Merge pull request #84 from cip4/sec1

added whitelist to resource handler

Author: rainer-prosi

src/main/java/org/cip4/jdfutility/server/JettyServer.java

@@ -52,7 +52,6 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.cip4.jdflib.util.FileUtil;
-import org.cip4.jdflib.util.StringUtil;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -68,7 +67,6 @@
 import org.eclipse.jetty.server.handler.RequestLogHandler;
 import org.eclipse.jetty.server.handler.ResourceHandler;
 import org.eclipse.jetty.servlet.ServletContextHandler;
-import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 /**
@@ -95,7 +93,7 @@ public String getKeystoreType()
 			return keystoreType;
 		}
 
-		public void setKeystoreType(String keystoretype)
+		public void setKeystoreType(final String keystoretype)
 		{
 			this.keystoreType = keystoretype;
 		}
@@ -117,7 +115,7 @@ public String getPassword()
 			return password;
 		}
 
-		public void setPassword(String password)
+		public void setPassword(final String password)
 		{
 			this.password = password;
 		}
@@ -132,7 +130,7 @@ public boolean isAllowFlakySSL()
 		 * 
 		 * @param allowFlakySSL
 		 */
-		public void setAllowFlakySSL(boolean allowFlakySSL)
+		public void setAllowFlakySSL(final boolean allowFlakySSL)
 		{
 			this.allowFlakySSL = allowFlakySSL;
 		}
@@ -158,12 +156,12 @@ KeyStore getKeystore()
 				try
 				{
 					log.info("Reading " + f.getAbsolutePath());
-					BufferedInputStream bufferedInputStream = FileUtil.getBufferedInputStream(f);
+					final BufferedInputStream bufferedInputStream = FileUtil.getBufferedInputStream(f);
 					keyStore.load(bufferedInputStream, password.toCharArray());
 					bufferedInputStream.close();
 					return keyStore;
 				}
-				catch (Exception e)
+				catch (final Exception e)
 				{
 					log.warn("Cannot load keystore at: " + f.getAbsolutePath(), e);
 				}
@@ -180,7 +178,7 @@ public String getKeystorePath()
 			return keystorePath;
 		}
 
-		public void setKeystorePath(String keystorePath)
+		public void setKeystorePath(final String keystorePath)
 		{
 			this.keystorePath = keystorePath;
 		}
@@ -269,7 +267,7 @@ public void setSSLPort(final int port)
 	 * @return may be used for additional setup
 	 */
 	@Deprecated
-	public void setSSLPort(final int port, String dummy)
+	public void setSSLPort(final int port, final String dummy)
 	{
 		sslPort = port;
 	}
@@ -328,13 +326,13 @@ protected void updateHTTP()
 
 			final HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
 
-			SecureRequestCustomizer customizer = getRequestCustomizer();
+			final SecureRequestCustomizer customizer = getRequestCustomizer();
 			customizer.setSniHostCheck(!sslData.allowFlakySSL);
 			customizer.setSniRequired(!sslData.allowFlakySSL);
 			customizer.setStsIncludeSubDomains(sslData.allowFlakySSL);
 			httpsConfig.addCustomizer(customizer);
 
-			SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
+			final SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
 			sslContextFactory.setKeyStore(sslData.getKeystore());
 			sslContextFactory.setKeyStorePassword(sslData.getPassword());
 
@@ -350,7 +348,7 @@ protected void updateHTTP()
 		{
 			log.info("Updating standard port to: " + thePort);
 			final HttpConnectionFactory httpConnectionFactory = new HttpConnectionFactory(httpConfig);
-			ServerConnector connector = new ServerConnector(server, httpConnectionFactory);
+			final ServerConnector connector = new ServerConnector(server, httpConnectionFactory);
 			connector.setPort(thePort);
 			server.addConnector(connector);
 		}
@@ -443,7 +441,7 @@ protected RequestLog createRequestLog()
 	 *
 	 * @return
 	 */
-	public String getBaseURL(boolean ssl)
+	public String getBaseURL(final boolean ssl)
 	{
 		try
 		{
@@ -466,59 +464,13 @@ public String getBaseURL(boolean ssl)
 	 */
 	public String getBaseURL()
 	{
-		String http = getBaseURL(false);
-		String ssl = getBaseURL(true);
+		final String http = getBaseURL(false);
+		final String ssl = getBaseURL(true);
 		if (http == null)
 			return ssl;
 		return http;
 	}
 
