
|
|
||||||
private String encodeOrDecodeIfNecessary(String path, @Nullable HttpServletRequest request, Resource location) {
|
private String encodeOrDecodeIfNecessary(String path, @Nullable HttpServletRequest request, Resource location) {
|
||||||
if (request != null) {
|
if (request != null) {
|
||||||
boolean usesPathPattern = (
|
boolean usesPathPattern = (
|
||||||
|
@ -305,22 +270,4 @@ public class PathResourceResolver extends AbstractResourceResolver {
|
||||||
this.urlPathHelper != null && this.urlPathHelper.isUrlDecode());
|
this.urlPathHelper != null && this.urlPathHelper.isUrlDecode());
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean isInvalidEncodedPath(String resourcePath) {
|
|
||||||
if (resourcePath.contains("%")) {
|
|
||||||
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
|
|
||||||
try {
|
|
||||||
String decodedPath = URLDecoder.decode(resourcePath, StandardCharsets.UTF_8);
|
|
||||||
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
|
|
||||||
logger.warn(LogFormatUtils.formatValue(
|
|
||||||
"Resolved resource path contains encoded \"../\" or \"..\\\": " + resourcePath, -1, true));
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (IllegalArgumentException ex) {
|
|
||||||
// May not be possible to decode...
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,231 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2024 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.springframework.web.servlet.resource;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.URLDecoder;
|
||||||
|
import java.nio.charset.StandardCharsets;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
import org.springframework.core.io.ClassPathResource;
|
||||||
|
import org.springframework.core.io.Resource;
|
||||||
|
import org.springframework.core.io.UrlResource;
|
||||||
|
import org.springframework.core.log.LogFormatUtils;
|
||||||
|
import org.springframework.util.ResourceUtils;
|
||||||
|
import org.springframework.util.StringUtils;
|
||||||
|
import org.springframework.web.context.support.ServletContextResource;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Resource handling utility methods to share common logic between
|
||||||
|
* {@link ResourceHttpRequestHandler} and {@link org.springframework.web.servlet.function}.
|
||||||
|
*
|
||||||
|
* @author Rossen Stoyanchev
|
||||||
|
* @since 6.2
|
||||||
|
*/
|
||||||
|
public abstract class ResourceHandlerUtils {
|
||||||
|
|
||||||
|
private static final Log logger = LogFactory.getLog(ResourceHandlerUtils.class);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Normalize the given resource path replacing the following:
|
||||||
|
* <ul>
|
||||||
|
* <li>Backslash with forward slash.
|
||||||
|
* <li>Duplicate occurrences of slash with a single slash.
|
||||||
|
* <li>Any combination of leading slash and control characters (00-1F and 7F)
|
||||||
|
* with a single "/" or "". For example {@code " / // foo/bar"}
|
||||||
|
* becomes {@code "/foo/bar"}.
|
||||||
|
* </ul>
|
||||||
|
*/
|
||||||
|
public static String normalizeInputPath(String path) {
|
||||||
|
path = StringUtils.replace(path, "\\", "/");
|
||||||
|
path = cleanDuplicateSlashes(path);
|
||||||
|
return cleanLeadingSlash(path);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String cleanDuplicateSlashes(String path) {
|
||||||
|
StringBuilder sb = null;
|
||||||
|
char prev = 0;
|
||||||
|
for (int i = 0; i < path.length(); i++) {
|
||||||
|
char curr = path.charAt(i);
|
||||||
|
try {
|
||||||
|
if ((curr == '/') && (prev == '/')) {
|
||||||
|
if (sb == null) {
|
||||||
|
sb = new StringBuilder(path.substring(0, i));
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if (sb != null) {
|
||||||
|
sb.append(path.charAt(i));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
finally {
|
||||||
|
prev = curr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (sb != null ? sb.toString() : path);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String cleanLeadingSlash(String path) {
|
||||||
|
boolean slash = false;
|
||||||
|
for (int i = 0; i < path.length(); i++) {
|
||||||
|
if (path.charAt(i) == '/') {
|
||||||
|
slash = true;
|
||||||
|
}
|
||||||
|
else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
|
||||||
|
if (i == 0 || (i == 1 && slash)) {
|
||||||
|
return path;
|
||||||
|
}
|
||||||
|
return (slash ? "/" + path.substring(i) : path.substring(i));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (slash ? "/" : "");
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether the given input path is invalid as determined by
|
||||||
|
* {@link #isInvalidPath(String)}. The path is also decoded and the same
|
||||||
|
* checks are performed again.
