Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12208 from jetty/jetty-12.0.x-11434-AliasCheckerSymlinkTests 

Issue #11434 - resolve differences in AliasCheckerSymlinkTests
This commit is contained in:
Lachlan 2024-09-03 10:02:56 +10:00 committed by GitHub
parent 551710e9bb 4164ab782b
commit 899c005e34
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
20 changed files with 386 additions and 527 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
View File

@ -1074,6 +1074,12 @@ public class ContextHandler extends Handler.Wrapper implements Attributes, Alias
protected boolean handleByContextHandler(String pathInContext, ContextRequest request, Response response, Callback callback) protected boolean handleByContextHandler(String pathInContext, ContextRequest request, Response response, Callback callback)
{ {
if (isProtectedTarget(pathInContext))
{
Response.writeError(request, response, callback, HttpStatus.NOT_FOUND_404, null);
return true;
}
return false; return false;
} }

9
jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletContextHandler.java
View File

@ -62,7 +62,6 @@ import jakarta.servlet.descriptor.JspPropertyGroupDescriptor;
import jakarta.servlet.descriptor.TaglibDescriptor; import jakarta.servlet.descriptor.TaglibDescriptor;
import jakarta.servlet.http.HttpServlet; import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSessionActivationListener; import jakarta.servlet.http.HttpSessionActivationListener;
import jakarta.servlet.http.HttpSessionAttributeListener; import jakarta.servlet.http.HttpSessionAttributeListener;
import jakarta.servlet.http.HttpSessionBindingListener; import jakarta.servlet.http.HttpSessionBindingListener;
@ -1191,12 +1190,8 @@ public class ServletContextHandler extends ContextHandler
protected boolean handleByContextHandler(String pathInContext, ContextRequest request, Response response, Callback callback) protected boolean handleByContextHandler(String pathInContext, ContextRequest request, Response response, Callback callback)
{ {
boolean initialDispatch = request instanceof ServletContextRequest; boolean initialDispatch = request instanceof ServletContextRequest;
if (initialDispatch && isProtectedTarget(pathInContext)) if (!initialDispatch)
{ return false;
Response.writeError(request, response, callback, HttpServletResponse.SC_NOT_FOUND, null);
return true;
}
return super.handleByContextHandler(pathInContext, request, response, callback); return super.handleByContextHandler(pathInContext, request, response, callback);
} }

324
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/java/org/eclipse/jetty/ee10/test/AliasCheckerSymlinkTest.java
View File

