Disallow all extensions in actuator endpoints (except .json)

Dave Syer · Dave Syer · commit 8749fc745b9e · 2015-11-12T10:25:06.000Z
Along with the recent change in Spring to use content-disposition "inline" (which prevents the download), it also makes sense to limit the extensions allowed by the actuator endpoints. Really there *is* no extension for these endpoints, but since all of them explicitly produce JSON we can add .json for browsers as a convenience in case the app would otherwise choose to send XML. Fixes gh-4402
diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
@@ -84,6 +84,7 @@ public EndpointHandlerMapping(Collection<? extends MvcEndpoint> endpoints,
 		// By default the static resource handler mapping is LOWEST_PRECEDENCE - 1
 		// and the RequestMappingHandlerMapping is 0 (we ideally want to be before both)
 		setOrder(-100);
+		setUseSuffixPatternMatch(false);
 	}
 
 	@Override
@@ -121,7 +122,7 @@ private String[] getPatterns(Object handler, RequestMappingInfo mapping) {
 		String prefix = StringUtils.hasText(this.prefix) ? this.prefix + path : path;
 		Set<String> defaultPatterns = mapping.getPatternsCondition().getPatterns();
 		if (defaultPatterns.isEmpty()) {
-			return new String[] { prefix };
+			return new String[] { prefix, prefix + ".json" };
 		}
 		List<String> patterns = new ArrayList<String>(defaultPatterns);
 		for (int i = 0; i < patterns.size(); i++) {
@@ -142,7 +143,8 @@ private String getPath(Object handler) {
 
 	private RequestMappingInfo withNewPatterns(RequestMappingInfo mapping,
 			String[] patternStrings) {
-		PatternsRequestCondition patterns = new PatternsRequestCondition(patternStrings);
+		PatternsRequestCondition patterns = new PatternsRequestCondition(patternStrings,
+				null, null, useSuffixPatternMatch(), useTrailingSlashMatch(), null);
 		return new RequestMappingInfo(patterns, mapping.getMethodsCondition(),
 				mapping.getParamsCondition(), mapping.getHeadersCondition(),
 				mapping.getConsumesCondition(), mapping.getProducesCondition(),
diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointIntegrationTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointIntegrationTests.java
@@ -90,6 +90,22 @@ public void jsonResponsesCanBeIndentedWhenSpringDataRestIsAutoConfigured()
 		assertIndentedJsonResponse(SpringDataRestConfiguration.class);
 	}
 
+	@Test
+	public void fileExtensionNotFound() throws Exception {
+		this.context = new AnnotationConfigWebApplicationContext();
+		this.context.register(DefaultConfiguration.class);
+		MockMvc mockMvc = createMockMvc();
+		mockMvc.perform(get("/beans.cmd")).andExpect(status().isNotFound());
+	}
+
+	@Test
+	public void jsonExtensionProvided() throws Exception {
+		this.context = new AnnotationConfigWebApplicationContext();
+		this.context.register(DefaultConfiguration.class);
+		MockMvc mockMvc = createMockMvc();
+		mockMvc.perform(get("/beans.json")).andExpect(status().isOk());
+	}
+
 	@Test
 	public void nonSensitiveEndpointsAreNotSecureByDefault() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();