|
||||||
|
*/
|
||||||
|
public static boolean shouldIgnoreInputPath(String path) {
|
||||||
|
return (!StringUtils.hasText(path) || isInvalidPath(path) || isInvalidEncodedPath(path));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks for invalid resource input paths rejecting the following:
|
||||||
|
* <ul>
|
||||||
|
* <li>Paths that contain "WEB-INF" or "META-INF"
|
||||||
|
* <li>Paths that contain "../" after a call to
|
||||||
|
* {@link org.springframework.util.StringUtils#cleanPath}.
|
||||||
|
* <li>Paths that represent a {@link org.springframework.util.ResourceUtils#isUrl
|
||||||
|
* valid URL} or would represent one after the leading slash is removed.
|
||||||
|
* </ul>
|
||||||
|
* <p><strong>Note:</strong> this method assumes that leading, duplicate '/'
|
||||||
|
* or control characters (e.g. white space) have been trimmed so that the
|
||||||
|
* path starts predictably with a single '/' or does not have one.
|
||||||
|
* @param path the path to validate
|
||||||
|
* @return {@code true} if the path is invalid, {@code false} otherwise
|
||||||
|
*/
|
||||||
|
public static boolean isInvalidPath(String path) {
|
||||||
|
if (path.contains("WEB-INF") || path.contains("META-INF")) {
|
||||||
|
if (logger.isWarnEnabled()) {
|
||||||
|
logger.warn(LogFormatUtils.formatValue(
|
||||||
|
"Path with \"WEB-INF\" or \"META-INF\": [" + path + "]", -1, true));
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (path.contains(":/")) {
|
||||||
|
String relativePath = (path.charAt(0) == '/' ? path.substring(1) : path);
|
||||||
|
if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith("url:")) {
|
||||||
|
if (logger.isWarnEnabled()) {
|
||||||
|
logger.warn(LogFormatUtils.formatValue(
|
||||||
|
"Path represents URL or has \"url:\" prefix: [" + path + "]", -1, true));
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
|
||||||
|
if (logger.isWarnEnabled()) {
|
||||||
|
logger.warn(LogFormatUtils.formatValue(
|
||||||
|
"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check whether the given path contains invalid escape sequences.
|
||||||
|
* @param path the path to validate
|
||||||
|
* @return {@code true} if the path is invalid, {@code false} otherwise
|
||||||
|
*/
|
||||||
|
private static boolean isInvalidEncodedPath(String path) {
|
||||||
|
if (path.contains("%")) {
|
||||||
|
try {
|
||||||
|
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
|
||||||
|
String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
|
||||||
|
if (isInvalidPath(decodedPath)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
decodedPath = normalizeInputPath(decodedPath);
|
||||||
|
if (isInvalidPath(decodedPath)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (IllegalArgumentException ex) {
|
||||||
|
// May not be possible to decode...
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check whether the resource is under the given location.
|
||||||
|
*/
|
||||||
|
public static boolean isResourceUnderLocation(Resource location, Resource resource) throws IOException {
|
||||||
|
if (resource.getClass() != location.getClass()) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
String resourcePath;
|
||||||
|
String locationPath;
|
||||||
|
|
||||||
|
if (resource instanceof UrlResource) {
|
||||||
|
resourcePath = resource.getURL().toExternalForm();
|
||||||
|
locationPath = StringUtils.cleanPath(location.getURL().toString());
|
||||||
|
}
|
||||||
|
else if (resource instanceof ClassPathResource classPathResource) {
|
||||||
|
resourcePath = classPathResource.getPath();
|
||||||
|
locationPath = StringUtils.cleanPath(((ClassPathResource) location).getPath());
|
||||||
|
}
|
||||||
|
else if (resource instanceof ServletContextResource servletContextResource) {
|
||||||
|
resourcePath = servletContextResource.getPath();
|
||||||
|
locationPath = StringUtils.cleanPath(((ServletContextResource) location).getPath());
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
resourcePath = resource.getURL().getPath();
|
||||||
|
locationPath = StringUtils.cleanPath(location.getURL().getPath());
|
||||||
|
}
|
||||||
|
|
||||||
|
if (locationPath.equals(resourcePath)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
locationPath = (locationPath.endsWith("/") || locationPath.isEmpty() ? locationPath : locationPath + "/");
|
||||||
|
return (resourcePath.startsWith(locationPath) && !isInvalidEncodedResourcePath(resourcePath));
|
||||||
|
}
|
||||||
|
|
||||||
|
private static boolean isInvalidEncodedResourcePath(String resourcePath) {
|
||||||
|
if (resourcePath.contains("%")) {
|
||||||
|
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
|
||||||
|
try {
|
||||||
|
String decodedPath = URLDecoder.decode(resourcePath, StandardCharsets.UTF_8);
|
||||||
|
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
|
||||||
|
logger.warn(LogFormatUtils.formatValue(
|
||||||
|
"Resolved resource path contains encoded \"../\" or \"..\\\": " + resourcePath, -1, true));
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (IllegalArgumentException ex) {
|
||||||
|
// May not be possible to decode...