@ -1,324 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
//
// This program and the accompanying materials are made available under the
// terms of the Eclipse Public License v. 2.0 which is available at
// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
// which is available at https://www.apache.org/licenses/LICENSE-2.0.
//
// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
// ========================================================================
//
package org.eclipse.jetty.ee10.test;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;
import org.eclipse.jetty.client.ContentResponse;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.ee10.servlet.DefaultServlet;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.server.AliasCheck;
import org.eclipse.jetty.server.AllowedResourceAliasChecker;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.HotSwapHandler;
import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.resource.ResourceFactory;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.junit.jupiter.api.Assertions.assertNotNull;
public class AliasCheckerSymlinkTest
{
private static Server _server;
private static ServerConnector _connector;
private static HttpClient _client;
private static HotSwapHandler _hotSwapHandler;
private static ServletContextHandler _context1;
private static ServletContextHandler _context2;
private static final List<Path> _createdFiles = new ArrayList<>();
private static Path getResource(String path) throws Exception
{
URL url = AliasCheckerSymlinkTest.class.getClassLoader().getResource(path);
assertNotNull(url);
return new File(url.toURI()).toPath();
}
private static void delete(Path path)
{
IO.delete(path.toFile());
}
private static void setAliasChecker(ContextHandler contextHandler, AliasCheck aliasChecker) throws Exception
{
_hotSwapHandler.setHandler(contextHandler);
contextHandler.clearAliasChecks();
if (aliasChecker != null)
contextHandler.addAliasCheck(aliasChecker);
}
private static void createSymbolicLink(Path symlinkFile, Path target) throws IOException
{
delete(symlinkFile);
_createdFiles.add(symlinkFile);
Files.createSymbolicLink(symlinkFile, target).toFile().deleteOnExit();
}
@BeforeAll
public static void beforeAll() throws Exception
{
Path webRootPath = getResource("webroot");
Path combinedPath = getResource("combined");
// Create symlink file that targets inside the webroot directory.
createSymbolicLink(
webRootPath.resolve("symlinkFile"),
webRootPath.resolve("file"));
// Create symlink file that targets outside the webroot directory.
createSymbolicLink(
webRootPath.resolve("symlinkExternalFile"),
getResource("file"));
// Symlink to a directory inside the webroot.
createSymbolicLink(
webRootPath.resolve("symlinkDir"),
webRootPath.resolve("documents"));
// Symlink to a directory parent of the webroot.
createSymbolicLink(
webRootPath.resolve("symlinkParentDir"),
webRootPath.resolve(".."));
// Symlink to a directory outside the webroot.
createSymbolicLink(
webRootPath.resolve("symlinkSiblingDir"),
webRootPath.resolve("../sibling"));
// Symlink to the WEB-INF directory.
createSymbolicLink(
webRootPath.resolve("webInfSymlink"),
webRootPath.resolve("WEB-INF"));
// Symlink file from the combined resource dir to the webroot.
createSymbolicLink(
combinedPath.resolve("combinedSymlinkFile"),
webRootPath.resolve("file"));
// Symlink file from the combined resource dir to the webroot WEB-INF.
createSymbolicLink(
combinedPath.resolve("combinedWebInfSymlink"),
webRootPath.resolve("WEB-INF"));
// Symlink file from the combined resource dir to outside the webroot.
createSymbolicLink(
combinedPath.resolve("externalCombinedSymlinkFile"),
webRootPath.resolve("../sibling"));
// Create and start Server and Client.
_server = new Server();
_server.setDynamic(true);
_connector = new ServerConnector(_server);
_server.addConnector(_connector);
_hotSwapHandler = new HotSwapHandler();
_server.setHandler(_hotSwapHandler);
// Standard tests.
_context1 = new ServletContextHandler();
_context1.setContextPath("/");
_context1.setBaseResourceAsPath(webRootPath);
_context1.setWelcomeFiles(new String[]{"index.html"});
_context1.setProtectedTargets(new String[]{"/WEB-INF", "/META-INF"});
_context1.getMimeTypes().addMimeMapping("txt", "text/plain;charset=utf-8");
_context1.addServlet(DefaultServlet.class, "/");
_context1.clearAliasChecks();
// CombinedResource tests.
ResourceFactory resourceFactory = ResourceFactory.of(_server);
Resource resource = ResourceFactory.combine(
resourceFactory.newResource(webRootPath),
resourceFactory.newResource(getResource("combined")));
_context2 = new ServletContextHandler();
_context2.setContextPath("/");
_context2.setBaseResource(resource);
_context2.setWelcomeFiles(new String[]{"index.html"});
_context2.setProtectedTargets(new String[]{"/WEB-INF", "/META-INF"});
_context2.getMimeTypes().addMimeMapping("txt", "text/plain;charset=utf-8");
_context2.addServlet(DefaultServlet.class, "/");
_context2.clearAliasChecks();
_server.start();
_client = new HttpClient();
_client.start();
}
@AfterAll
public static void afterAll() throws Exception
{
// Try to delete all files now so that the symlinks do not confuse other tests.
for (Path p : _createdFiles)
{
try
{
Files.delete(p);
}
catch (Throwable t)
{
// Ignored.
}
}
_createdFiles.clear();
_client.stop();
_server.stop();
}
private static class ApproveAliases implements AliasCheck
{
@Override
public boolean checkAlias(String pathInContext, Resource resource)
{
return true;
}
}
public static Stream<Arguments> testCases()
{
return testCases(_context1);
}
public static Stream<Arguments> testCases(ContextHandler context)
{
AllowedResourceAliasChecker allowedResource = new AllowedResourceAliasChecker(context);
SymlinkAllowedResourceAliasChecker symlinkAllowedResource = new SymlinkAllowedResourceAliasChecker(context);
ApproveAliases approveAliases = new ApproveAliases();
return Stream.of(
// AllowedResourceAliasChecker that checks the target of symlinks.
Arguments.of(allowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(allowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
// SymlinkAllowedResourceAliasChecker that does not check the target of symlinks, but only approves files obtained through a symlink.
Arguments.of(symlinkAllowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
Arguments.of(symlinkAllowedResource, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(symlinkAllowedResource, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
// The ApproveAliases (approves everything regardless).
Arguments.of(approveAliases, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(approveAliases, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."),
Arguments.of(approveAliases, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(approveAliases, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(approveAliases, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
Arguments.of(approveAliases, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(approveAliases, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
// No alias checker (any symlink should be an alias).
Arguments.of(null, "/symlinkFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkParentDir/webroot/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
// We should only be able to list contents of a symlinked directory if the alias checker is installed.
Arguments.of(null, "/symlinkDir", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkDir", HttpStatus.OK_200, null)
);
}
public static Stream<Arguments> combinedResourceTestCases()
{
AllowedResourceAliasChecker allowedResource = new AllowedResourceAliasChecker(_context2);
SymlinkAllowedResourceAliasChecker symlinkAllowedResource = new SymlinkAllowedResourceAliasChecker(_context2);
Stream<Arguments> combinedResourceTests = Stream.of(
Arguments.of(allowedResource, "/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/combinedFile", HttpStatus.OK_200, "This is a file in the combined resource dir."),
Arguments.of(allowedResource, "/WEB-INF/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/files", HttpStatus.OK_200, "Directory: /files/|/files/file1|/files/file2"),
Arguments.of(allowedResource, "/files/file1", HttpStatus.OK_200, "file1 from combined dir"),
Arguments.of(allowedResource, "/files/file2", HttpStatus.OK_200, "file1 from webroot"),
Arguments.of(allowedResource, "/combinedSymlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/externalCombinedSymlinkFile/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/combinedWebInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(symlinkAllowedResource, "/combinedSymlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/externalCombinedSymlinkFile/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(symlinkAllowedResource, "/combinedWebInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file.")
);
return Stream.concat(testCases(_context2), combinedResourceTests);
}
@ParameterizedTest
@MethodSource("testCases")
public void test(AliasCheck aliasChecker, String path, int httpStatus, String responseContent) throws Exception
{
setAliasChecker(_context1, aliasChecker);
URI uri = URI.create("http://localhost:" + _connector.getLocalPort() + path);
ContentResponse response = _client.GET(uri);
assertThat(response.getStatus(), is(httpStatus));
if (responseContent != null)
assertThat(response.getContentAsString(), is(responseContent));
}
@ParameterizedTest
@MethodSource("combinedResourceTestCases")
public void testCombinedResource(AliasCheck aliasChecker, String path, int httpStatus, String responseContent) throws Exception
{
setAliasChecker(_context2, aliasChecker);
URI uri = URI.create("http://localhost:" + _connector.getLocalPort() + path);
ContentResponse response = _client.GET(uri);
assertThat(response.getStatus(), is(httpStatus));
if (responseContent != null)
{
if (responseContent.contains("|"))
{
for (String s : responseContent.split("\\|"))
{
assertThat("Could not find " + s, response.getContentAsString(), containsString(s));
}
}
else
{
assertThat(response.getContentAsString(), equalTo(responseContent));
}
}
}
}

1
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/altDir1/file1
View File

@ -1 +0,0 @@
file 1 contents

1
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/altDir2/file2
View File

@ -1 +0,0 @@
file 2 contents

1
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/sibling/file
View File

@ -1 +0,0 @@
This file is inside a sibling dir to webroot.

