
DevTools exposes every file in classpath #7880

Closed
yreifschneider opened this issue Jan 5, 2017 · 3 comments
Labels: type: blocker (An issue that is blocking us from releasing); type: bug (A general bug); type: regression (A regression from a previous release)
Milestone: 1.4.4

Comments

yreifschneider commented Jan 5, 2017

When I create a Spring Boot web application with DevTools in pom.xml, every file on the classpath is exposed as a static file for download. The documentation states:

Developer tools are automatically disabled when running a fully packaged application. If your application is launched using java -jar or if it’s started using a special classloader, then it is considered a “production application”.

But even when I run the application with java -jar, every file is accessible for download. I have attached a simple demo project to illustrate this.

If you run the demo project, for example with mvn spring-boot:run or by compiling it to a jar file and then running java -jar, you can access the application.properties file in the browser under http://localhost:8080/application.properties.

Using Spring Boot version 1.4.3

$ java -version
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

devtools-exposes-files.zip

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 5, 2017
@philwebb philwebb added type: blocker An issue that is blocking us from releasing type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 5, 2017
@philwebb philwebb added this to the 1.4.4 milestone Jan 5, 2017
@philwebb philwebb added the type: regression A regression from a previous release label Jan 5, 2017
philwebb (Member) commented Jan 5, 2017

It looks like this is a regression in 1.4.3 as downgrading to 1.4.2 fixes the problem.

philwebb (Member) commented Jan 6, 2017

The root cause is the new ClassLoaderFilesResourcePatternResolver which was resolving / patterns as classpath resources rather than servlet resources. This was fixed in #7752 but I'll add some tests to make sure it doesn't happen again.

xak2000 (Contributor) commented Jan 28, 2017

Oh! Actually, this is a big security issue. I am surprised that this is not mentioned explicitly in the release notes at https://spring.io/blog/2017/01/26/spring-boot-1-4-4-available-now.

Some people even have production passwords in their properties. :) It is bad practice of course and a security issue in itself. But anyway, even when the classpath contains no passwords, it still contains many files not intended to be read by anyone.
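A regression test of the kind philwebb mentions above, written here as an added example rather than the spring-boot project's own test: it asserts that a Spring Boot 1.4.x web application never serves classpath-only files such as application.properties as static content. It assumes JUnit 4 with spring-boot-starter-test (AssertJ and TestRestTemplate), DevTools on the classpath, and a hypothetical application package com.example.demo.

```java
package com.example.demo;

import static org.assertj.core.api.Assertions.assertThat;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.test.context.junit4.SpringRunner;

/**
 * Added regression check; not part of the spring-boot project or of issue #7880.
 * Assumes the application under test keeps src/main/resources/application.properties
 * and that the package com.example.demo (hypothetical) holds DemoApplication.
 */
@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
public class ClasspathNotServedTest {

    // Classpath resources that the static-resource handler must never expose.
    // The regression in 1.4.3 answered these with HTTP 200 and the file body.
    private static final String[] CLASSPATH_ONLY = {
        "/application.properties",
        "/application.yml",
        "/com/example/demo/DemoApplication.class"
    };

    @Autowired
    private TestRestTemplate rest;

    @Test
    public void classpathFilesAreNotServedAsStaticContent() {
        for (String path : CLASSPATH_ONLY) {
            ResponseEntity<String> response = rest.getForEntity(path, String.class);
            // Only resources under a servlet/static location may be served; anything
            // resolved from the raw classpath must come back as 404 Not Found.
            assertThat(response.getStatusCode())
                .as("GET %s must not serve a classpath resource", path)
                .isEqualTo(HttpStatus.NOT_FOUND);
        }
    }
}
```

The same three URLs can be requested with a browser or curl against a running instance started with mvn spring-boot:run or java -jar, as described in the report above, to confirm a deployed build is not affected.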
