fix: Do not serve reserved folders (#22998) (#23033)

Do not run indexhtmlrequesthandler
for requests to vaadin reserved
folders.

Co-authored-by: caalador <mikael.grankvist@vaadin.com>

Author: vaadin-bot

flow-server/src/main/java/com/vaadin/flow/server/BootstrapHandler.java

@@ -516,7 +516,7 @@ protected boolean canHandleRequest(VaadinRequest request) {
         }
 
         if (isVaadinStaticFileRequest(request)) {
-            // Do not allow routes inside /VAADIN/
+            // Do not allow routes inside /VAADIN/ or reserved static folders
             return false;
         }
 
@@ -557,7 +557,8 @@ public static boolean isFrameworkInternalRequest(VaadinRequest request) {
     }
 
     /**
-     * Checks whether the request is a request for /VAADIN/*.
+     * Checks whether the request is a request for /VAADIN/* or other reserved
+     * static folder. (/themes, /assets, /aura, /lumo)
      * <p>
      * Warning: This assumes that the VaadinRequest is targeted for a
      * VaadinServlet and does no further checks to validate this.
@@ -572,8 +573,9 @@ public static boolean isFrameworkInternalRequest(VaadinRequest request) {
      *         otherwise
      */
     public static boolean isVaadinStaticFileRequest(VaadinRequest request) {
-        return request.getPathInfo() != null
-                && request.getPathInfo().startsWith("/" + VAADIN_MAPPING);
+        return request.getPathInfo() != null && HandlerHelper
+                .getPublicInternalFolderPaths().stream()
+                .anyMatch(path -> request.getPathInfo().startsWith(path));
     }
 
     /**

flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java

@@ -32,6 +32,7 @@
 import java.util.function.BiConsumer;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import com.vaadin.flow.component.UI;
 import com.vaadin.flow.server.communication.PwaHandler;
@@ -147,6 +148,8 @@ public String getIdentifier() {
 
     private static final String[] publicResourcesRoot;
     private static final String[] publicResources;
+    private static final List<String> publicInternalFolderPaths;
+
     static {
         List<String> resources = new ArrayList<>();
         resources.add("/" + PwaConfiguration.DEFAULT_PATH);
@@ -168,6 +171,18 @@ public String getIdentifier() {
         rootResources.add("/favicon.ico");
         publicResourcesRoot = rootResources
                 .toArray(new String[rootResources.size()]);
+
+        List<String> resourcesPath = new ArrayList<>();
+        Stream.concat(resources.stream(), rootResources.stream())
+                .filter(resource -> resource.endsWith("/**"))
+                .map(resource -> resource.replace("/**", ""))
+                .forEach(resourcesPath::add);
+        for (String resource : getPublicResourcesRequiringSecurityContext()) {
+            if (resource.endsWith("/**")) {
+                resourcesPath.add(resource.replace("/**", ""));
+            }
+        }
+        publicInternalFolderPaths = resourcesPath;
     }
 
     private HandlerHelper() {
@@ -544,6 +559,10 @@ public static String[] getPublicResourcesRoot() {
         return publicResourcesRoot;
     }
 
+    public static List<String> getPublicInternalFolderPaths() {
+        return publicInternalFolderPaths;
+    }
+
     /**
      * Gets the paths of the PWA icon variants for the given base icon.
      *

flow-server/src/main/java/com/vaadin/flow/server/StaticFileServer.java

@@ -256,6 +256,9 @@ public boolean serveStaticResource(HttpServletRequest request,
             // servletContext.getResource will return a URL for them, at
             // least with Jetty
             return false;
+        } else if (HandlerHelper.getPublicInternalFolderPaths().stream()
+                .anyMatch(path -> filenameWithPath.equals(path))) {
+            return false;
         }
 
         if (HandlerHelper.isPathUnsafe(filenameWithPath)) {

flow-server/src/test/java/com/vaadin/flow/server/StaticFileServerTest.java

@@ -28,6 +28,7 @@
 import java.io.Serializable;
 import java.lang.reflect.Field;
 import java.net.MalformedURLException;
+import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLConnection;
@@ -1252,6 +1253,30 @@ public void serveStaticResource_themeResourceRequest_productionMode_notServeFrom
         Assert.assertFalse(fileServer.serveStaticResource(request, response));
     }
 
+    @Test
+    public void frameworkStaticFolder_withoutEndingSlash_doesNotServeStaticResource()
+            throws IOException {
+        // Test framework static folders without / at the end,
+        // that they do not return a result
+        for (String publicInternalFolderPath : HandlerHelper
+                .getPublicInternalFolderPaths()) {
+            Assert.assertTrue(publicInternalFolderPath.startsWith("/"));
+            Assert.assertFalse(publicInternalFolderPath.endsWith("/**"));
+
+            setupRequestURI("", "", publicInternalFolderPath);
+            Mockito.when(
+                    servletService.getStaticResource(publicInternalFolderPath))
+                    .thenReturn(URI
+                            .create("file:///" + publicInternalFolderPath + "/")
+                            .toURL());
+
+            Assert.assertFalse(
+                    publicInternalFolderPath
+                            + " should not be a static resource.",
+                    fileServer.serveStaticResource(request, response));
+        }
+    }
+
     private static class CapturingServletOutputStream
             extends ServletOutputStream {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();

flow-server/src/test/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandlerTest.java

