Fixes for ResourceFileServlet

gae-java-bot · gae-java-bot · commit ea0c5d300e3f · 2025-04-10T19:57:07.000-07:00
PiperOrigin-RevId: 746271054
Change-Id: Id5c416fa507630899049ad18bd0e18addc5fbfea
diff --git a/runtime/runtime_impl_jetty12/src/main/java/com/google/apphosting/runtime/jetty/ee10/ResourceFileServlet.java b/runtime/runtime_impl_jetty12/src/main/java/com/google/apphosting/runtime/jetty/ee10/ResourceFileServlet.java
@@ -33,6 +33,8 @@
 import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
 import org.eclipse.jetty.ee10.servlet.ServletHandler;
 import org.eclipse.jetty.ee10.servlet.ServletMapping;
+import org.eclipse.jetty.server.AliasCheck;
+import org.eclipse.jetty.server.AllowedResourceAliasChecker;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.util.StringUtil;
 import org.eclipse.jetty.util.URIUtil;
@@ -59,6 +61,7 @@ public class ResourceFileServlet extends HttpServlet {
   private Resource resourceBase;
   private String[] welcomeFiles;
   private FileSender fSender;
+  private AliasCheck aliasCheck;
   ServletContextHandler chandler;
   ServletContext context;
   String defaultServletName;
@@ -90,6 +93,11 @@ public void init() throws ServletException {
     try {
       URL resourceBaseUrl = context.getResource("/" + appVersion.getPublicRoot());
       resourceBase = (resourceBaseUrl == null) ? null : ResourceFactory.of(chandler).newResource(resourceBaseUrl);
+      if (resourceBase != null) {
+        ContextHandler contextHandler = ServletContextHandler.getServletContextHandler(context);
+        contextHandler.addAliasCheck(new AllowedResourceAliasChecker(contextHandler, resourceBase));
+        aliasCheck = contextHandler;
+      }
     } catch (Exception ex) {
       throw new ServletException(ex);
     }
@@ -162,41 +170,32 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
     }
 
     // Find the resource
-    Resource resource = null;
-    try {
-      resource = getResource(pathInContext);
+    Resource resource = getResource(pathInContext);
+    if (resource == null) {
+      response.sendError(HttpServletResponse.SC_NOT_FOUND);
+      return;
+    }
 
-      if (resource == null) {
-        response.sendError(HttpServletResponse.SC_NOT_FOUND);
-        return;
-      }
+    if (StringUtil.endsWithIgnoreCase(resource.getName(), ".jsp")) {
+      // General paranoia: don't ever serve raw .jsp files.
+      response.sendError(HttpServletResponse.SC_NOT_FOUND);
+      return;
+    }
 
-      if (StringUtil.endsWithIgnoreCase(resource.getName(), ".jsp")) {
-        // General paranoia: don't ever serve raw .jsp files.
-        response.sendError(HttpServletResponse.SC_NOT_FOUND);
-        return;
+    // Handle resource
+    if (resource.isDirectory()) {
+      if (included || !fSender.checkIfUnmodified(request, response, resource)) {
+        response.sendError(HttpServletResponse.SC_FORBIDDEN);
       }
-
-      // Handle resource
-      if (resource.isDirectory()) {
-        if (included || !fSender.checkIfUnmodified(request, response, resource)) {
-          response.sendError(HttpServletResponse.SC_FORBIDDEN);
-        }
+    } else {
+      if (!resource.exists() || !aliasCheck.checkAlias(pathInContext, resource)) {
+        logger.atWarning().log("Non existent resource: %s = %s", pathInContext, resource);
+        response.sendError(HttpServletResponse.SC_NOT_FOUND);
       } else {
-        if (resource == null || !resource.exists()) {
-          logger.atWarning().log("Non existent resource: %s = %s", pathInContext, resource);
-          response.sendError(HttpServletResponse.SC_NOT_FOUND);
-        } else {
-          if (included || !fSender.checkIfUnmodified(request, response, resource)) {
-            fSender.sendData(context, response, included, resource, request.getRequestURI());
-          }
+        if (included || !fSender.checkIfUnmodified(request, response, resource)) {
+          fSender.sendData(context, response, included, resource, request.getRequestURI());
         }
       }
-    } finally {
-      if (resource != null) {
-        // TODO: do we need to release.
-        // resource.release();
-      }
     }
   }
 
