package io.jooby;
import io.jooby.junit.ServerTest;
import io.jooby.junit.ServerTestRunner;
import org.apache.http.client.fluent.Request;
import java.nio.file.Path;
import java.nio.file.Paths;
import static org.junit.jupiter.api.Assertions.assertEquals;
/**
 * Regression tests for issue 1639: an asset route must not serve anything that lies outside the
 * configured asset source.
 *
 * <p>Each test mounts an asset source under the {@code /static} prefix and then requests paths
 * that try to step out of it, either with a literal {@code ../} segment or with
 * {@code ..%252f}, where {@code %252f} is a slash that has been percent-encoded twice. Those
 * requests must be answered with 404, while ordinary asset requests must still return the file.
 *
 * <p>NOTE(review): only the literal and the double-encoded forms are exercised here;
 * single-encoded variants are not covered by this class. The positive cases compare the response
 * body only and do not assert the status code.
 */
public class Issue1639 {

  /** Route pattern under which every test mounts its asset source. */
  private static final String ASSET_ROUTE = "/static/?*";

  /** Trimmed content expected when the {@code js/index.js} asset is served. */
  private static final String INDEX_JS = "(function () { console.log('index.js');});";

  /** Status expected for every request that must not be served. */
  private static final int NOT_FOUND = 404;

  /**
   * Serves assets from the {@code src/test/resources/static} directory on the file system and
   * checks that traversal attempts and {@code .class} paths are rejected.
   *
   * @param runner test runner that defines the application and hands out an HTTP client
   */
  @ServerTest
  public void shouldNotAccessToClassFromFileSystemAsset(ServerTestRunner runner) {
    runner.define(app -> {
      Path assetRoot = userdir("src", "test", "resources", "static");
      app.assets(ASSET_ROUTE, assetRoot);
    }).ready(client -> {
      // Double-encoded slash: must not be decoded into a parent-directory step.
      client.get("/static/..%252ffiles/fileupload.js", response -> {
        assertEquals(NOT_FOUND, response.code());
      });

      // Literal parent-directory step out of the asset root.
      // presumably files/fileupload.js exists next to static/ in the test resources; confirm.
      client.get("/static/../files/fileupload.js", response -> {
        assertEquals(NOT_FOUND, response.code());
      });

      // Control case: a regular asset inside the root is still delivered.
      client.get("/static/js/index.js", response -> {
        assertEquals(INDEX_JS, response.body().string().trim());
      });

      // Class-like paths below the mount must not resolve to anything.
      client.get("/static/io/jooby/Issue1639.js.class", response -> {
        assertEquals(NOT_FOUND, response.code());
      });

      client.get("/static/io/jooby/Issue1639.class", response -> {
        assertEquals(NOT_FOUND, response.code());
      });
    });
  }

  /**
   * Serves assets from the {@code /static} classpath location and checks that a request cannot
   * step up from it to reach this test's own {@code .class} file.
   *
   * @param runner test runner that defines the application and hands out an HTTP client
   */
  @ServerTest
  public void shouldNotAccessToClassFromCpAssetSource(ServerTestRunner runner) {
    runner.define(app -> {
      app.assets(ASSET_ROUTE, "/static");
    }).ready(client -> {
      // A parent step that stays inside the asset root is expected to keep working.
      client.get("/static/foo/../js/index.js", response -> {
        assertEquals(INDEX_JS, response.body().string().trim());
      });

      client.get("/static/js/index.js", response -> {
        assertEquals(INDEX_JS, response.body().string().trim());
      });

      // Literal parent step that would leave the asset root.
      client.get("/static/../io/jooby/Issue1639.class", response -> {
        assertEquals(NOT_FOUND, response.code());
      });

      // Same escape attempt with a double-encoded slash.
      client.get("/static/..%252fio/jooby/Issue1639.class", response -> {
        assertEquals(NOT_FOUND, response.code());
      });
    });
  }

  /**
   * Repeats the classpath checks through the Apache fluent {@code Request} API instead of the
   * client supplied by the runner.
   *
   * <p>NOTE(review): presumably this exists because HTTP clients differ in whether they
   * normalise dot segments before sending the request; confirm against the issue.
   *
   * @param runner test runner that defines the application and exposes the server port
   */
  @ServerTest
  public void shouldNotAccessToClassFromCpAssetSourceWithDifferentClient(ServerTestRunner runner) {
    runner.define(app -> {
      app.assets(ASSET_ROUTE, "/static");
    }).ready(client -> {
      String origin = "http://localhost:" + client.getPort();

      // Literal parent step that would leave the asset root.
      int parentStepStatus = Request.Get(origin + "/static/../io/jooby/Issue1639.class")
          .execute()
          .returnResponse()
          .getStatusLine()
          .getStatusCode();
      assertEquals(NOT_FOUND, parentStepStatus);

      // A parent step that stays inside the asset root still yields the asset.
      String viaParentStep = Request.Get(origin + "/static/foo/../js/index.js")
          .execute()
          .returnContent()
          .asString()
          .trim();
      assertEquals(INDEX_JS, viaParentStep);

      // Control case: direct request for the asset.
      String direct = Request.Get(origin + "/static/js/index.js")
          .execute()
          .returnContent()
          .asString()
          .trim();
      assertEquals(INDEX_JS, direct);

      // Escape attempt with a double-encoded slash.
      int encodedStepStatus = Request.Get(origin + "/static/..%252fio/jooby/Issue1639.class")
          .execute()
          .returnResponse()
          .getStatusLine()
          .getStatusCode();
      assertEquals(NOT_FOUND, encodedStepStatus);
    });
  }

  /**
   * Builds a path below the directory named by the {@code user.dir} system property.
   *
   * @param segments path segments resolved one after another against {@code user.dir}
   * @return the resulting path; {@code user.dir} itself when no segments are given
   */
  private static Path userdir(String... segments) {
    Path resolved = Paths.get(System.getProperty("user.dir"));
    for (int i = 0; i < segments.length; i++) {
      resolved = resolved.resolve(segments[i]);
    }
    return resolved;
  }
}