fix: Do not serve reserved folders (#22998) (#23034)

vaadin-bot · caalador · web-flow · commit d802af64a8b5 · 2025-12-18T11:03:02.000Z
Do not run indexhtmlrequesthandler
for requests to vaadin reserved
folders.

Co-authored-by: caalador &lt;mikael.grankvist@vaadin.com&gt;
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/BootstrapHandler.java b/flow-server/src/main/java/com/vaadin/flow/server/BootstrapHandler.java
@@ -517,7 +517,7 @@ protected boolean canHandleRequest(VaadinRequest request) {
         }
 
         if (isVaadinStaticFileRequest(request)) {
-            // Do not allow routes inside /VAADIN/
+            // Do not allow routes inside /VAADIN/ or reserved static folders
             return false;
         }
 
@@ -558,7 +558,8 @@ public static boolean isFrameworkInternalRequest(VaadinRequest request) {
     }
 
     /**
-     * Checks whether the request is a request for /VAADIN/*.
+     * Checks whether the request is a request for /VAADIN/* or other reserved
+     * static folder. (/themes, /assets, /aura, /lumo)
      * <p>
      * Warning: This assumes that the VaadinRequest is targeted for a
      * VaadinServlet and does no further checks to validate this.
@@ -573,8 +574,9 @@ public static boolean isFrameworkInternalRequest(VaadinRequest request) {
      *         otherwise
      */
     public static boolean isVaadinStaticFileRequest(VaadinRequest request) {
-        return request.getPathInfo() != null
-                && request.getPathInfo().startsWith("/" + VAADIN_MAPPING);
+        return request.getPathInfo() != null && HandlerHelper
+                .getPublicInternalFolderPaths().stream()
+                .anyMatch(path -> request.getPathInfo().startsWith(path));
     }
 
     /**
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java b/flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java
@@ -30,6 +30,7 @@
 import java.util.function.BiConsumer;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import jakarta.servlet.http.HttpServletRequest;
 
@@ -147,6 +148,8 @@ public String getIdentifier() {
 
     private static final String[] publicResourcesRoot;
     private static final String[] publicResources;
+    private static final List<String> publicInternalFolderPaths;
+
     static {
         List<String> resources = new ArrayList<>();
         resources.add("/" + PwaConfiguration.DEFAULT_PATH);
@@ -164,6 +167,18 @@ public String getIdentifier() {
         rootResources.add("/favicon.ico");
         publicResourcesRoot = rootResources
                 .toArray(new String[rootResources.size()]);
+
+        List<String> resourcesPath = new ArrayList<>();
+        Stream.concat(resources.stream(), rootResources.stream())
+                .filter(resource -> resource.endsWith("/**"))
+                .map(resource -> resource.replace("/**", ""))
+                .forEach(resourcesPath::add);
+        for (String resource : getPublicResourcesRequiringSecurityContext()) {
+            if (resource.endsWith("/**")) {
+                resourcesPath.add(resource.replace("/**", ""));
+            }
+        }
+        publicInternalFolderPaths = resourcesPath;
     }
 
     private HandlerHelper() {
@@ -518,6 +533,10 @@ public static String[] getPublicResourcesRoot() {
         return publicResourcesRoot;
     }
 
+    public static List<String> getPublicInternalFolderPaths() {
+        return publicInternalFolderPaths;
+    }
+
     /**
      * Gets the paths of the PWA icon variants for the given base icon.
      *
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/StaticFileServer.java b/flow-server/src/main/java/com/vaadin/flow/server/StaticFileServer.java
@@ -252,6 +252,9 @@ public boolean serveStaticResource(HttpServletRequest request,
             // servletContext.getResource will return a URL for them, at
             // least with Jetty
             return false;
+        } else if (HandlerHelper.getPublicInternalFolderPaths().stream()
+                .anyMatch(path -> filenameWithPath.equals(path))) {
+            return false;
         }
 
         if (HandlerHelper.isPathUnsafe(filenameWithPath)) {
diff --git a/flow-server/src/test/java/com/vaadin/flow/server/StaticFileServerTest.java b/flow-server/src/test/java/com/vaadin/flow/server/StaticFileServerTest.java
@@ -28,6 +28,7 @@
 import java.io.Serializable;
 import java.lang.reflect.Field;
 import java.net.MalformedURLException;
+import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLConnection;
@@ -1257,6 +1258,30 @@ public void serveStaticResource_themeResourceRequest_productionMode_notServeFrom
         Assert.assertFalse(fileServer.serveStaticResource(request, response));
     }
 
+    @Test
+    public void frameworkStaticFolder_withoutEndingSlash_doesNotServeStaticResource()
+            throws IOException {
+        // Test framework static folders without / at the end,
+        // that they do not return a result
+        for (String publicInternalFolderPath : HandlerHelper
+                .getPublicInternalFolderPaths()) {
+            Assert.assertTrue(publicInternalFolderPath.startsWith("/"));
+            Assert.assertFalse(publicInternalFolderPath.endsWith("/**"));
+
+            setupRequestURI("", "", publicInternalFolderPath);
+            Mockito.when(
+                    servletService.getStaticResource(publicInternalFolderPath))
+                    .thenReturn(URI
+                            .create("file:///" + publicInternalFolderPath + "/")
+                            .toURL());
+
+            Assert.assertFalse(
+                    publicInternalFolderPath
+                            + " should not be a static resource.",
+                    fileServer.serveStaticResource(request, response));
+        }
+    }
+
     private static class CapturingServletOutputStream
             extends ServletOutputStream {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
diff --git a/flow-server/src/test/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandlerTest.java b/flow-server/src/test/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandlerTest.java
@@ -58,6 +58,7 @@
 import com.vaadin.flow.server.AppShellRegistry;
 import com.vaadin.flow.server.BootstrapHandler;
 import com.vaadin.flow.server.Constants;
+import com.vaadin.flow.server.HandlerHelper;
 import com.vaadin.flow.server.MockServletServiceSessionSetup;
 import com.vaadin.flow.server.VaadinContext;
 import com.vaadin.flow.server.VaadinRequest;
@@ -313,6 +314,18 @@ public void canHandleRequest_doNotHandle_vaadinStaticResources() {
                 createRequestWithDestination("/VAADIN/foo.js", null, null)));
     }
 
+    @Test
+    public void canHandleRequest_doNotHandle_vaadinReservedFolders() {
+        for (String reservedFolder : HandlerHelper
+                .getPublicInternalFolderPaths()) {
+            assertFalse(reservedFolder
+                    + " was handled even though it should not init index handler",
+                    indexHtmlRequestHandler.canHandleRequest(
+                            createRequestWithDestination(reservedFolder, null,
+                                    null)));
+        }
+    }
+
     @Test
     public void canHandleRequest_handle_serviceWorkerDocumentRequest() {
         Assert.assertTrue(indexHtmlRequestHandler.canHandleRequest(
diff --git a/flow-tests/test-application-theme/test-theme-reusable-vite/src/test/java/com/vaadin/flow/uitest/ui/theme/ReusableThemeIT.java b/flow-tests/test-application-theme/test-theme-reusable-vite/src/test/java/com/vaadin/flow/uitest/ui/theme/ReusableThemeIT.java
@@ -52,7 +52,7 @@ public void secondTheme_staticFilesNotCopied() {
         getDriver().get(getRootURL() + "/path/themes/no-copy/no-copy.txt");
         String source = driver.getPageSource();
         Matcher m = Pattern.compile(
-                ".*Could not navigate to.*themes/no-copy/no-copy.txt.*",
+                ".*HTTP ERROR 404 Request was not handled by any registered handler.*",
                 Pattern.DOTALL).matcher(source);
         Assert.assertTrue("no-copy theme should not be handled", m.matches());
     }
diff --git a/flow-tests/test-custom-frontend-directory/test-themes-custom-frontend-directory/src/test/java/com/vaadin/flow/uitest/ui/theme/ThemeIT.java b/flow-tests/test-custom-frontend-directory/test-themes-custom-frontend-directory/src/test/java/com/vaadin/flow/uitest/ui/theme/ThemeIT.java
@@ -100,7 +100,7 @@ public void secondTheme_staticFilesNotCopied() {
         waitForDevServer();
         String source = driver.getPageSource();
         Matcher m = Pattern.compile(
-                ".*Could not navigate to.*themes/no-copy/no-copy.txt.*",
+                ".*HTTP ERROR 404 Request was not handled by any registered handler.*",
                 Pattern.DOTALL).matcher(source);
         Assert.assertTrue("no-copy theme should not be handled", m.matches());
     }
diff --git a/flow-tests/test-frontend/vite-pwa/src/test/java/com/vaadin/viteapp/MainIT.java b/flow-tests/test-frontend/vite-pwa/src/test/java/com/vaadin/viteapp/MainIT.java
@@ -24,7 +24,9 @@
 import com.vaadin.flow.testutil.ChromeDeviceTest;
 
 public class MainIT extends ChromeDeviceTest {
-    final String VITE_PING_PATH = "/VAADIN";
+
+    // Ping actual existing file and not no route page, which now returns 404
+    final String VITE_PING_PATH = "/VAADIN/generated/";
 
     @Before
     public void init() {
@@ -48,12 +50,13 @@ public void openHomePage_setOffline_vitePingRequestIsRejected() {
         openPage("/");
 
         Assert.assertTrue("Should allow Vite ping requests when online",
-                sendVitePingRequest());
+                sendVitePingRequest(VITE_PING_PATH + "vaadin.ts"));
 
         getDevTools().setOfflineEnabled(true);
 
+        // Different file to not get cached.
         Assert.assertFalse("Should reject Vite ping requests when offline",
-                sendVitePingRequest());
+                sendVitePingRequest(VITE_PING_PATH + "theme.js"));
     }
 
     @Test
@@ -103,7 +106,7 @@ private Boolean isAppThemeLoaded() {
                 "return getComputedStyle(document.body).getPropertyValue('--theme-my-theme-loaded') === '1'");
     }
 
-    private Boolean sendVitePingRequest() {
+    private Boolean sendVitePingRequest(String VITE_PING_PATH) {
         return (Boolean) ((JavascriptExecutor) getDriver())
                 .executeAsyncScript(
                         "const done = arguments[arguments.length - 1];"
diff --git a/flow-tests/test-themes/src/test/java/com/vaadin/flow/uitest/ui/theme/ThemeIT.java b/flow-tests/test-themes/src/test/java/com/vaadin/flow/uitest/ui/theme/ThemeIT.java
@@ -102,7 +102,7 @@ public void secondTheme_staticFilesNotCopied() {
         getDriver().get(getRootURL() + "/path/themes/no-copy/no-copy.txt");
         String source = driver.getPageSource();
         Matcher m = Pattern.compile(
-                ".*Could not navigate to.*themes/no-copy/no-copy.txt.*",
+                ".*HTTP ERROR 404 Request was not handled by any registered handler.*",
                 Pattern.DOTALL).matcher(source);
         Assert.assertTrue("no-copy theme should not be handled", m.matches());
     }

Original file line number	Diff line number	Diff line change
`@@ -252,6 +252,9 @@ public boolean serveStaticResource(HttpServletRequest request,`
`252`	`252`	`// servletContext.getResource will return a URL for them, at`
`253`	`253`	`// least with Jetty`
`254`	`254`	`return false;`
	`255`	`+ } else if (HandlerHelper.getPublicInternalFolderPaths().stream()`
	`256`	`+ .anyMatch(path -> filenameWithPath.equals(path))) {`
	`257`	`+ return false;`
`255`	`258`	`}`
`256`	`259`
`257`	`260`	`if (HandlerHelper.isPathUnsafe(filenameWithPath)) {`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ public void secondTheme_staticFilesNotCopied() {`
`52`	`52`	`getDriver().get(getRootURL() + "/path/themes/no-copy/no-copy.txt");`
`53`	`53`	`String source = driver.getPageSource();`
`54`	`54`	`Matcher m = Pattern.compile(`
`55`		`- ".Could not navigate to.themes/no-copy/no-copy.txt.*",`
	`55`	`+ ".HTTP ERROR 404 Request was not handled by any registered handler.",`
`56`	`56`	`Pattern.DOTALL).matcher(source);`
`57`	`57`	`Assert.assertTrue("no-copy theme should not be handled", m.matches());`
`58`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ public void secondTheme_staticFilesNotCopied() {`
`100`	`100`	`waitForDevServer();`
`101`	`101`	`String source = driver.getPageSource();`
`102`	`102`	`Matcher m = Pattern.compile(`
`103`		`- ".Could not navigate to.themes/no-copy/no-copy.txt.*",`
	`103`	`+ ".HTTP ERROR 404 Request was not handled by any registered handler.",`
`104`	`104`	`Pattern.DOTALL).matcher(source);`
`105`	`105`	`Assert.assertTrue("no-copy theme should not be handled", m.matches());`
`106`	`106`	`}`
Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ public void secondTheme_staticFilesNotCopied() {`
`102`	`102`	`getDriver().get(getRootURL() + "/path/themes/no-copy/no-copy.txt");`
`103`	`103`	`String source = driver.getPageSource();`
`104`	`104`	`Matcher m = Pattern.compile(`
`105`		`- ".Could not navigate to.themes/no-copy/no-copy.txt.*",`
	`105`	`+ ".HTTP ERROR 404 Request was not handled by any registered handler.",`
`106`	`106`	`Pattern.DOTALL).matcher(source);`
`107`	`107`	`Assert.assertTrue("no-copy theme should not be handled", m.matches());`
`108`	`108`	`}`