getResourcePaths(String) allows navigation through the loader's directory structure when using Tomcat

[wilkinsona]

While we prevent individual ServletContext.getResource(String) requests for the loader and do not allow it to be served static resources, when using Tomcat getResourcePath(String) will return paths that allow navigation of the loader's directory structure. The same is not possible when using Jetty. We should see if we can prevent it with Tomcat as well.

[larsgrefer]

The fix for this should be trivial. Just filter out all paths starting with org/springframework/boot/loader in org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.LoaderHidingWebResourceSet#listWebAppPaths

this might be a candidate for a first-timers-only issue

[adavid9]

Closed above PR as I missed up to configure the codeStyleConfig.xml If you don't mind I will create new PR when configure all of those things.

[snicoll]

@adavid9 there is no need to create another PR, please push additional commits on your branch and the existing PR will be updated automatically.

[adavid9]

I had to close previously PR, because I did not create it on a separate branch I missed it somehow, sorry.

[snicoll]

No problem @adavid9 and thanks for your efforts!

[wilkinsona]

Closing in favour of #17538.