From 2ceb7b42170c15bb1f1452709667c552b1b33718 Mon Sep 17 00:00:00 2001 From: Andy Wilkinson Date: Wed, 5 Jun 2024 12:08:14 +0100 Subject: [PATCH 1/2] Extract LoaderHidingResource as a top-level type See gh-39472 --- .../jetty/JettyServletWebServerFactory.java | 158 --------------- .../embedded/jetty/LoaderHidingResource.java | 186 ++++++++++++++++++ 2 files changed, 186 insertions(+), 158 deletions(-) create mode 100644 spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResource.java diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyServletWebServerFactory.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyServletWebServerFactory.java index 63f0299463b..194fa32ba26 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyServletWebServerFactory.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyServletWebServerFactory.java @@ -17,27 +17,18 @@ package org.springframework.boot.web.embedded.jetty; import java.io.File; -import java.io.IOException; -import java.io.InputStream; import java.net.InetSocketAddress; -import java.net.URI; import java.net.URL; -import java.nio.channels.ReadableByteChannel; -import java.nio.file.Path; import java.time.Duration; -import java.time.Instant; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.EventListener; -import java.util.Iterator; import java.util.LinkedHashSet; import java.util.List; import java.util.Objects; import java.util.Set; -import java.util.Spliterator; import java.util.UUID; -import java.util.function.Consumer; import jakarta.servlet.http.Cookie; import org.eclipse.jetty.ee10.servlet.ErrorHandler; 
@@ -79,7 +70,6 @@ import org.eclipse.jetty.session.DefaultSessionCache; import org.eclipse.jetty.session.FileSessionDataStore; import org.eclipse.jetty.session.SessionConfig; import org.eclipse.jetty.util.Callback; -import org.eclipse.jetty.util.resource.CombinedResource; import org.eclipse.jetty.util.resource.Resource; import org.eclipse.jetty.util.resource.ResourceFactory; import org.eclipse.jetty.util.resource.URLResourceFactory; 
@@ -593,154 +583,6 @@ public class JettyServletWebServerFactory extends AbstractServletWebServerFactor } } - private static final class LoaderHidingResource extends Resource { - - private static final String LOADER_RESOURCE_PATH_PREFIX = "/org/springframework/boot/"; - - private final Resource base; - - private final Resource delegate; - - private LoaderHidingResource(Resource base, Resource delegate) { - this.base = base; - this.delegate = delegate; - } - - @Override - public void forEach(Consumer action) { - this.delegate.forEach(action); - } - - @Override - public Path getPath() { - return this.delegate.getPath(); - } - - @Override - public boolean isContainedIn(Resource r) { - return this.delegate.isContainedIn(r); - } - - @Override - public Iterator iterator() { - if (this.delegate instanceof CombinedResource) { - return list().iterator(); - } - return List.of(this).iterator(); - } - - @Override - public boolean equals(Object obj) { - return this.delegate.equals(obj); - } - - @Override - public int hashCode() { - return this.delegate.hashCode(); - } - - @Override - public boolean exists() { - return this.delegate.exists(); - } - - @Override - public Spliterator spliterator() { - return this.delegate.spliterator(); - } - - @Override - public boolean isDirectory() { - return this.delegate.isDirectory(); - } - - @Override - public boolean isReadable() { - return this.delegate.isReadable(); - } - - @Override - public Instant lastModified() { - return this.delegate.lastModified(); - } - - @Override - public long length() { - return this.delegate.length(); - } - - @Override - public URI getURI() { - return this.delegate.getURI(); - } - - @Override - public String getName() { - return this.delegate.getName(); - } - - @Override - public String getFileName() { - return this.delegate.getFileName(); - } - - @Override - public InputStream newInputStream() throws IOException { - return this.delegate.newInputStream(); - } - - @Override - @SuppressWarnings({ "deprecation", 
"removal" }) - public ReadableByteChannel newReadableByteChannel() throws IOException { - return this.delegate.newReadableByteChannel(); - } - - @Override - public List list() { - return this.delegate.list().stream().filter(this::nonLoaderResource).toList(); - } - - private boolean nonLoaderResource(Resource resource) { - Path prefix = this.base.getPath().resolve(Path.of("org", "springframework", "boot")); - return !resource.getPath().startsWith(prefix); - } - - @Override - public Resource resolve(String subUriPath) { - if (subUriPath.startsWith(LOADER_RESOURCE_PATH_PREFIX)) { - return null; - } - Resource resolved = this.delegate.resolve(subUriPath); - return (resolved != null) ? new LoaderHidingResource(this.base, resolved) : null; - } - - @Override - public boolean isAlias() { - return this.delegate.isAlias(); - } - - @Override - public URI getRealURI() { - return this.delegate.getRealURI(); - } - - @Override - public void copyTo(Path destination) throws IOException { - this.delegate.copyTo(destination); - } - - @Override - public Collection getAllResources() { - return this.delegate.getAllResources().stream().filter(this::nonLoaderResource).toList(); - } - - @Override - public String toString() { - return this.delegate.toString(); - } - - } - /** * {@link AbstractConfiguration} to apply {@code @WebListener} classes. */ diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResource.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResource.java new file mode 100644 index 00000000000..4d76f5df8d7 --- /dev/null +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResource.java 
@@ -0,0 +1,186 @@
+/*
+ * Copyright 2012-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.web.embedded.jetty;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.nio.channels.ReadableByteChannel;
+import java.nio.file.Path;
+import java.time.Instant;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Spliterator;
+import java.util.function.Consumer;
+
+import org.eclipse.jetty.util.resource.CombinedResource;
+import org.eclipse.jetty.util.resource.Resource;
+
+/**
+ * A custom {@link Resource} that hides Spring Boot's loader classes, preventing them from
+ * being served over HTTP.
+ *
+ * @author Andy Wilkinson
+ */
+final class LoaderHidingResource extends Resource {
+
+ private static final String LOADER_RESOURCE_PATH_PREFIX = "/org/springframework/boot/";
+
+ private final Resource base;
+
+ private final Resource delegate;
+
+ LoaderHidingResource(Resource base, Resource delegate) {
+ this.base = base;
+ this.delegate = delegate;
+ }
+
+ @Override
+ public void forEach(Consumer action) {
+ this.delegate.forEach(action);
+ }
+
+ @Override
+ public Path getPath() {
+ return this.delegate.getPath();
+ }
+
+ @Override
+ public boolean isContainedIn(Resource r) {
+ return this.delegate.isContainedIn(r);
+ }
+
+ @Override
+ public Iterator iterator() {
+ if (this.delegate instanceof CombinedResource) {
+ return list().iterator();
+ }
+ return List.of(this).iterator();
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ return this.delegate.equals(obj);
+ }
+
+ @Override
+ public int hashCode() {
+ return this.delegate.hashCode();
+ }
+
+ @Override
+ public boolean exists() {
+ return this.delegate.exists();
+ }
+
+ @Override
+ public Spliterator spliterator() {
+ return this.delegate.spliterator();
+ }
+
+ @Override
+ public boolean isDirectory() {
+ return this.delegate.isDirectory();
+ }
+
+ @Override
+ public boolean isReadable() {
+ return this.delegate.isReadable();
+ }
+
+ @Override
+ public Instant lastModified() {
+ return this.delegate.lastModified();
+ }
+
+ @Override
+ public long length() {
+ return this.delegate.length();
+ }
+
+ @Override
+ public URI getURI() {
+ return this.delegate.getURI();
+ }
+
+ @Override
+ public String getName() {
+ return this.delegate.getName();
+ }
+
+ @Override
+ public String getFileName() {
+ return this.delegate.getFileName();
+ }
+
+ @Override
+ public InputStream newInputStream() throws IOException {
+ return this.delegate.newInputStream();
+ }
+
+ @Override
+ @SuppressWarnings({ "deprecation", "removal" })
+ public ReadableByteChannel newReadableByteChannel() throws IOException {
+ return this.delegate.newReadableByteChannel();
+ }
+
+ @Override
+ public List list() {
+ return this.delegate.list().stream().filter(this::nonLoaderResource).toList();
+ }
+
+ private boolean nonLoaderResource(Resource resource) {
+ Path prefix = this.base.getPath().resolve(Path.of("org", "springframework", "boot"));
+ return !resource.getPath().startsWith(prefix);
+ }
+
+ @Override
+ public Resource resolve(String subUriPath) {
+ if (subUriPath.startsWith(LOADER_RESOURCE_PATH_PREFIX)) {
+ return null;
+ }
+ Resource resolved = this.delegate.resolve(subUriPath);
+ return (resolved != null) ? new LoaderHidingResource(this.base, resolved) : null;
+ }
+
+ @Override
+ public boolean isAlias() {
+ return this.delegate.isAlias();
+ }
+
+ @Override
+ public URI getRealURI() {
+ return this.delegate.getRealURI();
+ }
+
+ @Override
+ public void copyTo(Path destination) throws IOException {
+ this.delegate.copyTo(destination);
+ }
+
+ @Override
+ public Collection getAllResources() {
+ return this.delegate.getAllResources().stream().filter(this::nonLoaderResource).toList();
+ }
+
+ @Override
+ public String toString() {
+ return this.delegate.toString();
+ }
+
+}
From d4e9f458a38a91d60eed4a7f0d3a2597a105ca8a Mon Sep 17 00:00:00 2001 From: Andy Wilkinson Date: Wed, 5 Jun 2024 12:13:43 +0100 Subject: [PATCH 2/2] Fix path handling and wrapping in LoaderHidingResource Closes gh-39472 --- .../embedded/jetty/LoaderHidingResource.java | 18 ++- .../jetty/LoaderHidingResourceTests.java | 104 ++++++++++++++++++ 2 files changed, 118 insertions(+), 4 deletions(-) create mode 100644 spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResourceTests.java
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResource.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResource.java
index 4d76f5df8d7..ed42fc05ddc 100644
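Review bot: In `resolve(String subUriPath)` the loader check is a `startsWith` on the caller-supplied string, whereas `list()` and `getAllResources()` filter on the resolved `Path`, so the two can disagree for any sub-path that is not already in the exact `/org/springframework/boot/` form. Whether Jetty always hands `resolve` a canonical, leading-slash path is not visible in this file, so the hiding should not depend on it. Filtering the result as well keeps both code paths on the same rule, e.g. `return (resolved != null && nonLoaderResource(resolved)) ? new LoaderHidingResource(this.base, resolved) : null;`. A short comment on `LOADER_RESOURCE_PATH_PREFIX` stating which input form it assumes would also help the next reader.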
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResource.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResource.java @@ -41,6 +41,8 @@ final class LoaderHidingResource extends Resource { private static final String LOADER_RESOURCE_PATH_PREFIX = "/org/springframework/boot/"; + private final Path loaderBasePath; + private final Resource base; private final Resource delegate; @@ -48,6 +50,7 @@ final class LoaderHidingResource extends Resource { LoaderHidingResource(Resource base, Resource delegate) { this.base = base; this.delegate = delegate; + this.loaderBasePath = base.getPath().getFileSystem().getPath("/", "org", "springframework", "boot"); } @Override @@ -141,12 +144,19 @@ final class LoaderHidingResource extends Resource { @Override public List list() { - return this.delegate.list().stream().filter(this::nonLoaderResource).toList(); + return asLoaderHidingResources(this.delegate.list()); } private boolean nonLoaderResource(Resource resource) { - Path prefix = this.base.getPath().resolve(Path.of("org", "springframework", "boot")); - return !resource.getPath().startsWith(prefix); + return !resource.getPath().startsWith(this.loaderBasePath); + } + + private List asLoaderHidingResources(Collection resources) { + return resources.stream().filter(this::nonLoaderResource).map(this::asLoaderHidingResource).toList(); + } + + private Resource asLoaderHidingResource(Resource resource) { + return (resource instanceof LoaderHidingResource) ? resource : new LoaderHidingResource(this.base, resource); } @Override @@ -175,7 +185,7 @@ final class LoaderHidingResource extends Resource { @Override public Collection getAllResources() { - return this.delegate.getAllResources().stream().filter(this::nonLoaderResource).toList(); + return asLoaderHidingResources(this.delegate.getAllResources()); } @Override 
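Review bot: The `loaderBasePath` assigned in the constructor is anchored at the root of `base`'s file system (`getPath("/", "org", "springframework", "boot")`), so `nonLoaderResource` only matches when `base` itself is the root of that file system, as with the jar-backed war in the new tests. The removed code resolved the prefix against `base.getPath()`, which also covered a directory-backed base; if such a base can reach this class (not visible here), nothing under it would be hidden by `list()` or `getAllResources()`. Resolving string segments keeps the provider of `base` and stays relative to it: `this.loaderBasePath = base.getPath().resolve("org").resolve("springframework").resolve("boot");`. The constructor also dereferences `base.getPath()` eagerly now, so a base without a backing path fails at construction rather than on first listing.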
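Review bot: `nonLoaderResource` calls `resource.getPath().startsWith(...)` without a null check, and with this change it runs over every element returned by `delegate.list()` and `delegate.getAllResources()` in `asLoaderHidingResources`. `iterator()` shows that the delegate can be a `CombinedResource`, and a Jetty `Resource` is not guaranteed to expose a single `Path`, so a listing could fail with a `NullPointerException` instead of being filtered. An explicit decision is safer, for example `Path path = resource.getPath(); return path == null || !path.startsWith(this.loaderBasePath);` if keeping such entries is acceptable because their children are wrapped and filtered again. The two new helpers would also benefit from a one-line comment saying that children are re-wrapped so the filter applies at every depth.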
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResourceTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResourceTests.java new file mode 100644 index 00000000000..b3b96692421 --- /dev/null +++ b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/jetty/LoaderHidingResourceTests.java 
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2012-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.web.embedded.jetty;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.net.URI;
+import java.nio.file.FileSystems;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.jar.JarOutputStream;
+import java.util.zip.ZipEntry;
+
+import org.eclipse.jetty.util.resource.PathResourceFactory;
+import org.eclipse.jetty.util.resource.Resource;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link LoaderHidingResource}.
+ *
+ * @author Andy Wilkinson
+ */
+class LoaderHidingResourceTests {
+
+ @Test
+ void listHidesLoaderResources(@TempDir File temp) throws IOException {
+ URI warUri = createExampleWar(temp);
+ Resource resource = new PathResourceFactory().newResource(warUri);
+ LoaderHidingResource loaderHidingResource = new LoaderHidingResource(resource, resource);
+ assertThat(deepList(loaderHidingResource)).hasOnlyElementsOfType(LoaderHidingResource.class)
+ .extracting(Resource::getName)
+ .contains("/assets/image.jpg")
+ .doesNotContain("/org/springframework/boot/Loader.class");
+ }
+
+ @Test
+ void getAllResourcesHidesLoaderResources(@TempDir File temp) throws IOException {
+ URI warUri = createExampleWar(temp);
+ Resource resource = new PathResourceFactory().newResource(warUri);
+ LoaderHidingResource loaderHidingResource = new LoaderHidingResource(resource, resource);
+ Collection allResources = loaderHidingResource.getAllResources();
+ assertThat(allResources).hasOnlyElementsOfType(LoaderHidingResource.class)
+ .extracting(Resource::getName)
+ .contains("/assets/image.jpg")
+ .doesNotContain("/org/springframework/boot/Loader.class");
+ }
+
+ @Test
+ void resolveHidesLoaderResources(@TempDir File temp) throws IOException {
+ URI warUri = createExampleWar(temp);
+ Resource resource = new PathResourceFactory().newResource(warUri);
+ LoaderHidingResource loaderHidingResource = new LoaderHidingResource(resource, resource);
+ assertThat(loaderHidingResource.resolve("/assets/image.jpg").exists()).isTrue();
+ assertThat(loaderHidingResource.resolve("/assets/image.jpg")).isInstanceOf(LoaderHidingResource.class);
+ assertThat(loaderHidingResource.resolve("/assets/non-existent.jpg").exists()).isFalse();
+ assertThat(loaderHidingResource.resolve("/assets/non-existent.jpg")).isInstanceOf(LoaderHidingResource.class);
+ assertThat(loaderHidingResource.resolve("/org/springframework/boot/Loader.class")).isNull();
+ }
+
+ private URI createExampleWar(File temp) throws IOException {
+ File exampleWarFile = new File(temp, "example.war");
+ try (JarOutputStream out = new JarOutputStream(new FileOutputStream(exampleWarFile))) {
+ out.putNextEntry(new ZipEntry("org/"));
+ out.putNextEntry(new ZipEntry("org/springframework/"));
+ out.putNextEntry(new ZipEntry("org/springframework/boot/"));
+ out.putNextEntry(new ZipEntry("org/springframework/boot/Loader.class"));
+ out.putNextEntry(new ZipEntry("assets/"));
+ out.putNextEntry(new ZipEntry("assets/image.jpg"));
+ }
+ URI warUri = URI.create("jar:" + exampleWarFile.toURI() + "!/");
+ FileSystems.newFileSystem(warUri, Collections.emptyMap());
+ return warUri;
+ }
+
+ private List deepList(Resource resource) {
+ List all = new ArrayList<>();
+ for (Resource listed : resource.list()) {
+ all.add(listed);
+ all.addAll(deepList(listed));
+ }
+ return all;
+ }
+
+}
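Review bot: `createExampleWar` opens a zip file system with `FileSystems.newFileSystem(warUri, Collections.emptyMap())` and never closes it, so every test leaves an open handle on `example.war` inside its `@TempDir`, which can make temp-directory cleanup fail on platforms that lock open files. Keeping the returned `FileSystem` and closing it in an `@AfterEach` (or try-with-resources around the assertions) would avoid that. Coverage is also limited to a jar-backed base and to the exact `/org/springframework/boot/Loader.class` string in `resolveHidesLoaderResources`. Since this class exists to keep loader classes from being served, a directory-backed base and a loader path in a non-canonical form would be worth pinning down with assertions that the resource is still hidden.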