@@ -61,6 +61,7 @@
 import com.vaadin.flow.server.AppShellRegistry;
 import com.vaadin.flow.server.BootstrapHandler;
 import com.vaadin.flow.server.Constants;
+import com.vaadin.flow.server.HandlerHelper;
 import com.vaadin.flow.server.MockServletServiceSessionSetup;
 import com.vaadin.flow.server.VaadinContext;
 import com.vaadin.flow.server.VaadinRequest;
@@ -313,6 +314,18 @@ public void canHandleRequest_doNotHandle_vaadinStaticResources() {
                 createRequestWithDestination("/VAADIN/foo.js", null, null)));
     }
 
+    @Test
+    public void canHandleRequest_doNotHandle_vaadinReservedFolders() {
+        for (String reservedFolder : HandlerHelper
+                .getPublicInternalFolderPaths()) {
+            assertFalse(reservedFolder
+                    + " was handled even though it should not init index handler",
+                    indexHtmlRequestHandler.canHandleRequest(
+                            createRequestWithDestination(reservedFolder, null,
+                                    null)));
+        }
+    }
+
     @Test
     public void canHandleRequest_handle_serviceWorkerDocumentRequest() {
         Assert.assertTrue(indexHtmlRequestHandler.canHandleRequest(

flow-tests/test-application-theme/test-theme-reusable-vite/src/test/java/com/vaadin/flow/uitest/ui/theme/ReusableThemeIT.java

@@ -52,7 +52,7 @@ public void secondTheme_staticFilesNotCopied() {
         getDriver().get(getRootURL() + "/path/themes/no-copy/no-copy.txt");
         String source = driver.getPageSource();
         Matcher m = Pattern.compile(
-                ".*Could not navigate to.*themes/no-copy/no-copy.txt.*",
+                ".*HTTP ERROR 404 Request was not handled by any registered handler.*",
                 Pattern.DOTALL).matcher(source);
         Assert.assertTrue("no-copy theme should not be handled", m.matches());
     }

flow-tests/test-custom-frontend-directory/test-themes-custom-frontend-directory/src/test/java/com/vaadin/flow/uitest/ui/theme/ThemeIT.java

@@ -100,7 +100,7 @@ public void secondTheme_staticFilesNotCopied() {
         waitForDevServer();
         String source = driver.getPageSource();
         Matcher m = Pattern.compile(
-                ".*Could not navigate to.*themes/no-copy/no-copy.txt.*",
+                ".*HTTP ERROR 404 Request was not handled by any registered handler.*",
                 Pattern.DOTALL).matcher(source);
         Assert.assertTrue("no-copy theme should not be handled", m.matches());
     }

flow-tests/test-frontend/vite-pwa/src/test/java/com/vaadin/viteapp/MainIT.java

@@ -24,7 +24,9 @@
 import com.vaadin.flow.testutil.ChromeDeviceTest;
 
 public class MainIT extends ChromeDeviceTest {
-    final String VITE_PING_PATH = "/VAADIN";
+
+    // Ping actual existing file and not no route page, which now returns 404
+    final String VITE_PING_PATH = "/VAADIN/generated/";
 
     @Before
     public void init() {
@@ -48,12 +50,13 @@ public void openHomePage_setOffline_vitePingRequestIsRejected() {
         openPage("/");
 
         Assert.assertTrue("Should allow Vite ping requests when online",
-                sendVitePingRequest());
+                sendVitePingRequest(VITE_PING_PATH + "vaadin.ts"));
 
         getDevTools().setOfflineEnabled(true);
 
+        // Different file to not get cached.
         Assert.assertFalse("Should reject Vite ping requests when offline",
-                sendVitePingRequest());
+                sendVitePingRequest(VITE_PING_PATH + "theme.js"));
     }
 
     @Test
@@ -103,7 +106,7 @@ private Boolean isAppThemeLoaded() {
                 "return getComputedStyle(document.body).getPropertyValue('--theme-my-theme-loaded') === '1'");
     }
 
-    private Boolean sendVitePingRequest() {
+    private Boolean sendVitePingRequest(String VITE_PING_PATH) {
         return (Boolean) ((JavascriptExecutor) getDriver())
                 .executeAsyncScript(
                         "const done = arguments[arguments.length - 1];"

flow-tests/test-themes/src/test/java/com/vaadin/flow/uitest/ui/theme/ThemeIT.java

@@ -102,7 +102,7 @@ public void secondTheme_staticFilesNotCopied() {
         getDriver().get(getRootURL() + "/path/themes/no-copy/no-copy.txt");
         String source = driver.getPageSource();
         Matcher m = Pattern.compile(
-                ".*Could not navigate to.*themes/no-copy/no-copy.txt.*",
+                ".*HTTP ERROR 404 Request was not handled by any registered handler.*",
                 Pattern.DOTALL).matcher(source);
         Assert.assertTrue("no-copy theme should not be handled", m.matches());
     }