@@ -226,6 +225,7 @@ protected boolean isProtectedPath(String target) {
   private Resource getResource(String pathInContext) {
     try {
       if (resourceBase != null) {
+        pathInContext = URIUtil.encodePath(pathInContext);
         return resourceBase.resolve(pathInContext);
       }
     } catch (Exception ex) {
diff --git a/runtime/runtime_impl_jetty12/src/main/java/com/google/apphosting/runtime/jetty/ee8/ResourceFileServlet.java b/runtime/runtime_impl_jetty12/src/main/java/com/google/apphosting/runtime/jetty/ee8/ResourceFileServlet.java
@@ -34,6 +34,8 @@
 import org.eclipse.jetty.ee8.servlet.ServletContextHandler;
 import org.eclipse.jetty.ee8.servlet.ServletHandler;
 import org.eclipse.jetty.ee8.servlet.ServletMapping;
+import org.eclipse.jetty.server.AliasCheck;
+import org.eclipse.jetty.server.AllowedResourceAliasChecker;
 import org.eclipse.jetty.util.StringUtil;
 import org.eclipse.jetty.util.URIUtil;
 import org.eclipse.jetty.util.resource.Resource;
@@ -59,6 +61,7 @@ public class ResourceFileServlet extends HttpServlet {
   private Resource resourceBase;
   private String[] welcomeFiles;
   private FileSender fSender;
+  private AliasCheck aliasCheck;
   ServletContextHandler chandler;
   ServletContext context;
   String defaultServletName;
@@ -90,6 +93,12 @@ public void init() throws ServletException {
     try {
       URL resourceBaseUrl = context.getResource("/" + appVersion.getPublicRoot());
       resourceBase = (resourceBaseUrl == null) ? null : ResourceFactory.of(chandler).newResource(resourceBaseUrl);
+      if (resourceBase != null) {
+        ContextHandler contextHandler = ContextHandler.getContextHandler(context);
+        contextHandler.addAliasCheck(
+            new AllowedResourceAliasChecker(contextHandler.getCoreContextHandler(), resourceBase));
+        aliasCheck = contextHandler.getCoreContextHandler();
+      }
     } catch (Exception ex) {
       throw new ServletException(ex);
     }
@@ -162,41 +171,32 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
     }
 
     // Find the resource
-    Resource resource = null;
-    try {
-      resource = getResource(pathInContext);
+    Resource resource = getResource(pathInContext);
+    if (resource == null) {
+      response.sendError(HttpServletResponse.SC_NOT_FOUND);
+      return;
+    }
 
-      if (resource == null) {
-        response.sendError(HttpServletResponse.SC_NOT_FOUND);
-        return;
-      }
+    if (StringUtil.endsWithIgnoreCase(resource.getName(), ".jsp")) {
+      // General paranoia: don't ever serve raw .jsp files.
+      response.sendError(HttpServletResponse.SC_NOT_FOUND);
+      return;
+    }
 
-      if (StringUtil.endsWithIgnoreCase(resource.getName(), ".jsp")) {
-        // General paranoia: don't ever serve raw .jsp files.
-        response.sendError(HttpServletResponse.SC_NOT_FOUND);
-        return;
+    // Handle resource
+    if (resource.isDirectory()) {
+      if (included || !fSender.checkIfUnmodified(request, response, resource)) {
+        response.sendError(HttpServletResponse.SC_FORBIDDEN);
       }
-
-      // Handle resource
-      if (resource.isDirectory()) {
-        if (included || !fSender.checkIfUnmodified(request, response, resource)) {
-          response.sendError(HttpServletResponse.SC_FORBIDDEN);
-        }
+    } else {
+      if (!resource.exists() || !aliasCheck.checkAlias(pathInContext, resource)) {
+        logger.atWarning().log("Non existent resource: %s = %s", pathInContext, resource);
+        response.sendError(HttpServletResponse.SC_NOT_FOUND);
       } else {
-        if (resource == null || !resource.exists()) {
-          logger.atWarning().log("Non existent resource: %s = %s", pathInContext, resource);
-          response.sendError(HttpServletResponse.SC_NOT_FOUND);
-        } else {
-          if (included || !fSender.checkIfUnmodified(request, response, resource)) {
-            fSender.sendData(context, response, included, resource, request.getRequestURI());
-          }
+        if (included || !fSender.checkIfUnmodified(request, response, resource)) {
+          fSender.sendData(context, response, included, resource, request.getRequestURI());
         }
       }
-    } finally {
-      if (resource != null) {
-        // TODO: do we need to release.
-        // resource.release();
-      }
     }
   }
 
@@ -226,6 +226,7 @@ protected boolean isProtectedPath(String target) {
   private Resource getResource(String pathInContext) {
     try {
       if (resourceBase != null) {
+        pathInContext = URIUtil.encodePath(pathInContext);
         return resourceBase.resolve(pathInContext);
       }
     } catch (Exception ex) {
