
resources - provided extension point on ResourcesRoute constructor allowing to override behaviour forbidding usage of / baseResourcePath, in case someone would like to serve resources from root classpath, even if this is not advised from a security standpoint
fcamblor committed Aug 28, 2017
1 parent 9effdfd commit 16a49510b1a89eaa7c5c36c7b21eeeaf16e4f72f
Showing with 14 additions and 5 deletions.
  1. +14 −5 restx-core/src/main/java/restx/ResourcesRoute.java
@@ -91,15 +91,24 @@ public ResourcesRoute(String name, String baseRestPath, String baseResourcePath,
public ResourcesRoute(String name, String baseRestPath, String baseResourcePath, ImmutableMap<String, String> aliases, List<CachedResourcePolicy> cachedResourcePolicies) {
this.name = checkNotNull(name);
this.baseRestPath = ("/" + checkNotNull(baseRestPath) + "/").replaceAll("/+", "/");
this.baseResourcePath = checkNotNull(baseResourcePath)
.replace('.', '/').replaceAll("^/", "").replaceAll("/$", "") + "/";
if("/".equals(this.baseResourcePath)){
throw new IllegalArgumentException("Please, avoid using '/' as ResourcesRoute's baseResourcePath as it represents serious security flaws (people will be able to read your classpath configuration files)");
}
this.baseResourcePath = this.ensureBaseResourcePathValid(baseResourcePath);
this.aliases = checkNotNull(aliases);
this.cachedResourcePolicies = ImmutableList.copyOf(cachedResourcePolicies);
}
protected String ensureBaseResourcePathValid(String baseResourcePath) {
String escapedBaseResourcePath = checkNotNull(baseResourcePath)
.replace('.', '/')
.replaceAll("^/", "")
.replaceAll("/$", "") + "/";
if("/".equals(escapedBaseResourcePath)){
throw new IllegalArgumentException("Please, avoid using '/' as ResourcesRoute's baseResourcePath as it represents serious security flaws (people will be able to read your classpath configuration files)");
}
return escapedBaseResourcePath;
}
@Override
public Optional<RestxHandlerMatch> match(RestxRequest req) {
if (req.getHttpMethod().equals("GET") && req.getRestxPath().startsWith(baseRestPath)) {
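Review bot: `ensureBaseResourcePathValid` is an overridable method called from the constructor, and it bundles the path normalisation with the root-classpath guard, so a subclass that overrides it to permit `/` must also re-implement the `.`-to-`/` conversion and slash trimming, and its override runs before the subclass's own fields are initialised. Consider keeping the normalisation in a private helper and exposing only the policy decision, e.g. `protected boolean allowRootBaseResourcePath() { return false; }` checked as `if ("/".equals(normalized) && !allowRootBaseResourcePath())`. Whichever shape is kept, the method needs a Javadoc stating that overriding it removes the protection against serving classpath configuration files and that it is invoked during construction. Separately, the guard carried over from the old code only matches the exact string `/` after one leading and one trailing slash are stripped, so it is worth confirming that inputs with repeated slashes are also rejected. The `match` method at the end of the hunk continues outside it.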