1
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/webroot/WEB-INF/web.xml
View File

@ -1 +0,0 @@
This is the web.xml file.

1
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/webroot/documents/file
View File

@ -1 +0,0 @@
This file is inside webroot/documents.

1
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/webroot/file
View File

@ -1 +0,0 @@
This file is inside webroot.

4
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/webroot/index.html
View File

@ -1,4 +0,0 @@
<html>
<h1>hello world</h1>
<p>body of index.html</p>
</html>

277
jetty-ee9/jetty-ee9-tests/jetty-ee9-test-integration/src/test/java/org/eclipse/jetty/ee9/test/AliasCheckerSymlinkTest.java
View File

@ -14,10 +14,13 @@
package org.eclipse.jetty.ee9.test; package org.eclipse.jetty.ee9.test;
import java.io.File; import java.io.File;
import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.net.URL; import java.net.URL;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream; import java.util.stream.Stream;
import org.eclipse.jetty.client.ContentResponse; import org.eclipse.jetty.client.ContentResponse;
@ -30,8 +33,10 @@ import org.eclipse.jetty.server.AllowedResourceAliasChecker;
import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker; import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker;
import org.eclipse.jetty.server.handler.HotSwapHandler;
import org.eclipse.jetty.util.IO; import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.resource.Resource; import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.resource.ResourceFactory;
import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.ParameterizedTest;
@ -39,6 +44,8 @@ import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource; import org.junit.jupiter.params.provider.MethodSource;
import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNotNull;
@ -47,15 +54,11 @@ public class AliasCheckerSymlinkTest
private static Server _server; private static Server _server;
private static ServerConnector _connector; private static ServerConnector _connector;
private static HttpClient _client; private static HttpClient _client;
private static ServletContextHandler _context; private static HotSwapHandler _hotSwapHandler;
private static ServletContextHandler _context1;
private static ServletContextHandler _context2;
private static Path _symlinkFile; private static final List<Path> _createdFiles = new ArrayList<>();
private static Path _symlinkExternalFile;
private static Path _symlinkDir;
private static Path _symlinkParentDir;
private static Path _symlinkSiblingDir;
private static Path _webInfSymlink;
private static Path _webrootSymlink;
private static Path getResource(String path) throws Exception private static Path getResource(String path) throws Exception
{ {
@ -69,69 +72,102 @@ public class AliasCheckerSymlinkTest
IO.delete(path.toFile()); IO.delete(path.toFile());
} }
private static void setAliasChecker(AliasCheck aliasChecker) private static void setAliasChecker(ServletContextHandler contextHandler, AliasCheck aliasChecker) throws Exception
{ {
_context.clearAliasChecks(); _hotSwapHandler.setHandler(contextHandler);
contextHandler.clearAliasChecks();
if (aliasChecker != null) if (aliasChecker != null)
_context.addAliasCheck(aliasChecker); contextHandler.addAliasCheck(aliasChecker);
}
private static void createSymbolicLink(Path symlinkFile, Path target) throws IOException
{
delete(symlinkFile);
_createdFiles.add(symlinkFile);
Files.createSymbolicLink(symlinkFile, target).toFile().deleteOnExit();
} }
@BeforeAll @BeforeAll
public static void beforeAll() throws Exception public static void beforeAll() throws Exception
{ {
Path webRootPath = getResource("webroot"); Path webRootPath = getResource("webroot");
Path fileInWebroot = webRootPath.resolve("file"); Path combinedPath = getResource("combined");
// Create symlink file that targets inside the webroot directory. // Create symlink file that targets inside the webroot directory.
_symlinkFile = webRootPath.resolve("symlinkFile"); createSymbolicLink(
delete(_symlinkFile); webRootPath.resolve("symlinkFile"),
Files.createSymbolicLink(_symlinkFile, fileInWebroot).toFile().deleteOnExit(); webRootPath.resolve("file"));
// Create symlink file that targets outside the webroot directory. // Create symlink file that targets outside the webroot directory.
_symlinkExternalFile = webRootPath.resolve("symlinkExternalFile"); createSymbolicLink(
delete(_symlinkExternalFile); webRootPath.resolve("symlinkExternalFile"),
Files.createSymbolicLink(_symlinkExternalFile, getResource("file")).toFile().deleteOnExit(); getResource("file"));
// Symlink to a directory inside of the webroot. // Symlink to a directory inside the webroot.
_symlinkDir = webRootPath.resolve("symlinkDir"); createSymbolicLink(
delete(_symlinkDir); webRootPath.resolve("symlinkDir"),
Files.createSymbolicLink(_symlinkDir, webRootPath.resolve("documents")).toFile().deleteOnExit(); webRootPath.resolve("documents"));
// Symlink to a directory parent of the webroot. // Symlink to a directory parent of the webroot.
_symlinkParentDir = webRootPath.resolve("symlinkParentDir"); createSymbolicLink(
delete(_symlinkParentDir); webRootPath.resolve("symlinkParentDir"),
Files.createSymbolicLink(_symlinkParentDir, webRootPath.resolve("..")).toFile().deleteOnExit(); webRootPath.resolve(".."));
// Symlink to a directory outside of the webroot. // Symlink to a directory outside the webroot.
_symlinkSiblingDir = webRootPath.resolve("symlinkSiblingDir"); createSymbolicLink(
delete(_symlinkSiblingDir); webRootPath.resolve("symlinkSiblingDir"),
