Merge pull request #17538 from adavid9

wilkinsona · wilkinsona · commit 173ff87b9868 · 2019-07-18T17:06:35.000+01:00
* gh-17538: Polish "Hide loader classes from Tomcat's ServletContext resource paths" Hide loader classes from Tomcat's ServletContext resource paths Closes gh-17538
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java
@@ -31,6 +31,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import javax.servlet.ServletContainerInitializer;
 
@@ -88,6 +89,7 @@
  * @author Andy Wilkinson
  * @author Eddú Meléndez
  * @author Christoffer Sawicki
+ * @author Dawid Antecki
  * @since 2.0.0
  * @see #setPort(int)
  * @see #setContextLifecycleListeners(Collection)
@@ -751,7 +753,9 @@ public String[] list(String path) {
 
 		@Override
 		public Set<String> listWebAppPaths(String path) {
-			return this.delegate.listWebAppPaths(path);
+			return this.delegate.listWebAppPaths(path).stream()
+					.filter((webAppPath) -> !webAppPath.startsWith("/org/springframework/boot"))
+					.collect(Collectors.toSet());
 		}
 
 		@Override
diff --git a/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/com/example/ResourceHandlingApplication.java b/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/com/example/ResourceHandlingApplication.java
@@ -18,6 +18,8 @@
 
 import java.io.IOException;
 import java.net.URL;
+import java.util.LinkedHashSet;
+import java.util.Set;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -38,31 +40,62 @@
 @SpringBootApplication
 public class ResourceHandlingApplication {
 
+	@Bean
+	public ServletRegistrationBean<?> resourceServletRegistration() {
+		ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(new GetResourceServlet());
+		registration.addUrlMappings("/servletContext");
+		return registration;
+	}
+
+	@Bean
+	public ServletRegistrationBean<?> resourcePathsServletRegistration() {
+		ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(
+				new GetResourcePathsServlet());
+		registration.addUrlMappings("/resourcePaths");
+		return registration;
+	}
+
 	public static void main(String[] args) {
 		new SpringApplicationBuilder(ResourceHandlingApplication.class).properties("server.port:0")
 				.listeners(new WebServerPortFileWriter("target/server.port")).run(args);
 	}
 
-	@Bean
-	public ServletRegistrationBean<?> resourceServletRegistration() {
-		ServletRegistrationBean<?> registration = new ServletRegistrationBean<HttpServlet>(new HttpServlet() {
-
-			@Override
-			protected void doGet(HttpServletRequest req, HttpServletResponse resp)
-					throws ServletException, IOException {
-				URL resource = getServletContext().getResource(req.getQueryString());
-				if (resource == null) {
-					resp.sendError(404);
-				}
-				else {
-					resp.getWriter().println(resource);
-					resp.getWriter().flush();
+	private static final class GetResourcePathsServlet extends HttpServlet {
+
+		@Override
+		protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+			collectResourcePaths("/").forEach(resp.getWriter()::println);
+			resp.getWriter().flush();
+		}
+
+		private Set<String> collectResourcePaths(String path) {
+			Set<String> allResourcePaths = new LinkedHashSet<>();
+			Set<String> pathsForPath = getServletContext().getResourcePaths(path);
+			if (pathsForPath != null) {
+				for (String resourcePath : pathsForPath) {
+					allResourcePaths.add(resourcePath);
+					allResourcePaths.addAll(collectResourcePaths(resourcePath));
 				}
 			}
+			return allResourcePaths;
+		}
+
+	}
+
+	private static final class GetResourceServlet extends HttpServlet {
+
+		@Override
+		protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+			URL resource = getServletContext().getResource(req.getQueryString());
+			if (resource == null) {
+				resp.sendError(404);
+			}
+			else {
+				resp.getWriter().println(resource);
+				resp.getWriter().flush();
+			}
+		}
 
-		});
-		registration.addUrlMappings("/servletContext");
-		return registration;
 	}
 
 }
diff --git a/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/org/springframework/boot/context/embedded/EmbeddedServletContainerWarDevelopmentIntegrationTests.java b/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/org/springframework/boot/context/embedded/EmbeddedServletContainerWarDevelopmentIntegrationTests.java
@@ -16,7 +16,13 @@
 
 package org.springframework.boot.context.embedded;
 
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -67,4 +73,29 @@ public void webappResourcesAreAvailableViaHttp() {
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 	}
 
+	@Test
+	public void loaderClassesAreNotAvailableViaResourcePaths() {
+		ResponseEntity<String> entity = this.rest.getForEntity("/resourcePaths", String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(readLines(entity.getBody()))
+				.noneMatch((resourcePath) -> resourcePath.startsWith("/org/springframework/boot/loader"));
+	}
+
+	private List<String> readLines(String input) {
+		if (input == null) {
+			return Collections.emptyList();
+		}
+		List<String> lines = new ArrayList<>();
+		try (BufferedReader reader = new BufferedReader(new StringReader(input))) {
+			String line;
+			while ((line = reader.readLine()) != null) {
+				lines.add(line);
+			}
+			return lines;
+		}
+		catch (IOException ex) {
+			throw new RuntimeException("Failed to read lines from input '" + input + "'");
+		}
+	}
+
 }
diff --git a/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/org/springframework/boot/context/embedded/EmbeddedServletContainerWarPackagingIntegrationTests.java b/spring-boot-tests/spring-boot-integration-tests/spring-boot-server-tests/src/test/java/org/springframework/boot/context/embedded/EmbeddedServletContainerWarPackagingIntegrationTests.java
@@ -16,7 +16,13 @@
 
 package org.springframework.boot.context.embedded;
 
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -90,4 +96,29 @@ public void loaderClassesAreNotAvailableViaHttp() {
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
 	}
 
+	@Test
+	public void loaderClassesAreNotAvailableViaResourcePaths() {
+		ResponseEntity<String> entity = this.rest.getForEntity("/resourcePaths", String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(readLines(entity.getBody()))
+				.noneMatch((resourcePath) -> resourcePath.startsWith("/org/springframework/boot/loader"));
+	}
+
+	private List<String> readLines(String input) {
+		if (input == null) {
+			return Collections.emptyList();
+		}
+		List<String> lines = new ArrayList<>();
+		try (BufferedReader reader = new BufferedReader(new StringReader(input))) {
+			String line;
+			while ((line = reader.readLine()) != null) {
+				lines.add(line);
+			}
+			return lines;
+		}
+		catch (IOException ex) {
+			throw new RuntimeException("Failed to read lines from input '" + input + "'");
+		}
+	}
+
 }
