From 030e9d00125cbd1ad759668f85488aba1019c668 Mon Sep 17 00:00:00 2001
From: Per Wendel
Date: Wed, 7 Mar 2018 14:43:02 +0100
Subject: [PATCH] Fix for #981, patch 2 (#988)
---
 .../spark/resource/ClassPathResource.java | 30 +++++++++++++++----
 .../jetty/EmbeddedJettyFactoryTest.java | 26 ++++++++++------
 .../staticresources/StaticResources.java | 4 +--
 3 files changed, 44 insertions(+), 16 deletions(-)
diff --git a/src/main/java/spark/resource/ClassPathResource.java b/src/main/java/spark/resource/ClassPathResource.java
index dd8ba97770..e4b19f522d 100644
--- a/src/main/java/spark/resource/ClassPathResource.java
+++ b/src/main/java/spark/resource/ClassPathResource.java
@@ -23,6 +23,7 @@
 import spark.utils.Assert;
 import spark.utils.ClassUtils;
+import spark.utils.ResourceUtils;
 import spark.utils.StringUtils;
 /**
@@ -74,7 +75,7 @@ public ClassPathResource(String path) {
 */
 public ClassPathResource(String path, ClassLoader classLoader) {
 Assert.notNull(path, "Path must not be null");
- Assert.state(doesNotContainFileColon(path), "Path must not contain 'file:'");
+ Assert.isTrue(isValid(path), "Path is not valid");
 String pathToUse = StringUtils.cleanPath(path);
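Review bot: The swap from `Assert.state` to `Assert.isTrue` on the path check in the two-argument `ClassPathResource` constructor probably changes the exception type a rejected path raises, and nothing in the hunk documents it; if `spark.utils.Assert` follows the usual convention, `IllegalStateException` becomes `IllegalArgumentException`. Any caller that builds a `ClassPathResource` from a request path has to handle the new type and turn it into a not-found response rather than a server error; those catch sites are outside this diff, so this needs confirming. I would add `@throws IllegalArgumentException if the path fails validation` to the constructor Javadoc, which starts above the hunk, and note that the constructor body continues past the hunk's last line.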
@@ -86,8 +87,27 @@ public ClassPathResource(String path, ClassLoader classLoader) {
 this.classLoader = (classLoader != null ? classLoader : ClassUtils.getDefaultClassLoader());
 }
- private static boolean doesNotContainFileColon(String path) {
- return !path.contains("file:");
+ private static boolean isValid(final String path) {
+ return !isInvalidPath(path);
+ }
+
+ private static boolean isInvalidPath(String path) {
+ if (path.contains("WEB-INF") || path.contains("META-INF")) {
+ return true;
+ }
+ if (path.contains(":/")) {
+ String relativePath = (path.charAt(0) == '/' ? path.substring(1) : path);
+ if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith("url:")) {
+ return true;
+ }
+ }
+ if (path.contains("")) {
+ path = StringUtils.cleanPath(path);
+ if (path.contains("../")) {
+ return true;
+ }
+ }
+ return false;
 }
 /**
@@ -236,8 +256,8 @@ public boolean equals(Object obj) {
 ClassLoader otherLoader = otherRes.classLoader;
 return (this.path.equals(otherRes.path) &&
- thisLoader.equals(otherLoader) &&
- this.clazz.equals(otherRes.clazz));
+ thisLoader.equals(otherLoader) &&
+ this.clazz.equals(otherRes.clazz));
 }
 return false;
 }
diff --git a/src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java b/src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java
index bf57529635..341bf3de4e 100644
--- a/src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java
+++ b/src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java
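Review bot: In `isInvalidPath` (ClassPathResource.java) the guard `if (path.contains(""))` is always true, because every string contains the empty string, so it reads like a lost `".."` literal. As written, every path is cleaned before the `../` test, which errs on the safe side, but the condition should say what it means: `if (path.contains("..")) {`, or no condition at all. The removed `doesNotContainFileColon` check rejected any path containing `file:`, whereas the new URL branch only runs when the path contains `:/`, so the new rule is narrower for that prefix; whether the narrower form matters for classpath lookup is not visible in this diff and is worth pinning with a test. The `WEB-INF`/`META-INF` check is a case-sensitive substring match on the path as passed in, so it should be confirmed that the value is already URL-decoded when it reaches this constructor. The diffstat lists no test for the new validation; a unit test with one case per rejected form would keep these rules from regressing.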
@@ -4,13 +4,19 @@
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.junit.After;
 import org.junit.Test;
+
 import spark.embeddedserver.EmbeddedServer;
 import spark.route.Routes;
 import spark.staticfiles.StaticFilesConfiguration;
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
 public class EmbeddedJettyFactoryTest {
+
 private EmbeddedServer embeddedServer;
 @Test
@@ -19,14 +25,14 @@ public void create() throws Exception {
 final StaticFilesConfiguration staticFilesConfiguration = mock(StaticFilesConfiguration.class);
 final Routes routes = mock(Routes.class);
- when(jettyServerFactory.create(100,10,10000)).thenReturn(new Server());
+ when(jettyServerFactory.create(100, 10, 10000)).thenReturn(new Server());
 final EmbeddedJettyFactory embeddedJettyFactory = new EmbeddedJettyFactory(jettyServerFactory);
 embeddedServer = embeddedJettyFactory.create(routes, staticFilesConfiguration, false);
- embeddedServer.ignite("localhost", 8080, null, 100,10,10000);
+ embeddedServer.ignite("localhost", 6757, null, 100, 10, 10000);
- verify(jettyServerFactory, times(1)).create(100,10,10000);
+ verify(jettyServerFactory, times(1)).create(100, 10, 10000);
 verifyNoMoreInteractions(jettyServerFactory);
 }
@@ -42,7 +48,7 @@ public void create_withThreadPool() throws Exception {
 final EmbeddedJettyFactory embeddedJettyFactory = new EmbeddedJettyFactory(jettyServerFactory).withThreadPool(threadPool);
 embeddedServer = embeddedJettyFactory.create(routes, staticFilesConfiguration, false);
- embeddedServer.ignite("localhost", 8080, null, 0,0,0);
+ embeddedServer.ignite("localhost", 6758, null, 0, 0, 0);
 verify(jettyServerFactory, times(1)).create(threadPool);
 verifyNoMoreInteractions(jettyServerFactory);
@@ -54,19 +60,21 @@ public void create_withNullThreadPool() throws Exception {
 final StaticFilesConfiguration staticFilesConfiguration = mock(StaticFilesConfiguration.class);
 final Routes routes = mock(Routes.class);
- when(jettyServerFactory.create(100,10,10000)).thenReturn(new Server());
+ when(jettyServerFactory.create(100, 10, 10000)).thenReturn(new Server());
 final EmbeddedJettyFactory embeddedJettyFactory = new EmbeddedJettyFactory(jettyServerFactory).withThreadPool(null);
 embeddedServer = embeddedJettyFactory.create(routes, staticFilesConfiguration, false);
- embeddedServer.ignite("localhost", 8080, null, 100,10,10000);
+ embeddedServer.ignite("localhost", 6759, null, 100, 10, 10000);
- verify(jettyServerFactory, times(1)).create(100,10,10000);
+ verify(jettyServerFactory, times(1)).create(100, 10, 10000);
 verifyNoMoreInteractions(jettyServerFactory);
 }
 @After
 public void tearDown() throws Exception {
- if(embeddedServer != null) embeddedServer.extinguish();
+ if (embeddedServer != null) {
+ embeddedServer.extinguish();
+ }
 }
 }
diff --git a/src/test/java/spark/examples/staticresources/StaticResources.java b/src/test/java/spark/examples/staticresources/StaticResources.java
index cacd93e0d8..09168141e5 100644
--- a/src/test/java/spark/examples/staticresources/StaticResources.java
+++ b/src/test/java/spark/examples/staticresources/StaticResources.java
@@ -17,7 +17,7 @@
 package spark.examples.staticresources;
 import static spark.Spark.get;
-import static spark.Spark.staticFileLocation;
+import static spark.Spark.staticFiles;
 /**
 * Example showing how serve static resources.
@@ -27,7 +27,7 @@ public class StaticResources {
 public static void main(String[] args) {
 // Will serve all static file are under "/public" in classpath if the route isn't consumed by others routes.
- staticFileLocation("/public");
+ staticFiles.location("/public");
 get("/hello", (request, response) -> {
 return "Hello World!";