Prevent Undertow from exposing classpath files

Update `UndertowEmbeddedServletContainerFactory` so that the `ClassPathResourceManager` is no longer registered by default. Prior to this commit the resource manager would be registered whenever a valid document root could not be found. This had the effect of exposing all classpath files. Fixes spring-projectsgh-4015
vmotukuri · Oct 15, 2015 · c804299 · c804299
1 parent 5664322
commit c804299
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/...ringframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java b/...ringframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java
@@ -56,7 +56,6 @@
 import io.undertow.Undertow;
 import io.undertow.Undertow.Builder;
 import io.undertow.UndertowMessages;
-import io.undertow.server.handlers.resource.ClassPathResourceManager;
 import io.undertow.server.handlers.resource.FileResourceManager;
 import io.undertow.server.handlers.resource.Resource;
 import io.undertow.server.handlers.resource.ResourceChangeListener;
@@ -370,10 +369,7 @@ private ResourceManager getDocumentRootResourceManager() {
 		if (root != null && root.isFile()) {
 			return new JarResourcemanager(root);
 		}
-		if (this.resourceLoader != null) {
-			return new ClassPathResourceManager(this.resourceLoader.getClassLoader(), "");
-		}
-		return new ClassPathResourceManager(getClass().getClassLoader(), "");
+		return ResourceManager.EMPTY_RESOURCE_MANAGER;
 	}
 
 	private void configureErrorPages(DeploymentInfo servletBuilder) {

diff --git a/...g/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java b/...g/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
@@ -482,6 +482,17 @@ public void sslWantsClientAuthenticationSucceedsWithoutClientCertificate()
 				equalTo("test"));
 	}
 
+	@Test
+	public void cannotReadClassPathFiles() throws Exception {
+		AbstractEmbeddedServletContainerFactory factory = getFactory();
+		this.container = factory
+				.getEmbeddedServletContainer(exampleServletRegistration());
+		this.container.start();
+		ClientHttpResponse response = getClientResponse(
+				getLocalUrl("/org/springframework/boot/SpringApplication.class"));
+		assertThat(response.getStatusCode(), equalTo(HttpStatus.NOT_FOUND));
+	}
+
 	private Ssl getSsl(ClientAuth clientAuth, String keyPassword, String keyStore) {
 		return getSsl(clientAuth, keyPassword, keyStore, null);
 	}