resources - provided extension point on ResourcesRoute constructor al…
…lowing to override behaviour forbidding usage of / baseResourcePath, in case someone would like to

serve resources from root classpath, even if this is not advised from a security standpoint
fcamblor committed Aug 28, 2017
1 parent 9effdfd commit 16a4951
Showing 1 changed file with 14 additions and 5 deletions.
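--- a/restx-core/src/main/java/restx/ResourcesRoute.java
+++ b/restx-core/src/main/java/restx/ResourcesRoute.java
@@ -91,15 +91,24 @@ public ResourcesRoute(String name, String baseRestPath, String baseResourcePath,
 public ResourcesRoute(String name, String baseRestPath, String baseResourcePath, ImmutableMap<String, String> aliases, List<CachedResourcePolicy> cachedResourcePolicies) {
 this.name = checkNotNull(name);
 this.baseRestPath = ("/" + checkNotNull(baseRestPath) + "/").replaceAll("/+", "/");
-this.baseResourcePath = checkNotNull(baseResourcePath)
-.replace('.', '/').replaceAll("^/", "").replaceAll("/$", "") + "/";
-if("/".equals(this.baseResourcePath)){
-throw new IllegalArgumentException("Please, avoid using '/' as ResourcesRoute's baseResourcePath as it represents serious security flaws (people will be able to read your classpath configuration files)");
-}
+this.baseResourcePath = this.ensureBaseResourcePathValid(baseResourcePath);
 this.aliases = checkNotNull(aliases);
 this.cachedResourcePolicies = ImmutableList.copyOf(cachedResourcePolicies);
 }
 
+protected String ensureBaseResourcePathValid(String baseResourcePath) {
+String escapedBaseResourcePath = checkNotNull(baseResourcePath)
+.replace('.', '/')
+.replaceAll("^/", "")
+.replaceAll("/$", "") + "/";
+
+if("/".equals(escapedBaseResourcePath)){
+throw new IllegalArgumentException("Please, avoid using '/' as ResourcesRoute's baseResourcePath as it represents serious security flaws (people will be able to read your classpath configuration files)");
+}
+
+return escapedBaseResourcePath;
+}
+
 @Override
 public Optional<RestxHandlerMatch> match(RestxRequest req) {
 if (req.getHttpMethod().equals("GET") && req.getRestxPath().startsWith(baseRestPath)) {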
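Review bot: The guard in `ensureBaseResourcePathValid` rejects only the exact string "/" while the two `replaceAll` calls strip a single leading and a single trailing slash, so a value made only of repeated slashes or dots (constructed example: `"///"`) normalises to `"//"` and is accepted. Whether such a value then resolves to the classpath root depends on the lookup code, which is outside the hunk, but collapsing the runs removes the question: `.replaceAll("^/+", "").replaceAll("/+$", "") + "/"`. Separately, the method is protected and called from the constructor, so an override replaces the normalisation together with the check and runs before the subclass's own fields are initialised. A Javadoc on the method should state that overriding it disables the classpath-root protection and that the override must still return the normalised form. Keeping the normalisation private and exposing only a small protected predicate for the policy decision would narrow the extension point to what the commit message actually asks for.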
