Prevent Undertow from exposing classpath files

philwebb · philwebb · commit c804299c8d58 · 2015-10-15T16:02:41.000-07:00
Update `UndertowEmbeddedServletContainerFactory` so that the `ClassPathResourceManager` is no longer registered by default. Prior to this commit the resource manager would be registered whenever a valid document root could not be found. This had the effect of exposing all classpath files. Fixes gh-4015
diff --git a/spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java b/spring-boot/src/main/java/org/springframework/boot/context/embedded/undertow/UndertowEmbeddedServletContainerFactory.java
@@ -56,7 +56,6 @@
 import io.undertow.Undertow;
 import io.undertow.Undertow.Builder;
 import io.undertow.UndertowMessages;
-import io.undertow.server.handlers.resource.ClassPathResourceManager;
 import io.undertow.server.handlers.resource.FileResourceManager;
 import io.undertow.server.handlers.resource.Resource;
 import io.undertow.server.handlers.resource.ResourceChangeListener;
@@ -370,10 +369,7 @@ private ResourceManager getDocumentRootResourceManager() {
 		if (root != null && root.isFile()) {
 			return new JarResourcemanager(root);
 		}
-		if (this.resourceLoader != null) {
-			return new ClassPathResourceManager(this.resourceLoader.getClassLoader(), "");
-		}
-		return new ClassPathResourceManager(getClass().getClassLoader(), "");
+		return ResourceManager.EMPTY_RESOURCE_MANAGER;
 	}
 
 	private void configureErrorPages(DeploymentInfo servletBuilder) {
diff --git a/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java b/spring-boot/src/test/java/org/springframework/boot/context/embedded/AbstractEmbeddedServletContainerFactoryTests.java
@@ -482,6 +482,17 @@ public void sslWantsClientAuthenticationSucceedsWithoutClientCertificate()
 				equalTo("test"));
 	}
 
+	@Test
+	public void cannotReadClassPathFiles() throws Exception {
+		AbstractEmbeddedServletContainerFactory factory = getFactory();
+		this.container = factory
+				.getEmbeddedServletContainer(exampleServletRegistration());
+		this.container.start();
+		ClientHttpResponse response = getClientResponse(
+				getLocalUrl("/org/springframework/boot/SpringApplication.class"));
+		assertThat(response.getStatusCode(), equalTo(HttpStatus.NOT_FOUND));
+	}
+
 	private Ssl getSsl(ClientAuth clientAuth, String keyPassword, String keyStore) {
 		return getSsl(clientAuth, keyPassword, keyStore, null);
 	}