-	/**
-	 * simple resource (file) handler that tweeks the url to match the context, thus allowing servlets to emulate a war file without actually requiring the war file
-	 *
-	 * @author rainer prosi
-	 * @date Dec 10, 2010
-	 */
-	public class MyResourceHandler extends ResourceHandler
-	{
-
-		public MyResourceHandler(final String strip)
-		{
-			super();
-			this.strip = StringUtil.getNonEmpty(strip);
-		}
-
-		private final String strip;
-
-		@Override
-		public Resource getResource(String url)
-		{
-
-			if (strip != null && url.startsWith(strip) && (url.length() == strip.length() || url.charAt(strip.length()) == '/'))
-			{
-				url = url.substring(strip.length());
-			}
-			try
-			{
-				if ("".equals(url) || "/".equals(url))
-				{
-					return super.getResource(getHome());
-				}
-				return super.getResource(url);
-			}
-			catch (Exception x)
-			{
-				return null;
-			}
-		}
-
-		@Override
-		public String toString()
-		{
-			return "MyResourceHandler [strip=" + strip + ", getResourceBase()=" + getResourceBase() + "]";
-		}
-	}
-
 	/**
 	 * @author rainer prosi
 	 */
@@ -542,7 +494,7 @@ public void handle(final String pathInContext, final Request arg1, final HttpSer
 	 */
 	protected ResourceHandler createResourceHandler()
 	{
-		final ResourceHandler resourceHandler = new MyResourceHandler(context);
+		final ResourceHandler resourceHandler = new MyResourceHandler(context, getHome());
 		resourceHandler.setResourceBase(".");
 		return resourceHandler;
 	}

src/main/java/org/cip4/jdfutility/server/MyResourceHandler.java

@@ -0,0 +1,116 @@
+/**
+ * The CIP4 Software License, Version 1.0
+ *
+ * Copyright (c) 2001-2024 The International Cooperation for the Integration of Processes in Prepress, Press and Postpress (CIP4). All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the The International Cooperation for
+ * the Integration of Processes in Prepress, Press and Postpress (www.cip4.org)" Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments
+ * normally appear.
+ *
+ * 4. The names "CIP4" and "The International Cooperation for the Integration of Processes in Prepress, Press and Postpress" must not be used to endorse or promote products derived from this software
+ * without prior written permission. For written permission, please contact [email protected].
+ *
+ * 5. Products derived from this software may not be called "CIP4", nor may "CIP4" appear in their name, without prior written permission of the CIP4 organization
+ *
+ * Usage of this software in commercial products is subject to restrictions. For details please consult [email protected].
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE INTERNATIONAL COOPERATION FOR THE INTEGRATION OF PROCESSES IN PREPRESS, PRESS AND POSTPRESS OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+ * OF SUCH DAMAGE. ====================================================================
+ *
+ * This software consists of voluntary contributions made by many individuals on behalf of the The International Cooperation for the Integration of Processes in Prepress, Press and Postpress and was
+ * originally based on software copyright (c) 1999-2001, Heidelberger Druckmaschinen AG copyright (c) 1999-2001, Agfa-Gevaert N.V.
+ *
+ * For more information on The International Cooperation for the Integration of Processes in Prepress, Press and Postpress , please see <http://www.cip4.org/>.
+ *
+ *
+ */
+
+package org.cip4.jdfutility.server;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.cip4.jdflib.util.StringUtil;
+import org.eclipse.jetty.server.handler.ResourceHandler;
+import org.eclipse.jetty.util.resource.Resource;
+
+/**
+ * simple resource (file) handler that tweeks the url to match the context, thus allowing servlets to emulate a war file without actually requiring the war file
+ *
+ * @author rainer prosi
+ * @date Dec 10, 2010
+ */
+public class MyResourceHandler extends ResourceHandler
+{
+
+	private final String home;
+	private final Collection<File> whiteList;
+
+	public MyResourceHandler(final String strip, final String home)
+	{
+		super();
+		this.strip = StringUtil.getNonEmpty(strip);
+		this.home = home;
+		whiteList = new ArrayList<>();
+	}
+
+	private final String strip;
+
+	@Override
+	public Resource getResource(String url)
+	{
+
+		if (strip != null && url.startsWith(strip) && (url.length() == strip.length() || url.charAt(strip.length()) == '/'))
+		{
+			url = url.substring(strip.length());
+		}
+		try
+		{
+			if ("".equals(url) || "/".equals(url))
+			{
+				return super.getResource(home);
+			}
+			else if (!whiteList.isEmpty())
+			{
+				final String base = StringUtil.token(url, 0, "/");
+				if (!whiteList.contains(new File(base)))
+				{
+					return null;
+				}
+			}
+
+			return super.getResource(url);
+		}
+		catch (final Exception x)
+		{
+			return null;
+		}
+	}
+
+	/**
+	 * add a base file to the whitelist. after adding one, all others are blocked
+	 * 
+	 * @param base
+	 */
+	public void addBase(final String base)
+	{
+		whiteList.add(new File(base));
+	}
+
+	@Override
+	public String toString()
+	{
+		return "MyResourceHandler [strip=" + strip + ", getResourceBase()=" + getResourceBase() + "]";
+	}
+}