Files.createSymbolicLink(_symlinkSiblingDir, webRootPath.resolve("../sibling")).toFile().deleteOnExit(); webRootPath.resolve("../sibling"));
// Symlink to the WEB-INF directory. // Symlink to the WEB-INF directory.
_webInfSymlink = webRootPath.resolve("webInfSymlink"); createSymbolicLink(
delete(_webInfSymlink); webRootPath.resolve("webInfSymlink"),
Files.createSymbolicLink(_webInfSymlink, webRootPath.resolve("WEB-INF")).toFile().deleteOnExit(); webRootPath.resolve("WEB-INF"));
// Symlink file from the combined resource dir to the webroot.
createSymbolicLink(
combinedPath.resolve("combinedSymlinkFile"),
webRootPath.resolve("file"));
// Symlink file from the combined resource dir to the webroot WEB-INF.
createSymbolicLink(
combinedPath.resolve("combinedWebInfSymlink"),
webRootPath.resolve("WEB-INF"));
// Symlink file from the combined resource dir to outside the webroot.
createSymbolicLink(
combinedPath.resolve("externalCombinedSymlinkFile"),
webRootPath.resolve("../sibling"));
// External symlink to webroot.
_webrootSymlink = webRootPath.resolve("../webrootSymlink");
delete(_webrootSymlink);
Files.createSymbolicLink(_webrootSymlink, webRootPath).toFile().deleteOnExit();
// Create and start Server and Client. // Create and start Server and Client.
_server = new Server(); _server = new Server();
_server.setDynamic(true);
_connector = new ServerConnector(_server); _connector = new ServerConnector(_server);
_server.addConnector(_connector); _server.addConnector(_connector);
_context = new ServletContextHandler(); _hotSwapHandler = new HotSwapHandler();
_context.setContextPath("/"); _server.setHandler(_hotSwapHandler);
_context.setBaseResourceAsPath(webRootPath);
_context.setWelcomeFiles(new String[]{"index.html"});
_context.setProtectedTargets(new String[]{"/WEB-INF", "/META-INF"});
_context.getMimeTypes().addMimeMapping("txt", "text/plain;charset=utf-8");
_server.setHandler(_context);
_context.addServlet(DefaultServlet.class, "/");
_context.clearAliasChecks();
_server.start();
// Standard tests.
_context1 = new ServletContextHandler();
_context1.setContextPath("/");
_context1.setBaseResourceAsPath(webRootPath);
_context1.setProtectedTargets(new String[]{"/WEB-INF", "/META-INF"});
_context1.addServlet(DefaultServlet.class, "/");
_context1.clearAliasChecks();
// CombinedResource tests.
ResourceFactory resourceFactory = ResourceFactory.of(_server);
Resource resource = ResourceFactory.combine(
resourceFactory.newResource(webRootPath),
resourceFactory.newResource(getResource("combined")));
_context2 = new ServletContextHandler();
_context2.setContextPath("/");
_context2.setBaseResource(resource);
_context2.setProtectedTargets(new String[]{"/WEB-INF", "/META-INF"});
_context2.addServlet(DefaultServlet.class, "/");
_context2.clearAliasChecks();
_server.start();
_client = new HttpClient(); _client = new HttpClient();
_client.start(); _client.start();
} }
@ -140,13 +176,18 @@ public class AliasCheckerSymlinkTest
public static void afterAll() throws Exception public static void afterAll() throws Exception
{ {
// Try to delete all files now so that the symlinks do not confuse other tests. // Try to delete all files now so that the symlinks do not confuse other tests.
Files.delete(_symlinkFile); for (Path p : _createdFiles)
Files.delete(_symlinkExternalFile); {
Files.delete(_symlinkDir); try
Files.delete(_symlinkParentDir); {
Files.delete(_symlinkSiblingDir); Files.delete(p);
Files.delete(_webInfSymlink); }
Files.delete(_webrootSymlink); catch (Throwable t)
{
// Ignored.
}
}
_createdFiles.clear();
_client.stop(); _client.stop();
_server.stop(); _server.stop();
@ -160,61 +201,119 @@ public class AliasCheckerSymlinkTest
return true; return true;
} }
} }
public static Stream<Arguments> testCases() public static Stream<Arguments> testCases()
{ {
AllowedResourceAliasChecker allowedResource = new AllowedResourceAliasChecker(_context.getCoreContextHandler()); return testCases(_context1);
SymlinkAllowedResourceAliasChecker symlinkAllowedResource = new SymlinkAllowedResourceAliasChecker(_context.getCoreContextHandler()); }
public static Stream<Arguments> testCases(ServletContextHandler context)
{
AllowedResourceAliasChecker allowedResource = new AllowedResourceAliasChecker(context.getCoreContextHandler());
SymlinkAllowedResourceAliasChecker symlinkAllowedResource = new SymlinkAllowedResourceAliasChecker(context.getCoreContextHandler());
ApproveAliases approveAliases = new ApproveAliases(); ApproveAliases approveAliases = new ApproveAliases();
return Stream.of( return Stream.of(
// AllowedResourceAliasChecker that checks the target of symlinks. // AllowedResourceAliasChecker that checks the target of symlinks.
Arguments.of(allowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(allowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null), Arguments.of(allowedResource, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."), Arguments.of(allowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(allowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(allowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null), Arguments.of(allowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null), Arguments.of(allowedResource, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null), Arguments.of(allowedResource, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
// SymlinkAllowedResourceAliasChecker that does not check the target of symlinks, but only approves files obtained through a symlink. // SymlinkAllowedResourceAliasChecker that does not check the target of symlinks, but only approves files obtained through a symlink.
