tapestry-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nicolas Bouillon <nico...@bouillon.net>
Subject Re: Tapestry exposes the list of css/js files in assets
Date Thu, 16 Jan 2020 10:18:54 GMT
Hi,
Thank you for the quick reply, I've added the following rule in my AppModule.

@Contribute(ClasspathAssetProtectionRule.class)
public static void contributeClasspathAssetProtectionRule(
        OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
{
    ClasspathAssetProtectionRule fileWithDot = (s) ->
!s.toLowerCase().matches(".*\\.[^/]+");
    configuration.add("DirectoryListing", fileWithDot);
}

Note that the directory listing is displayed even without any ending
forwarding slash. Then I've forced the requested file name to end with
a . followed by some chars (anything but a forward slash).

I wonder if that configuration should be put by default, or activable
using a configuration switch described in
https://tapestry.apache.org/security.html

Thank you again.
Nicolas.

Le jeu. 16 janv. 2020 à 10:43, Dmitry Gusev <dmitry.gusev@gmail.com> a écrit :
>
> Hi,
>
> I wasn't aware of it, thanks for bringing it up.
>
> From what I found in code, AssetsModule contributes three asset protection
> rules: for .xml, .class, and .properties files:
>
> public static void contributeClasspathAssetProtectionRule(
>         OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
> {
>     ClasspathAssetProtectionRule classFileRule = (s) ->
> s.toLowerCase().endsWith(".class");
>     configuration.add("ClassFile", classFileRule);
>     ClasspathAssetProtectionRule propertiesFileRule = (s) ->
> s.toLowerCase().endsWith(".properties");
>     configuration.add("PropertiesFile", propertiesFileRule);
>     ClasspathAssetProtectionRule xmlFileRule = (s) ->
> s.toLowerCase().endsWith(".xml");
>     configuration.add("XMLFile", xmlFileRule);
> }
>
> So as a possible workaround you could contribute another rule that vetoes
> asset requests that have no file extension (or end with forward slash),
> which should cover directory entries.
>
> On Thu, Jan 16, 2020 at 12:22 PM Nicolas Bouillon <nicolas@bouillon.net>
> wrote:
>
> > Hi all,
> >
> > Following a pen-test of our application, it has been raised that the
> > list of assets if visible as a directory listing.
> >
> > For example, we have a javascript file available at this location
> > /assets/meta/z58f7f3d4/javascript/library.js but when we access
> > /assets/meta/z58f7f3d4/javascript/ the web server lists all files
> > available in META-INF.assets.javascript directory of the project.
> >
> > Do you know how to prevent this listing?
> >
> > Looks like to me it's happening in
> >
> > org.apache.tapestry5.internal.services.assets.ClasspathAssetRequestHandler#handleAssetRequest
> > and then in
> > org.apache.tapestry5.internal.services.ResourceStreamerImpl#streamResource(org.apache.tapestry5.ioc.Resource,
> > org.apache.tapestry5.services.assets.StreamableResource,
> > java.lang.String,
> >
> > java.util.Set<org.apache.tapestry5.internal.services.ResourceStreamer.Options>)
> >
> > Thank you,
> > Nicolas.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> > For additional commands, e-mail: users-help@tapestry.apache.org
> >
> >
>
> --
> Dmitry Gusev
>
> AnjLab Team
> http://anjlab.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Mime
View raw message