src/test/java/org/cip4/jdfutility/schema/JDFSchemaUtilTest.java

@@ -95,6 +95,9 @@ public void testschema()
 				final File f19 = new File(sm_dirTestDataTemp + "tmp/schema/1.9/JDF.xsd");
 				final File f19a = JDFSchemaUtil.downloadschema(f19, EnumVersion.Version_1_9, 123456);
 				assertTrue(f19a.exists());
+				final File f20 = new File(sm_dirTestDataTemp + "tmp/schema/2.0/xjdf.xsd");
+				final File f20a = JDFSchemaUtil.downloadschema(f20, EnumVersion.Version_2_0, 123456);
+				assertTrue(f20a.exists());
 				final File f21 = new File(sm_dirTestDataTemp + "tmp/schema/2.1/xjdf.xsd");
 				final File f21a = JDFSchemaUtil.downloadschema(f21, EnumVersion.Version_2_1, 123456);
 				assertTrue(f21a.exists());
@@ -109,6 +112,8 @@ public void testschema()
 			final File f12a = JDFSchemaUtil.downloadschema(f12, EnumVersion.Version_1_2, 123456);
 			final File f19 = new File(sm_dirTestDataTemp + "tmp/schema/1.9/JDF.xsd");
 			final File f19a = JDFSchemaUtil.downloadschema(f19, EnumVersion.Version_1_9, 123456);
+			final File f20 = new File(sm_dirTestDataTemp + "tmp/schema/2.0/xjdf.xsd");
+			final File f20a = JDFSchemaUtil.downloadschema(f20, EnumVersion.Version_2_0, 123456);
 			final File f21 = new File(sm_dirTestDataTemp + "tmp/schema/2.1/xjdf.xsd");
 			final File f21a = JDFSchemaUtil.downloadschema(f21, EnumVersion.Version_2_1, 123456);
 			final File f22 = new File(sm_dirTestDataTemp + "tmp/schema/2.2/xjdf.xsd");

src/test/java/org/cip4/jdfutility/server/JettyServerTest.java

@@ -46,7 +46,6 @@
 import org.cip4.jdfutility.JDFUtilityTestBase;
 import org.cip4.jdfutility.exe.HTTPDump;
 import org.cip4.jdfutility.server.JettyServer.JettySSLData;
-import org.cip4.jdfutility.server.JettyServer.MyResourceHandler;
 import org.junit.jupiter.api.Test;
 
 public class JettyServerTest extends JDFUtilityTestBase
@@ -106,7 +105,7 @@ public synchronized void testSSLData()
 	{
 		final HTTPDump ns = new HTTPDump();
 		ns.setSSLPort(443);
-		JettySSLData sslData = ns.getSSLData();
+		final JettySSLData sslData = ns.getSSLData();
 		assertNotNull(sslData.toString());
 		sslData.setAllowFlakySSL(true);
 		assertTrue(sslData.isAllowFlakySSL());
@@ -124,7 +123,7 @@ public void testSSLDataKeystore()
 	{
 		final HTTPDump ns = new HTTPDump();
 		ns.setSSLPort(443);
-		JettySSLData sslData = ns.getSSLData();
+		final JettySSLData sslData = ns.getSSLData();
 		assertNotNull(sslData.getKeystore());
 
 	}
@@ -172,16 +171,27 @@ public void testResHandler() throws InterruptedException
 	{
 		final HTTPDump ns = new HTTPDump();
 		ns.setPort(getPort());
-		MyResourceHandler rh = ns.new MyResourceHandler("foo");
+		final MyResourceHandler rh = new MyResourceHandler("foo", "dummy");
 		assertNull(rh.getResource("nix"));
 	}
 
+	@Test
+	public void testResHandlerWL() throws InterruptedException
+	{
+		final HTTPDump ns = new HTTPDump();
+		ns.setPort(getPort());
+		final MyResourceHandler rh = new MyResourceHandler("foo", "dummy");
+		rh.addBase("boo");
+		assertNull(rh.getResource("foo/nix"));
+		assertNull(rh.getResource("foo/boo"));
+	}
+
 	@Test
 	public void testResHandlerString() throws InterruptedException
 	{
 		final HTTPDump ns = new HTTPDump();
 		ns.setPort(getPort());
-		MyResourceHandler rh = ns.new MyResourceHandler("foo");
+		final MyResourceHandler rh = new MyResourceHandler("foo", "bar");
 		assertNotNull(rh.toString());
 	}