github-advanced-security[bot] commented on code in PR #448:
URL: https://github.com/apache/jspwiki/pull/448#discussion_r2566585333


##########
jspwiki-main/src/main/java/org/apache/wiki/servlets/WebjarsServlet.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * MIT licensed from https://github.com/webjars/webjars-servlet-2.x
+ */
+package org.apache.wiki.servlets;
+
+import jakarta.servlet.ServletConfig;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.lang.reflect.Method;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * FORK of https://github.com/webjars/webjars-servlet-2.x to update to the 
jakarta spec
+ * 
+ *
+ * <p>This servlet enables Servlet 2.x compliant containers to serve up 
Webjars resources</p>
+ * <p>To use it just declare it in your web.xml as follows:</p>
+ * <pre>
+ &lt;!--Webjars Servlet--&gt;
+ &lt;servlet&gt;
+     &lt;servlet-name&gt;WebjarsServlet&lt;/servlet-name&gt;
+     
&lt;servlet-class&gt;org.webjars.servlet.WebjarsServlet&lt;/servlet-class&gt;
+ &lt;/servlet&gt;
+ &lt;servlet-mapping&gt;
+     &lt;servlet-name&gt;WebjarsServlet&lt;/servlet-name&gt;
+     &lt;url-pattern&gt;/webjars/*&lt;/url-pattern&gt;
+ &lt;/servlet-mapping&gt;œ
+ </pre>
+ * <p>It will automatically detect the webjars-locator-core library on the 
classpath and use it to automatically resolve
+ * the version of any WebJar assets</p>
+ * @author Angel Ruiz&lt;[email protected]&gt;
+ * @author Jaco de Groot&lt;[email protected]&gt;
+ */
+public class WebjarsServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+    
+    private static final Logger logger = 
Logger.getLogger(WebjarsServlet.class.getName());
+    
+    private static final long DEFAULT_EXPIRE_TIME_MS = 86400000L; // 1 day
+    private static final long DEFAULT_EXPIRE_TIME_S = 86400L; // 1 day
+
+    private boolean disableCache = false;
+
+       private Object webJarAssetLocator;
+       private Method getFullPathExact;
+
+    @Override
+    @SuppressWarnings({ "rawtypes", "unchecked" })
+    public void init() throws ServletException {
+        ServletConfig config = getServletConfig();
+        if(config == null) {
+            throw new NullPointerException("Expected servlet container to 
provide a non-null ServletConfig.");
+        }
+        try {
+            String disableCache = config.getInitParameter("disableCache");
+            if (disableCache != null) {
+                this.disableCache = Boolean.parseBoolean(disableCache);
+                logger.log(Level.INFO, "WebjarsServlet cache enabled: {0}", 
!this.disableCache);
+            }
+        } catch (Exception e) {
+            logger.log(Level.WARNING, "The WebjarsServlet configuration 
parameter \"disableCache\" is invalid");
+        }
+        try {
+            Class webJarAssetLocatorClass = 
Class.forName("org.webjars.WebJarAssetLocator");
+            webJarAssetLocator = webJarAssetLocatorClass.newInstance();
+            getFullPathExact = 
webJarAssetLocatorClass.getMethod("getFullPathExact", String.class, 
String.class);
+            logger.log(Level.INFO, "The webjars-locator-core library is 
present, WebjarsServlet will try to resolve the version of requested WebJar 
assets (for the version agnostic way of working)");
+        } catch (Exception e) {
+            logger.log(Level.INFO, "The webjars-locator-core library is not 
present, WebjarsServlet will not try to resolve the version of requested WebJar 
assets (for the version agnostic way of working)");
+        }
+        logger.log(Level.INFO, "WebjarsServlet initialization completed");
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse 
response) throws ServletException, IOException {
+        String webjarsURI = 
request.getRequestURI().replaceFirst(request.getContextPath(), "");
+        String webjarsResourceURI = "/META-INF/resources" + webjarsURI;
+        logger.log(Level.FINE, "Webjars resource requested: {0}", 
webjarsResourceURI);
+
+        if (isDirectoryRequest(webjarsResourceURI)) {
+            response.sendError(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        }
+
+        if (webJarAssetLocator != null) {
+            String path = 
webjarsURI.substring(request.getServletPath().length());
+            logger.log(Level.FINE, "Try to resolve version for path: {0}", 
path);
+            // See also Spring's WebJarsResourceResolver 
findWebJarResourcePath() method
+            int startOffset = (path.startsWith("/") ? 1 : 0);
+            int endOffset = path.indexOf('/', 1);
+            if (endOffset != -1) {
+                String webjar = path.substring(startOffset, endOffset);
+                String partialPath = path.substring(endOffset + 1);
+                String webJarPath = null;
+                try {
+                    webJarPath = 
(String)getFullPathExact.invoke(webJarAssetLocator, webjar, partialPath);
+                } catch (Exception e) {
+                    logger.log(Level.FINE, "This should not happen", e);
+                }
+                if (webJarPath != null) {
+                    webjarsResourceURI = "/" + webJarPath;
+                }
+            }
+        }
+
+        String eTagName;
+        try {
+            eTagName = this.getETagName(webjarsResourceURI);
+        } catch (IllegalArgumentException e) {
+            response.sendError(HttpServletResponse.SC_NOT_FOUND);
+            return;
+        }
+
+        if (!disableCache) {
+            if (checkETagMatch(request, eTagName)
+                   || checkLastModify(request)) {
+               // response.sendError(HttpServletResponse.SC_NOT_MODIFIED); 
+               response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
+               return;
+            }
+        }
+
+        InputStream inputStream = 
this.getClass().getResourceAsStream(webjarsResourceURI);
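Review bot: The resource path handed to `getResourceAsStream` on the last quoted line is built straight from `request.getRequestURI()`, which is neither decoded nor normalized, and nothing between the `"/META-INF/resources"` concatenation and the lookup rejects `..` segments or re-checks that the final `webjarsResourceURI` still starts with `/META-INF/resources/`; whether a traversal can actually escape that directory depends on container normalization, but the servlet should not rely on it, and an explicit check is also what closes the code-scanning finding. Separately, `replaceFirst(request.getContextPath(), "")` treats the context path as a regular expression, so a context path containing regex metacharacters is stripped incorrectly — `substring(request.getContextPath().length())` is the intended operation. The Javadoc at the `&lt;/servlet-mapping&gt;` line also carries a stray `œ` that looks like an encoding artifact. `doGet` continues past the end of the quoted hunk, so the guard below belongs after the locator resolution and before the ETag/Last-Modified handling, not at the end of the method.
```java
String webjarsURI = request.getRequestURI().substring(request.getContextPath().length());
String webjarsResourceURI = "/META-INF/resources" + webjarsURI;
// … unchanged: directory check and webjars-locator version resolution …
if (!isSafeResourcePath(webjarsResourceURI)) {
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
    return;
}
// … unchanged: ETag / Last-Modified handling and getResourceAsStream …

/** Rejects parent-directory segments and any path outside the classpath resource root this servlet serves. */
private static boolean isSafeResourcePath(String resourcePath) {
    if (resourcePath.contains("\\")) {
        return false;
    }
    for (String segment : resourcePath.split("/")) {
        if ("..".equals(segment) || ".".equals(segment)) {
            return false;
        }
    }
    return resourcePath.startsWith("/META-INF/resources/");
}
```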

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   
   [Show more 
details](https://github.com/apache/jspwiki/security/code-scanning/14)