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -17,9 +17,7 @@
|
||||||
package org.springframework.web.servlet.resource;
|
package org.springframework.web.servlet.resource;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.URLDecoder;
|
|
||||||
import java.nio.charset.Charset;
|
import java.nio.charset.Charset;
|
||||||
import java.nio.charset.StandardCharsets;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -38,7 +36,6 @@ import org.springframework.context.ApplicationContext;
|
||||||
import org.springframework.context.EmbeddedValueResolverAware;
|
import org.springframework.context.EmbeddedValueResolverAware;
|
||||||
import org.springframework.core.io.Resource;
|
import org.springframework.core.io.Resource;
|
||||||
import org.springframework.core.io.UrlResource;
|
import org.springframework.core.io.UrlResource;
|
||||||
import org.springframework.core.log.LogFormatUtils;
|
|
||||||
import org.springframework.http.HttpHeaders;
|
import org.springframework.http.HttpHeaders;
|
||||||
import org.springframework.http.HttpMethod;
|
import org.springframework.http.HttpMethod;
|
||||||
import org.springframework.http.HttpRange;
|
import org.springframework.http.HttpRange;
|
||||||
|
@ -52,7 +49,6 @@ import org.springframework.lang.Nullable;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.util.CollectionUtils;
|
import org.springframework.util.CollectionUtils;
|
||||||
import org.springframework.util.ObjectUtils;
|
import org.springframework.util.ObjectUtils;
|
||||||
import org.springframework.util.ResourceUtils;
|
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
import org.springframework.util.StringValueResolver;
|
import org.springframework.util.StringValueResolver;
|
||||||
import org.springframework.web.HttpRequestHandler;
|
import org.springframework.web.HttpRequestHandler;
|
||||||
|
@ -641,10 +637,7 @@ public class ResourceHttpRequestHandler extends WebContentGenerator
|
||||||
protected Resource getResource(HttpServletRequest request) throws IOException {
|
protected Resource getResource(HttpServletRequest request) throws IOException {
|
||||||
String path = getPath(request);
|
String path = getPath(request);
|
||||||
path = processPath(path);
|
path = processPath(path);
|
||||||
if (!StringUtils.hasText(path) || isInvalidPath(path)) {
|
if (ResourceHandlerUtils.shouldIgnoreInputPath(path) || isInvalidPath(path)) {
|
||||||
return null;
|
|
||||||
}
|
|
||||||
if (isInvalidEncodedPath(path)) {
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -669,127 +662,19 @@ public class ResourceHttpRequestHandler extends WebContentGenerator
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Process the given resource path.
|
* Process the given resource path.
|
||||||
* <p>The default implementation replaces:
|
* <p>By default, this method delegates to {@link ResourceHandlerUtils#normalizeInputPath}.
|
||||||
* <ul>
|
|
||||||
* <li>Backslash with forward slash.
|
|
||||||
* <li>Duplicate occurrences of slash with a single slash.
|
|
||||||
* <li>Any combination of leading slash and control characters (00-1F and 7F)
|
|
||||||
* with a single "/" or "". For example {@code " / // foo/bar"}
|
|
||||||
* becomes {@code "/foo/bar"}.
