WW-5645 Canonicalise static content paths and remove redundant URL decode#1777
WW-5645 Canonicalise static content paths and remove redundant URL decode#1777arunmanni-ai wants to merge 19 commits into
Conversation
|
Thanks for this. Dropping the second A few things I'd tighten — happy for you to handle them here, or I can file a WW ticket and pick them up in a follow-up, whichever you prefer:
Overall a good cleanup — mostly about making the guard precise and consistent with what the WebJar resolver already does. |
|
Thanks again — pushed two commits addressing points 1, 3, and the Locale import part of 4 (per-segment matching in Still to follow in one more commit:
Will update this thread once that's up. |
|
Thanks for the quick turnaround — both changes look good:
Two optional nits, non-blocking:
Neither blocks; happy with the direction. |
|
Pushed the two nits — indentation on the validateStaticContentPath closing brace, and removed the unused encoding field/setter from DefaultStaticContentLoader. Working on the canonicalize approach for point 2 now (wiring the resolved path through buildPath()/split() rather than just validating and discarding it, so it'll take a bit more care to getright). Would appreciate holding off on merging until that's up —should have it here soon. |
|
I replaced the denylist with a canonicalise-then-verify approach. containsMalformedPathSegment is now canonicalisePath, which normalises the path (resolves . and .., converts \ to /) and returns Optional.empty() if it escapes above root. Both findStaticResource and the WebJar split() now use the canonical form for downstream lookups. Dropped the %2e denylist and its test, and removed the now-dead setEncoding call from the test setUp. All four points addressed -- ready for review when you get a chance. |
|
Fixed the build failure — removed stale |
|
Hi @lukaszlenart, The CI failures are from two new tests I added for encoded traversal ( I'm planning to add a check at the top of Wanted to check with you first — does that approach align with the design intent, or would you prefer handling it differently? |
|
Hi @arunmanni-ai — thanks for checking first. I'd hold off on the I ran the two failing tests plus the loader-level one to be sure of the behaviour:
So there's no traversal to defend against — the old Why not add
Suggested resolution, in order of preference:
Either is fine by me; I'd just avoid putting a denylist back into the normaliser. |
…to-end 404 already covered
|
Makes sense, thanks for the detailed walkthrough. Went with option 1 — removed both tests since the end-to-end 404 via |
The
buildPath()method inDefaultStaticContentLoaderappliedURLDecoder.decode()to resource paths that the servlet container had already decoded. This redundant decode conflicted with the servlet spec's path-handling contract.This patch:
URLDecoder.decode()call frombuildPath()and drops the now-unusedencodingfield and its setterValidator.canonicalisePath()utility that normalises the path (resolves.and.., converts\to/) and returnsOptional.empty()when the resolved path escapes above rootfindStaticResource()and the WebJarsplit()so downstream lookups use the normalised formRequestUtils.getServletPath()