• Home
• org.wicketstuff
• wicketstuff-bundle
• 7.8.1
• source code
• PackageResourceGuard.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.apache.wicket.markup.html.PackageResourceGuard Maven / Gradle / Ivy

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.wicket.markup.html;

import java.io.File;
import java.util.HashSet;
import java.util.Set;

import org.apache.wicket.Application;
import org.apache.wicket.util.string.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;


/**
 * Default implementation of {@link IPackageResourceGuard}. By default, the extensions 'properties',
 * 'class' and 'java' are blocked and files like 'log4j.xml' and 'applicationContext.xml'
 * 
 * A more secure implementation which by default denies access to any resource is
 * {@link SecurePackageResourceGuard}
 * 
 * @author eelcohillenius
 */
public class PackageResourceGuard implements IPackageResourceGuard
{
	/** Log. */
	private static final Logger log = LoggerFactory.getLogger(PackageResourceGuard.class);

	/** Set of extensions that are denied access. */
	private Set blockedExtensions = new HashSet<>(4);

	/** Set of filenames that are denied access. */
	private Set blockedFiles = new HashSet<>(4);

	private boolean allowAccessToRootResources = false;

	/**
	 * Construct.
	 */
	public PackageResourceGuard()
	{
		blockedExtensions.add("properties");
		blockedExtensions.add("class");
		blockedExtensions.add("java");

		blockedFiles.add("applicationContext.xml");
		blockedFiles.add("log4j.xml");
	}

	/**
	 * @see org.apache.wicket.markup.html.IPackageResourceGuard#accept(java.lang.String)
	 */
	public boolean accept(String path)
	{
		int ixExtension = path.lastIndexOf('.');
		int len = path.length();
		final String ext;
		if (ixExtension <= 0 || ixExtension == len ||
			(path.lastIndexOf('/') + 1) == ixExtension ||
			(path.lastIndexOf('\\') + 1) == ixExtension)
		{
			ext = null;
		}
		else
		{
			ext = path.substring(ixExtension + 1).toLowerCase().trim();
		}

		if ("html".equals(ext))
		{
			String prefix = path.substring(0, ixExtension);

			ClassLoader classLoader = getClass().getClassLoader();
			while (true)
			{
				if (classLoader.getResource(prefix + ".class") != null)
				{
					log.warn("Access denied to shared (static) resource because it is a Wicket markup file: " +
						path);
					return false;
				}

				int ixUnderscore = prefix.lastIndexOf('_');
				if (ixUnderscore == -1)
				{
					break;
				}

				prefix = prefix.substring(0, ixUnderscore);
			}
		}

		if (acceptExtension(ext) == false)
		{
			log.warn("Access denied to shared (static) resource because of the file extension: " +
				path);
			return false;
		}

		String filename = Strings.lastPathComponent(path, File.separatorChar);
		if (acceptFile(filename) == false)
		{
			log.warn("Access denied to shared (static) resource because of the file name: " + path);
			return false;
		}

		// Only if a placeholder, e.g. $up$ is defined, access to parent directories is allowed
		if (Strings.isEmpty(Application.get().getResourceSettings().getParentFolderPlaceholder()))
		{
			if (path.contains(".."))
			{
				log.warn("Access to parent directories via '..' is by default disabled for shared resources: " +
					path);
				return false;
			}
		}

		//
		// for windows we have to check both File.separator ('\') and the usual '/' since both can
		// be used and are used interchangeably
		//

		if (!allowAccessToRootResources)
		{
			String absolute = path;
			if ("\\".equals(File.separator))
			{
				// handle a windows path which may have a drive letter in it

				int drive = absolute.indexOf(":\\");
				if (drive < 0)
				{
					drive = absolute.indexOf(":/");
				}
				if (drive > 0)
				{
					// strip the drive letter off the path
					absolute = absolute.substring(drive + 2);
				}
			}

			if (absolute.startsWith(File.separator) || absolute.startsWith("/"))
			{
				absolute = absolute.substring(1);
			}
			if (!absolute.contains(File.separator) && !absolute.contains("/"))
			{
				log.warn("Access to root directory is by default disabled for shared resources: " +
					path);
				return false;
			}
		}

		return true;
	}

	/**
	 * Whether the provided extension is accepted.
	 * 
	 * @param extension
	 *            The extension, starting from the class root (packages are separated with forward
	 *            slashes instead of dots).
	 * @return True if accepted, false otherwise.
	 */
	protected boolean acceptExtension(String extension)
	{
		return (!blockedExtensions.contains(extension));
	}

	/**
	 * Whether the provided filename is accepted.
	 * 
	 * @param file
	 *            filename
	 * @return True if accepted, false otherwise.
	 */
	protected boolean acceptFile(String file)
	{
		if (file != null)
		{
			file = file.trim();
		}
		return (!blockedFiles.contains(file));
	}

	/**
	 * Gets the set of extensions that are denied access.
	 * 
	 * @return The set of extensions that are denied access
	 */
	protected final Set getBlockedExtensions()
	{
		return blockedExtensions;
	}

	/**
	 * Gets the set of extensions that are denied access.
	 * 
	 * @return The set of extensions that are denied access
	 */
	protected final Set getBlockedFiles()
	{
		return blockedFiles;
	}

	/**
	 * Sets the set of extensions that are denied access.
	 * 
	 * @param blockedExtensions
	 *            Set of extensions that are denied access
	 */
	protected final void setBlockedExtensions(Set blockedExtensions)
	{
		this.blockedExtensions = blockedExtensions;
	}

	/**
	 * Sets the set of filenames that are denied access.
	 * 
	 * @param blockedFiles
	 *            Set of extensions that are denied access
	 */
	protected final void setBlockedFiles(Set blockedFiles)
	{
		this.blockedFiles = blockedFiles;
	}

	/**
	 * Checks whether or not resources in the web root folder can be access.
	 * 
	 * @return {@code true} iff root resources can be accessed
	 */
	public final boolean isAllowAccessToRootResources()
	{
		return allowAccessToRootResources;
	}

	/**
	 * Sets whether or not resources in the web root folder can be accessed.
	 * 
	 * @param allowAccessToRootResources
	 */
	public final void setAllowAccessToRootResources(boolean allowAccessToRootResources)
	{
		this.allowAccessToRootResources = allowAccessToRootResources;
	}
}