Arguments.of(symlinkAllowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(symlinkAllowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."), Arguments.of(symlinkAllowedResource, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."), Arguments.of(symlinkAllowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."), Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
Arguments.of(symlinkAllowedResource, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."), Arguments.of(symlinkAllowedResource, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(symlinkAllowedResource, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."), Arguments.of(symlinkAllowedResource, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
// The ApproveAliases (approves everything regardless). // The ApproveAliases (approves everything regardless).
Arguments.of(approveAliases, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(approveAliases, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(approveAliases, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."), Arguments.of(approveAliases, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."),
Arguments.of(approveAliases, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."), Arguments.of(approveAliases, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(approveAliases, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(approveAliases, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(approveAliases, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."), Arguments.of(approveAliases, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
Arguments.of(approveAliases, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."), Arguments.of(approveAliases, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(approveAliases, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."), Arguments.of(approveAliases, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
// No alias checker (any symlink should be an alias). // No alias checker (any symlink should be an alias).
Arguments.of(null, "/symlinkFile", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkDir/file", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkParentDir/webroot/file", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkParentDir/webroot/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null) Arguments.of(null, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
// We should only be able to list contents of a symlinked directory if the alias checker is installed.
Arguments.of(null, "/symlinkDir", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkDir", HttpStatus.OK_200, null)
); );
} }
public static Stream<Arguments> combinedResourceTestCases()
{
AllowedResourceAliasChecker allowedResource = new AllowedResourceAliasChecker(_context2.getCoreContextHandler());
SymlinkAllowedResourceAliasChecker symlinkAllowedResource = new SymlinkAllowedResourceAliasChecker(_context2.getCoreContextHandler());
Stream<Arguments> combinedResourceTests = Stream.of(
Arguments.of(allowedResource, "/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/combinedFile", HttpStatus.OK_200, "This is a file in the combined resource dir."),
Arguments.of(allowedResource, "/WEB-INF/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/files", HttpStatus.OK_200, "Directory: /files/|/files/file1|/files/file2"),
Arguments.of(allowedResource, "/files/file1", HttpStatus.OK_200, "file1 from combined dir"),
Arguments.of(allowedResource, "/files/file2", HttpStatus.OK_200, "file1 from webroot"),
Arguments.of(allowedResource, "/combinedSymlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/externalCombinedSymlinkFile/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/combinedWebInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(symlinkAllowedResource, "/combinedSymlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/externalCombinedSymlinkFile/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(symlinkAllowedResource, "/combinedWebInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file.")
);
return Stream.concat(testCases(_context2), combinedResourceTests);
}
@ParameterizedTest @ParameterizedTest
@MethodSource("testCases") @MethodSource("testCases")
public void test(AliasCheck aliasChecker, String path, int httpStatus, String responseContent) throws Exception public void test(AliasCheck aliasChecker, String path, int httpStatus, String responseContent) throws Exception
{ {
setAliasChecker(aliasChecker); setAliasChecker(_context1, aliasChecker);
URI uri = URI.create("http://localhost:" + _connector.getLocalPort() + path); URI uri = URI.create("http://localhost:" + _connector.getLocalPort() + path);
ContentResponse response = _client.GET(uri); ContentResponse response = _client.GET(uri);
assertThat(response.getStatus(), is(httpStatus)); assertThat(response.getStatus(), is(httpStatus));
if (responseContent != null) if (responseContent != null)
assertThat(response.getContentAsString(), is(responseContent)); assertThat(response.getContentAsString(), is(responseContent));
} }
@ParameterizedTest
@MethodSource("combinedResourceTestCases")
public void testCombinedResource(AliasCheck aliasChecker, String path, int httpStatus, String responseContent) throws Exception
{
setAliasChecker(_context2, aliasChecker);
URI uri = URI.create("http://localhost:" + _connector.getLocalPort() + path);
ContentResponse response = _client.GET(uri);
assertThat(response.getStatus(), is(httpStatus));
if (responseContent != null)
{
if (responseContent.contains("|"))
{
for (String s : responseContent.split("\\|"))
{
assertThat("Could not find " + s, response.getContentAsString(), containsString(s));
}
}
else
{
assertThat(response.getContentAsString(), equalTo(responseContent));
}
}
}
} }

0
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/combined/WEB-INF/file → jetty-ee9/jetty-ee9-tests/jetty-ee9-test-integration/src/test/resources/combined/WEB-INF/file
View File

0
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/combined/combinedFile → jetty-ee9/jetty-ee9-tests/jetty-ee9-test-integration/src/test/resources/combined/combinedFile
View File

0
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/combined/files/file1 → jetty-ee9/jetty-ee9-tests/jetty-ee9-test-integration/src/test/resources/combined/files/file1
View File

0
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-integration/src/test/resources/webroot/files/file2 → jetty-ee9/jetty-ee9-tests/jetty-ee9-test-integration/src/test/resources/webroot/files/file2
View File

283
tests/test-integration/src/test/java/org/eclipse/jetty/test/AliasCheckerSymlinkTest.java
View File

@ -14,10 +14,13 @@
package org.eclipse.jetty.test; package org.eclipse.jetty.test;
import java.io.File; import java.io.File;
import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.net.URL; import java.net.URL;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream; import java.util.stream.Stream;
import org.eclipse.jetty.client.ContentResponse; import org.eclipse.jetty.client.ContentResponse;
@ -29,9 +32,11 @@ import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker; import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker;
import org.eclipse.jetty.server.handler.ContextHandler; import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.HotSwapHandler;
import org.eclipse.jetty.server.handler.ResourceHandler; import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.util.IO; import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.resource.Resource; import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.resource.ResourceFactory;
import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.ParameterizedTest;
@ -39,6 +44,8 @@ import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource; import org.junit.jupiter.params.provider.MethodSource;
import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNotNull;
@ -47,16 +54,11 @@ public class AliasCheckerSymlinkTest
private static Server _server; private static Server _server;
private static ServerConnector _connector; private static ServerConnector _connector;
private static HttpClient _client; private static HttpClient _client;
private static ContextHandler _context; private static HotSwapHandler _hotSwapHandler;
private static ContextHandler _context1;
private static ContextHandler _context2;
private static Path _symlinkFile; private static final List<Path> _createdFiles = new ArrayList<>();
private static Path _symlinkExternalFile;
private static Path _symlinkDir;
private static Path _symlinkParentDir;
private static Path _symlinkSiblingDir;
private static Path _webInfSymlink;
private static Path _webrootSymlink;
private static Path _protectedFile;
private static Path getResource(String path) throws Exception private static Path getResource(String path) throws Exception
{ {
@ -70,73 +72,102 @@ public class AliasCheckerSymlinkTest
IO.delete(path.toFile()); IO.delete(path.toFile());
} }
private static void setAliasChecker(AliasCheck aliasChecker) private static void setAliasChecker(ContextHandler contextHandler, AliasCheck aliasChecker) throws Exception
{ {
_context.clearAliasChecks(); _hotSwapHandler.setHandler(contextHandler);
contextHandler.clearAliasChecks();
if (aliasChecker != null) if (aliasChecker != null)
_context.addAliasCheck(aliasChecker); contextHandler.addAliasCheck(aliasChecker);
}
private static void createSymbolicLink(Path symlinkFile, Path target) throws IOException
{
delete(symlinkFile);
_createdFiles.add(symlinkFile);
Files.createSymbolicLink(symlinkFile, target).toFile().deleteOnExit();
} }
@BeforeAll @BeforeAll
public static void beforeAll() throws Exception public static void beforeAll() throws Exception
{ {
Path webRootPath = getResource("webroot"); Path webRootPath = getResource("webroot");
Path fileInWebroot = webRootPath.resolve("file"); Path combinedPath = getResource("combined");
// Create symlink file that targets inside the webroot directory. // Create symlink file that targets inside the webroot directory.
_symlinkFile = webRootPath.resolve("symlinkFile"); createSymbolicLink(
delete(_symlinkFile); webRootPath.resolve("symlinkFile"),
Files.createSymbolicLink(_symlinkFile, fileInWebroot).toFile().deleteOnExit(); webRootPath.resolve("file"));
// Create symlink file that targets outside the webroot directory. // Create symlink file that targets outside the webroot directory.
_symlinkExternalFile = webRootPath.resolve("symlinkExternalFile"); createSymbolicLink(
delete(_symlinkExternalFile); webRootPath.resolve("symlinkExternalFile"),
Files.createSymbolicLink(_symlinkExternalFile, getResource("file")).toFile().deleteOnExit(); getResource("file"));
// Symlink to a directory inside of the webroot. // Symlink to a directory inside the webroot.
_symlinkDir = webRootPath.resolve("symlinkDir"); createSymbolicLink(
delete(_symlinkDir); webRootPath.resolve("symlinkDir"),
Files.createSymbolicLink(_symlinkDir, webRootPath.resolve("documents")).toFile().deleteOnExit(); webRootPath.resolve("documents"));
// Symlink to a directory parent of the webroot. // Symlink to a directory parent of the webroot.
_symlinkParentDir = webRootPath.resolve("symlinkParentDir"); createSymbolicLink(
delete(_symlinkParentDir); webRootPath.resolve("symlinkParentDir"),
Files.createSymbolicLink(_symlinkParentDir, webRootPath.resolve("..")).toFile().deleteOnExit(); webRootPath.resolve(".."));
// Symlink to a directory outside of the webroot. // Symlink to a directory outside the webroot.
_symlinkSiblingDir = webRootPath.resolve("symlinkSiblingDir"); createSymbolicLink(
delete(_symlinkSiblingDir); webRootPath.resolve("symlinkSiblingDir"),
Files.createSymbolicLink(_symlinkSiblingDir, webRootPath.resolve("../sibling")).toFile().deleteOnExit(); webRootPath.resolve("../sibling"));
// Symlink to the WEB-INF directory. // Symlink to the WEB-INF directory.
_webInfSymlink = webRootPath.resolve("webInfSymlink"); createSymbolicLink(
delete(_webInfSymlink); webRootPath.resolve("webInfSymlink"),
Files.createSymbolicLink(_webInfSymlink, webRootPath.resolve("WEB-INF")).toFile().deleteOnExit(); webRootPath.resolve("WEB-INF"));
// External symlink to webroot. // Symlink file from the combined resource dir to the webroot.
_webrootSymlink = webRootPath.resolve("../webrootSymlink"); createSymbolicLink(
delete(_webrootSymlink); combinedPath.resolve("combinedSymlinkFile"),
Files.createSymbolicLink(_webrootSymlink, webRootPath).toFile().deleteOnExit(); webRootPath.resolve("file"));
// Symlink file from the combined resource dir to the webroot WEB-INF.
createSymbolicLink(
combinedPath.resolve("combinedWebInfSymlink"),
webRootPath.resolve("WEB-INF"));
// Symlink file from the combined resource dir to outside the webroot.
createSymbolicLink(
combinedPath.resolve("externalCombinedSymlinkFile"),
webRootPath.resolve("../sibling"));
// PROTECTED is a symlink to a file outside webroot.
_protectedFile = webRootPath.resolve("PROTECTED");
IO.delete(_protectedFile);
Files.createSymbolicLink(_protectedFile, webRootPath.resolve("../sibling/file")).toFile().deleteOnExit();
// Create and start Server and Client. // Create and start Server and Client.
_server = new Server(); _server = new Server();
_server.setDynamic(true);
_connector = new ServerConnector(_server); _connector = new ServerConnector(_server);
_server.addConnector(_connector); _server.addConnector(_connector);
_context = new ContextHandler(); _hotSwapHandler = new HotSwapHandler();
_context.setContextPath("/"); _server.setHandler(_hotSwapHandler);
_context.setBaseResourceAsPath(webRootPath);
_context.setProtectedTargets(new String[]{"/WEB-INF", "/META-INF", "/PROTECTED"}); // Standard tests.
_context.setHandler(new ResourceHandler()); _context1 = new ContextHandler();
_context1.setContextPath("/");
_context1.setBaseResourceAsPath(webRootPath);
_context1.setProtectedTargets(new String[]{"/WEB-INF", "/META-INF"});
_context1.setHandler(new ResourceHandler());
_context1.clearAliasChecks();
// CombinedResource tests.
ResourceFactory resourceFactory = ResourceFactory.of(_server);
Resource resource = ResourceFactory.combine(
resourceFactory.newResource(webRootPath),
resourceFactory.newResource(getResource("combined")));
_context2 = new ContextHandler();
_context2.setContextPath("/");
_context2.setBaseResource(resource);
_context2.setProtectedTargets(new String[]{"/WEB-INF", "/META-INF"});
_context2.setHandler(new ResourceHandler());
_context2.clearAliasChecks();
_server.setHandler(_context);
_context.clearAliasChecks();
_server.start(); _server.start();
_client = new HttpClient(); _client = new HttpClient();
_client.start(); _client.start();
} }
@ -145,14 +176,18 @@ public class AliasCheckerSymlinkTest
public static void afterAll() throws Exception public static void afterAll() throws Exception
{ {
// Try to delete all files now so that the symlinks do not confuse other tests. // Try to delete all files now so that the symlinks do not confuse other tests.
Files.delete(_symlinkFile); for (Path p : _createdFiles)
Files.delete(_symlinkExternalFile); {
Files.delete(_symlinkDir); try
Files.delete(_symlinkParentDir); {
Files.delete(_symlinkSiblingDir); Files.delete(p);
Files.delete(_webInfSymlink); }
Files.delete(_webrootSymlink); catch (Throwable t)
Files.delete(_protectedFile); {
// Ignored.
}
}
_createdFiles.clear();
_client.stop(); _client.stop();
_server.stop(); _server.stop();
@ -169,62 +204,116 @@ public class AliasCheckerSymlinkTest
public static Stream<Arguments> testCases() public static Stream<Arguments> testCases()
{ {
AllowedResourceAliasChecker allowedResource = new AllowedResourceAliasChecker(_context); return testCases(_context1);
SymlinkAllowedResourceAliasChecker symlinkAllowedResource = new SymlinkAllowedResourceAliasChecker(_context); }
public static Stream<Arguments> testCases(ContextHandler context)
{
AllowedResourceAliasChecker allowedResource = new AllowedResourceAliasChecker(context);
SymlinkAllowedResourceAliasChecker symlinkAllowedResource = new SymlinkAllowedResourceAliasChecker(context);
ApproveAliases approveAliases = new ApproveAliases(); ApproveAliases approveAliases = new ApproveAliases();
return Stream.of( return Stream.of(
// AllowedResourceAliasChecker that checks the target of symlinks. // AllowedResourceAliasChecker that checks the target of symlinks.
Arguments.of(allowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(allowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null), Arguments.of(allowedResource, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."), Arguments.of(allowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(allowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(allowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null), Arguments.of(allowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null), Arguments.of(allowedResource, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null), Arguments.of(allowedResource, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/PROTECTED", HttpStatus.NOT_FOUND_404, null),
// SymlinkAllowedResourceAliasChecker that does not check the target of symlinks, but only approves files obtained through a symlink. // SymlinkAllowedResourceAliasChecker that does not check the target of symlinks, but only approves files obtained through a symlink.
Arguments.of(symlinkAllowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(symlinkAllowedResource, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."), Arguments.of(symlinkAllowedResource, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."), Arguments.of(symlinkAllowedResource, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."), Arguments.of(symlinkAllowedResource, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
Arguments.of(symlinkAllowedResource, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."), Arguments.of(symlinkAllowedResource, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(symlinkAllowedResource, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."), Arguments.of(symlinkAllowedResource, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
Arguments.of(symlinkAllowedResource, "/PROTECTED", HttpStatus.NOT_FOUND_404, null),
