Merge branch '3.2.x'

Closes gh-40996
Andy Wilkinson 2024-06-05 14:27:16 +01:00
commit 45f09df7fe
3 changed files with 300 additions and 158 deletions


@ -17,27 +17,18 @@
package org.springframework.boot.web.embedded.jetty;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;
import java.nio.channels.ReadableByteChannel;
import java.nio.file.Path;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.EventListener;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.Spliterator;
import java.util.UUID;
import java.util.function.Consumer;
import jakarta.servlet.http.Cookie;
import org.eclipse.jetty.ee10.servlet.ErrorHandler;
@ -79,7 +70,6 @@ import org.eclipse.jetty.session.DefaultSessionCache;
import org.eclipse.jetty.session.FileSessionDataStore;
import org.eclipse.jetty.session.SessionConfig;
import org.eclipse.jetty.util.Callback;
import org.eclipse.jetty.util.resource.CombinedResource;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.resource.ResourceFactory;
import org.eclipse.jetty.util.resource.URLResourceFactory;
@ -594,154 +584,6 @@ public class JettyServletWebServerFactory extends AbstractServletWebServerFactor
}
}
private static final class LoaderHidingResource extends Resource {
private static final String LOADER_RESOURCE_PATH_PREFIX = "/org/springframework/boot/";
private final Resource base;
private final Resource delegate;
private LoaderHidingResource(Resource base, Resource delegate) {
this.base = base;
this.delegate = delegate;
}
@Override
public void forEach(Consumer<? super Resource> action) {
this.delegate.forEach(action);
}
@Override
public Path getPath() {
return this.delegate.getPath();
}
@Override
public boolean isContainedIn(Resource r) {
return this.delegate.isContainedIn(r);
}
@Override
public Iterator<Resource> iterator() {
if (this.delegate instanceof CombinedResource) {
return list().iterator();
}
return List.<Resource>of(this).iterator();
}
@Override
public boolean equals(Object obj) {
return this.delegate.equals(obj);
}
@Override
public int hashCode() {
return this.delegate.hashCode();
}
@Override
public boolean exists() {
return this.delegate.exists();
}
@Override
public Spliterator<Resource> spliterator() {
return this.delegate.spliterator();
}
@Override
public boolean isDirectory() {
return this.delegate.isDirectory();
}
@Override
public boolean isReadable() {
return this.delegate.isReadable();
}
@Override
public Instant lastModified() {
return this.delegate.lastModified();
}
@Override
public long length() {
return this.delegate.length();
}
@Override
public URI getURI() {
return this.delegate.getURI();
}
@Override
public String getName() {
return this.delegate.getName();
}
@Override
public String getFileName() {
return this.delegate.getFileName();
}
@Override
public InputStream newInputStream() throws IOException {
return this.delegate.newInputStream();
}
@Override
@SuppressWarnings({ "deprecation", "removal" })
public ReadableByteChannel newReadableByteChannel() throws IOException {
return this.delegate.newReadableByteChannel();
}
@Override
public List<Resource> list() {
return this.delegate.list().stream().filter(this::nonLoaderResource).toList();
}
private boolean nonLoaderResource(Resource resource) {
Path prefix = this.base.getPath().resolve(Path.of("org", "springframework", "boot"));
return !resource.getPath().startsWith(prefix);
}
@Override
public Resource resolve(String subUriPath) {
if (subUriPath.startsWith(LOADER_RESOURCE_PATH_PREFIX)) {
return null;
}
Resource resolved = this.delegate.resolve(subUriPath);
return (resolved != null) ? new LoaderHidingResource(this.base, resolved) : null;
}
@Override
public boolean isAlias() {
return this.delegate.isAlias();
}
@Override
public URI getRealURI() {
return this.delegate.getRealURI();
}
@Override
public void copyTo(Path destination) throws IOException {
this.delegate.copyTo(destination);
}
@Override
public Collection<Resource> getAllResources() {
return this.delegate.getAllResources().stream().filter(this::nonLoaderResource).toList();
}
@Override
public String toString() {
return this.delegate.toString();
}
}
/**
* {@link AbstractConfiguration} to apply {@code @WebListener} classes.
*/


@ -0,0 +1,196 @@
/*
* Copyright 2012-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.boot.web.embedded.jetty;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.channels.ReadableByteChannel;
import java.nio.file.Path;
import java.time.Instant;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Spliterator;
import java.util.function.Consumer;
import org.eclipse.jetty.util.resource.CombinedResource;
import org.eclipse.jetty.util.resource.Resource;
/**
* A custom {@link Resource} that hides Spring Boot's loader classes, preventing them from
* being served over HTTP.
*
* @author Andy Wilkinson
*/
final class LoaderHidingResource extends Resource {
private static final String LOADER_RESOURCE_PATH_PREFIX = "/org/springframework/boot/";
private final Path loaderBasePath;
private final Resource base;
private final Resource delegate;
LoaderHidingResource(Resource base, Resource delegate) {
this.base = base;
this.delegate = delegate;
this.loaderBasePath = base.getPath().getFileSystem().getPath("/", "org", "springframework", "boot");
}
@Override
public void forEach(Consumer<? super Resource> action) {
this.delegate.forEach(action);
}
@Override
public Path getPath() {
return this.delegate.getPath();
}
@Override
public boolean isContainedIn(Resource r) {
return this.delegate.isContainedIn(r);
}
@Override
public Iterator<Resource> iterator() {
if (this.delegate instanceof CombinedResource) {
return list().iterator();
}
return List.<Resource>of(this).iterator();
}
@Override
public boolean equals(Object obj) {
return this.delegate.equals(obj);
}
@Override
public int hashCode() {
return this.delegate.hashCode();
}
@Override
public boolean exists() {
return this.delegate.exists();
}
@Override
public Spliterator<Resource> spliterator() {
return this.delegate.spliterator();
}
@Override
public boolean isDirectory() {
return this.delegate.isDirectory();
}
@Override
public boolean isReadable() {
return this.delegate.isReadable();
}
@Override
public Instant lastModified() {
return this.delegate.lastModified();
}
@Override
public long length() {
return this.delegate.length();
}
@Override
public URI getURI() {
return this.delegate.getURI();
}
@Override
public String getName() {
return this.delegate.getName();
}
@Override
public String getFileName() {
return this.delegate.getFileName();
}
@Override
public InputStream newInputStream() throws IOException {
return this.delegate.newInputStream();
}
@Override
@SuppressWarnings({ "deprecation", "removal" })
public ReadableByteChannel newReadableByteChannel() throws IOException {
return this.delegate.newReadableByteChannel();
}
@Override
public List<Resource> list() {
return asLoaderHidingResources(this.delegate.list());
}
private boolean nonLoaderResource(Resource resource) {
return !resource.getPath().startsWith(this.loaderBasePath);
}
private List<Resource> asLoaderHidingResources(Collection<Resource> resources) {
return resources.stream().filter(this::nonLoaderResource).map(this::asLoaderHidingResource).toList();
}
private Resource asLoaderHidingResource(Resource resource) {
return (resource instanceof LoaderHidingResource) ? resource : new LoaderHidingResource(this.base, resource);
}
@Override
public Resource resolve(String subUriPath) {
if (subUriPath.startsWith(LOADER_RESOURCE_PATH_PREFIX)) {
return null;
}
Resource resolved = this.delegate.resolve(subUriPath);
return (resolved != null) ? new LoaderHidingResource(this.base, resolved) : null;
}
@Override
public boolean isAlias() {
return this.delegate.isAlias();
}
@Override
public URI getRealURI() {
return this.delegate.getRealURI();
}
@Override
public void copyTo(Path destination) throws IOException {
this.delegate.copyTo(destination);
}
@Override
public Collection<Resource> getAllResources() {
return asLoaderHidingResources(this.delegate.getAllResources());
}
@Override
public String toString() {
return this.delegate.toString();
}
}
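Review bot: `resolve` hides loader classes only through the raw string test `subUriPath.startsWith(LOADER_RESOURCE_PATH_PREFIX)`, whereas `list()` and `getAllResources()` filter on the resolved `Path` via `nonLoaderResource`. A sub-path that reaches the same entry under another spelling (no leading slash, redundant separators or dot segments, or a relative sub-path resolved on an already nested `LoaderHidingResource`) would not match the prefix; whether the delegate normalises such input is not visible here. Consider checking the result as well, e.g. `return (resolved != null && nonLoaderResource(resolved)) ? new LoaderHidingResource(this.base, resolved) : null;`, with a null guard on `getPath()` in `nonLoaderResource` if delegates not backed by a `Path` are possible. Separately, `loaderBasePath` is built from the file-system root rather than from `base.getPath()`, so the path filter presumably only matches when `base` is the root of an archive file system; a comment stating that assumption would help.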


@ -0,0 +1,104 @@
/*
* Copyright 2012-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.boot.web.embedded.jetty;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URI;
import java.nio.file.FileSystems;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.jar.JarOutputStream;
import java.util.zip.ZipEntry;
import org.eclipse.jetty.util.resource.PathResourceFactory;
import org.eclipse.jetty.util.resource.Resource;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import static org.assertj.core.api.Assertions.assertThat;
/**
* Tests for {@link LoaderHidingResource}.
*
* @author Andy Wilkinson
*/
class LoaderHidingResourceTests {
@Test
void listHidesLoaderResources(@TempDir File temp) throws IOException {
URI warUri = createExampleWar(temp);
Resource resource = new PathResourceFactory().newResource(warUri);
LoaderHidingResource loaderHidingResource = new LoaderHidingResource(resource, resource);
assertThat(deepList(loaderHidingResource)).hasOnlyElementsOfType(LoaderHidingResource.class)
.extracting(Resource::getName)
.contains("/assets/image.jpg")
.doesNotContain("/org/springframework/boot/Loader.class");
}
@Test
void getAllResourcesHidesLoaderResources(@TempDir File temp) throws IOException {
URI warUri = createExampleWar(temp);
Resource resource = new PathResourceFactory().newResource(warUri);
LoaderHidingResource loaderHidingResource = new LoaderHidingResource(resource, resource);
Collection<Resource> allResources = loaderHidingResource.getAllResources();
assertThat(allResources).hasOnlyElementsOfType(LoaderHidingResource.class)
.extracting(Resource::getName)
.contains("/assets/image.jpg")
.doesNotContain("/org/springframework/boot/Loader.class");
}
@Test
void resolveHidesLoaderResources(@TempDir File temp) throws IOException {
URI warUri = createExampleWar(temp);
Resource resource = new PathResourceFactory().newResource(warUri);
LoaderHidingResource loaderHidingResource = new LoaderHidingResource(resource, resource);
assertThat(loaderHidingResource.resolve("/assets/image.jpg").exists()).isTrue();
assertThat(loaderHidingResource.resolve("/assets/image.jpg")).isInstanceOf(LoaderHidingResource.class);
assertThat(loaderHidingResource.resolve("/assets/non-existent.jpg").exists()).isFalse();
assertThat(loaderHidingResource.resolve("/assets/non-existent.jpg")).isInstanceOf(LoaderHidingResource.class);
assertThat(loaderHidingResource.resolve("/org/springframework/boot/Loader.class")).isNull();
}
private URI createExampleWar(File temp) throws IOException {
File exampleWarFile = new File(temp, "example.war");
try (JarOutputStream out = new JarOutputStream(new FileOutputStream(exampleWarFile))) {
out.putNextEntry(new ZipEntry("org/"));
out.putNextEntry(new ZipEntry("org/springframework/"));
out.putNextEntry(new ZipEntry("org/springframework/boot/"));
out.putNextEntry(new ZipEntry("org/springframework/boot/Loader.class"));
out.putNextEntry(new ZipEntry("assets/"));
out.putNextEntry(new ZipEntry("assets/image.jpg"));
}
URI warUri = URI.create("jar:" + exampleWarFile.toURI() + "!/");
FileSystems.newFileSystem(warUri, Collections.emptyMap());
return warUri;
}
private List<Resource> deepList(Resource resource) {
List<Resource> all = new ArrayList<>();
for (Resource listed : resource.list()) {
all.add(listed);
all.addAll(deepList(listed));
}
return all;
}
}
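Review bot: `createExampleWar` opens a zip file system with `FileSystems.newFileSystem(warUri, Collections.emptyMap())` and never closes it, so each test leaves an open handle on `example.war` inside the `@TempDir`, which can make temp-directory cleanup fail on platforms that lock open files. Keep the returned `FileSystem` in a field and close it in an `@AfterEach` method, or hand it back to the test and wrap the test body in try-with-resources. The fixture also covers only a base that is the root of an archive and the exact string `/org/springframework/boot/Loader.class`; a case with a directory-backed base and one with a differently spelled sub-path would pin the hiding behaviour more firmly.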