|
|
||||||
* </ul>
|
|
||||||
* @since 3.2.12
|
* @since 3.2.12
|
||||||
*/
|
*/
|
||||||
protected String processPath(String path) {
|
protected String processPath(String path) {
|
||||||
path = StringUtils.replace(path, "\\", "/");
|
return ResourceHandlerUtils.normalizeInputPath(path);
|
||||||
path = cleanDuplicateSlashes(path);
|
|
||||||
return cleanLeadingSlash(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
private String cleanDuplicateSlashes(String path) {
|
|
||||||
StringBuilder sb = null;
|
|
||||||
char prev = 0;
|
|
||||||
for (int i = 0; i < path.length(); i++) {
|
|
||||||
char curr = path.charAt(i);
|
|
||||||
try {
|
|
||||||
if ((curr == '/') && (prev == '/')) {
|
|
||||||
if (sb == null) {
|
|
||||||
sb = new StringBuilder(path.substring(0, i));
|
|
||||||
}
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if (sb != null) {
|
|
||||||
sb.append(path.charAt(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
prev = curr;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (sb != null ? sb.toString() : path);
|
|
||||||
}
|
|
||||||
|
|
||||||
private String cleanLeadingSlash(String path) {
|
|
||||||
boolean slash = false;
|
|
||||||
for (int i = 0; i < path.length(); i++) {
|
|
||||||
if (path.charAt(i) == '/') {
|
|
||||||
slash = true;
|
|
||||||
}
|
|
||||||
else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
|
|
||||||
if (i == 0 || (i == 1 && slash)) {
|
|
||||||
return path;
|
|
||||||
}
|
|
||||||
return (slash ? "/" + path.substring(i) : path.substring(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (slash ? "/" : "");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check whether the given path contains invalid escape sequences.
|
* Invoked after {@link ResourceHandlerUtils#isInvalidPath(String)}
|
||||||
* @param path the path to validate
|
* to allow subclasses to perform further validation.
|
||||||
* @return {@code true} if the path is invalid, {@code false} otherwise
|
* <p>By default, this method does not perform any validations.
|
||||||
*/
|
|
||||||
private boolean isInvalidEncodedPath(String path) {
|
|
||||||
if (path.contains("%")) {
|
|
||||||
try {
|
|
||||||
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
|
|
||||||
String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
|
|
||||||
if (isInvalidPath(decodedPath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
decodedPath = processPath(decodedPath);
|
|
||||||
if (isInvalidPath(decodedPath)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (IllegalArgumentException ex) {
|
|
||||||
// May not be possible to decode...
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Identifies invalid resource paths. By default, rejects:
|
|
||||||
* <ul>
|
|
||||||
* <li>Paths that contain "WEB-INF" or "META-INF"
|
|
||||||
* <li>Paths that contain "../" after a call to
|
|
||||||
* {@link org.springframework.util.StringUtils#cleanPath}.
|
|
||||||
* <li>Paths that represent a {@link org.springframework.util.ResourceUtils#isUrl
|
|
||||||
* valid URL} or would represent one after the leading slash is removed.
|
|
||||||
* </ul>
|
|
||||||
* <p><strong>Note:</strong> this method assumes that leading, duplicate '/'
|
|
||||||
* or control characters (e.g. white space) have been trimmed so that the
|
|
||||||
* path starts predictably with a single '/' or does not have one.
|
|
||||||
* @param path the path to validate
|
|
||||||
* @return {@code true} if the path is invalid, {@code false} otherwise
|
|
||||||
* @since 3.0.6
|
|
||||||
*/
|
*/
|
||||||
protected boolean isInvalidPath(String path) {
|
protected boolean isInvalidPath(String path) {
|
||||||
if (path.contains("WEB-INF") || path.contains("META-INF")) {
|
|
||||||
if (logger.isWarnEnabled()) {
|
|
||||||
logger.warn(LogFormatUtils.formatValue(
|
|
||||||
"Path with \"WEB-INF\" or \"META-INF\": [" + path + "]", -1, true));
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
if (path.contains(":/")) {
|
|
||||||
String relativePath = (path.charAt(0) == '/' ? path.substring(1) : path);
|
|
||||||
if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith("url:")) {
|
|
||||||
if (logger.isWarnEnabled()) {
|
|
||||||
logger.warn(LogFormatUtils.formatValue(
|
|
||||||
"Path represents URL or has \"url:\" prefix: [" + path + "]", -1, true));
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
|
|
||||||
if (logger.isWarnEnabled()) {
|
|
||||||
logger.warn(LogFormatUtils.formatValue(
|
|
||||||
"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue