/**
 * Resolves the request path by delegating to this link's resolver, handing it the
 * remainder of the chain.
 *
 * @param exchange the current exchange, may be {@code null}
 * @param requestPath the portion of the request path to resolve
 * @param locations the locations to search when looking up resources
 * @return the resolver's result, or an empty {@code Mono} when this link has no
 * resolver or no next chain to pass on
 */
@Override
public Mono<Resource> resolveResource(@Nullable ServerWebExchange exchange, String requestPath,
		List<? extends Resource> locations) {

	// Without both a resolver and a continuation there is nothing to delegate to:
	// report "not resolved" as an empty Mono rather than null.
	if (this.resolver == null || this.nextChain == null) {
		return Mono.empty();
	}
	return this.resolver.resolveResource(exchange, requestPath, locations, this.nextChain);
}
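/**
 * Checks that the handler's upfront path validation rejects request paths that try to
 * leave the configured location, before any resolved {@code Resource} is read.
 *
 * <p>The cases cover relative {@code ..} segments, {@code file:} and {@code url:}
 * prefixes, and percent-encoded dot and slash sequences. The two-argument
 * {@code testInvalidPath(String, ResourceWebHandler)} helper is defined elsewhere in
 * this class; presumably it asserts that the request is rejected (confirm there).
 */
@Test
public void testInvalidPath() throws Exception {

	// Use mock ResourceResolver: i.e. we're only testing upfront validations...
	// The mocked Resource throws on any read, so a path that slips past validation
	// and reaches the resolved resource fails the test loudly.
	Resource resource = mock(Resource.class);
	when(resource.getFilename()).thenThrow(new AssertionError("Resource should not be resolved"));
	when(resource.getInputStream()).thenThrow(new AssertionError("Resource should not be resolved"));
	ResourceResolver resolver = mock(ResourceResolver.class);
	when(resolver.resolveResource(any(), any(), any(), any())).thenReturn(Mono.just(resource));

	ResourceWebHandler handler = new ResourceWebHandler();
	handler.setLocations(Collections.singletonList(new ClassPathResource("test/", getClass())));
	handler.setResourceResolvers(Collections.singletonList(resolver));
	handler.afterPropertiesSet();

	// Relative traversal out of a classpath location.
	testInvalidPath("../testsecret/secret.txt", handler);
	testInvalidPath("test/../../testsecret/secret.txt", handler);
	testInvalidPath(":/../../testsecret/secret.txt", handler);

	// Switch the handler under test to a URL-based location. The original called
	// this.handler.setLocations(...), which changed the shared fixture instead of the
	// local handler passed to the assertions below, so the URL-location cases never
	// ran against a URL location.
	Resource location = new UrlResource(getClass().getResource("./test/"));
	handler.setLocations(Collections.singletonList(location));
	Resource secretResource = new UrlResource(getClass().getResource("testsecret/secret.txt"));
	String secretPath = secretResource.getURL().getPath();

	// Scheme-style prefixes and absolute traversal.
	testInvalidPath("file:" + secretPath, handler);
	testInvalidPath("/file:" + secretPath, handler);
	testInvalidPath("url:" + secretPath, handler);
	testInvalidPath("/url:" + secretPath, handler);
	testInvalidPath("/../.." + secretPath, handler);

	// Percent-encoded dot segments and slashes.
	// NOTE(review): the original listed "/%2E%2E/testsecret/secret.txt" twice, character
	// for character; the exact duplicate is dropped here. If a second encoding variant
	// was intended, it should be added explicitly.
	testInvalidPath("/%2E%2E/testsecret/secret.txt", handler);
	testInvalidPath("%2F%2F%2E%2E%2F%2F%2E%2E" + secretPath, handler);
}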
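/**
 * Resolves the request path by delegating to the next resolver obtained from
 * {@code getNext()}, passing this chain along so the resolver can continue it.
 *
 * @param exchange the current exchange
 * @param requestPath the portion of the request path to resolve
 * @param locations the locations to search when looking up resources
 * @return the next resolver's result, or an empty {@code Mono} when there is no
 * further resolver
 */
@Override
public Mono<Resource> resolveResource(ServerWebExchange exchange, String requestPath,
		List<? extends Resource> locations) {

	// getNext() is defined elsewhere; presumably it advances this.index (confirm there).
	ResourceResolver resolver = getNext();
	if (resolver == null) {
		// A Mono-returning method must never return null: a caller that chains
		// operators on the result would fail with a NullPointerException instead of
		// seeing "not resolved". An empty Mono expresses the same outcome safely.
		return Mono.empty();
	}

	try {
		return resolver.resolveResource(exchange, requestPath, locations, this);
	}
	finally {
		// Runs as soon as the resolver has returned its Mono, not when that Mono is
		// subscribed to or completes.
		// NOTE(review): if a resolver defers its call into the chain until
		// subscription, the index has already been rewound by then. Confirm that
		// resolvers invoke the chain eagerly, or that this position bookkeeping is
		// otherwise safe.
		this.index--;
	}
}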