// The ApproveAliases (approves everything regardless). // The ApproveAliases (approves everything regardless).
Arguments.of(approveAliases, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(approveAliases, "/symlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(approveAliases, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."), Arguments.of(approveAliases, "/symlinkExternalFile", HttpStatus.OK_200, "This file is outside webroot."),
Arguments.of(approveAliases, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."), Arguments.of(approveAliases, "/symlinkDir/file", HttpStatus.OK_200, "This file is inside webroot/documents."),
Arguments.of(approveAliases, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."), Arguments.of(approveAliases, "/symlinkParentDir/webroot/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(approveAliases, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."), Arguments.of(approveAliases, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
Arguments.of(approveAliases, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."), Arguments.of(approveAliases, "/symlinkSiblingDir/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(approveAliases, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."), Arguments.of(approveAliases, "/webInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file."),
Arguments.of(approveAliases, "/PROTECTED", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
// No alias checker (any symlink should be an alias). // No alias checker (any symlink should be an alias).
Arguments.of(null, "/symlinkFile", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkExternalFile", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkDir/file", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkParentDir/webroot/file", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkParentDir/webroot/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkParentDir/webroot/WEB-INF/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/symlinkSiblingDir/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null), Arguments.of(null, "/webInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(null, "/PROTECTED", HttpStatus.NOT_FOUND_404, null)
); // We should only be able to list contents of a symlinked directory if the alias checker is installed.
Arguments.of(null, "/symlinkDir", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/symlinkDir", HttpStatus.OK_200, null)
);
}
public static Stream<Arguments> combinedResourceTestCases()
{
AllowedResourceAliasChecker allowedResource = new AllowedResourceAliasChecker(_context2);
SymlinkAllowedResourceAliasChecker symlinkAllowedResource = new SymlinkAllowedResourceAliasChecker(_context2);
Stream<Arguments> combinedResourceTests = Stream.of(
Arguments.of(allowedResource, "/file", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/combinedFile", HttpStatus.OK_200, "This is a file in the combined resource dir."),
Arguments.of(allowedResource, "/WEB-INF/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/files", HttpStatus.OK_200, "Directory: /files/|/files/file1|/files/file2"),
Arguments.of(allowedResource, "/files/file1", HttpStatus.OK_200, "file1 from combined dir"),
Arguments.of(allowedResource, "/files/file2", HttpStatus.OK_200, "file1 from webroot"),
Arguments.of(allowedResource, "/combinedSymlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(allowedResource, "/externalCombinedSymlinkFile/file", HttpStatus.NOT_FOUND_404, null),
Arguments.of(allowedResource, "/combinedWebInfSymlink/web.xml", HttpStatus.NOT_FOUND_404, null),
Arguments.of(symlinkAllowedResource, "/combinedSymlinkFile", HttpStatus.OK_200, "This file is inside webroot."),
Arguments.of(symlinkAllowedResource, "/externalCombinedSymlinkFile/file", HttpStatus.OK_200, "This file is inside a sibling dir to webroot."),
Arguments.of(symlinkAllowedResource, "/combinedWebInfSymlink/web.xml", HttpStatus.OK_200, "This is the web.xml file.")
);
return Stream.concat(testCases(_context2), combinedResourceTests);
} }
@ParameterizedTest @ParameterizedTest
@MethodSource("testCases") @MethodSource("testCases")
public void test(AliasCheck aliasChecker, String path, int httpStatus, String responseContent) throws Exception public void test(AliasCheck aliasChecker, String path, int httpStatus, String responseContent) throws Exception
{ {
setAliasChecker(aliasChecker); setAliasChecker(_context1, aliasChecker);
URI uri = URI.create("http://localhost:" + _connector.getLocalPort() + path); URI uri = URI.create("http://localhost:" + _connector.getLocalPort() + path);
ContentResponse response = _client.GET(uri); ContentResponse response = _client.GET(uri);
assertThat(response.getStatus(), is(httpStatus)); assertThat(response.getStatus(), is(httpStatus));
if (responseContent != null) if (responseContent != null)
assertThat(response.getContentAsString(), is(responseContent)); assertThat(response.getContentAsString(), is(responseContent));
} }
@ParameterizedTest
@MethodSource("combinedResourceTestCases")
public void testCombinedResource(AliasCheck aliasChecker, String path, int httpStatus, String responseContent) throws Exception
{
setAliasChecker(_context2, aliasChecker);
URI uri = URI.create("http://localhost:" + _connector.getLocalPort() + path);
ContentResponse response = _client.GET(uri);
assertThat(response.getStatus(), is(httpStatus));
if (responseContent != null)
{
if (responseContent.contains("|"))
{
for (String s : responseContent.split("\\|"))
{
assertThat("Could not find " + s, response.getContentAsString(), containsString(s));
}
}
else
{
assertThat(response.getContentAsString(), equalTo(responseContent));
}
}
}
} }

1
tests/test-integration/src/test/resources/combined/WEB-INF/file Normal file
View File

@ -0,0 +1 @@
This is in the second WEB-INF dir.

1
tests/test-integration/src/test/resources/combined/combinedFile Normal file
View File

@ -0,0 +1 @@
This is a file in the combined resource dir.

1
tests/test-integration/src/test/resources/combined/files/file1 Normal file
View File

@ -0,0 +1 @@
file1 from combined dir

1
tests/test-integration/src/test/resources/webroot/files/file2 Normal file
View File

@ -0,0 +1 @@
file1 from webroot