Do not support relative static resource paths

rstoyanchev · rstoyanchev · commit 1a0b577bfcb9 · 2024-10-14T15:54:59.000+01:00
Closes gh-33687
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
@@ -140,7 +140,7 @@ public static boolean isInvalidPath(String path) {
 				return true;
 			}
 		}
-		if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
+		if (path.contains("../")) {
 			if (logger.isWarnEnabled()) {
 				logger.warn(LogFormatUtils.formatValue(
 						"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));
diff --git a/spring-webflux/src/test/java/org/springframework/web/reactive/resource/ResourceWebHandlerTests.java b/spring-webflux/src/test/java/org/springframework/web/reactive/resource/ResourceWebHandlerTests.java
@@ -687,6 +687,7 @@ void resolvePathWithTraversal(HttpMethod method) throws Exception {
 
 			testResolvePathWithTraversal(method, "../testsecret/secret.txt");
 			testResolvePathWithTraversal(method, "test/../../testsecret/secret.txt");
+			testResolvePathWithTraversal(method, "/testsecret/test/../secret.txt");
 			testResolvePathWithTraversal(method, ":/../../testsecret/secret.txt");
 
 			location = new UrlResource(getClass().getResource("./test/"));
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
@@ -140,7 +140,7 @@ public static boolean isInvalidPath(String path) {
 				return true;
 			}
 		}
-		if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
+		if (path.contains("../")) {
 			if (logger.isWarnEnabled()) {
 				logger.warn(LogFormatUtils.formatValue(
 						"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java
@@ -643,6 +643,7 @@ void shouldRejectInvalidPath() throws Exception {
 			testInvalidPath("../testsecret/secret.txt");
 			testInvalidPath("test/../../testsecret/secret.txt");
 			testInvalidPath(":/../../testsecret/secret.txt");
+			testInvalidPath("/testsecret/test/../secret.txt");
 
 			Resource location = new UrlResource(ResourceHttpRequestHandlerTests.class.getResource("./test/"));
 			this.handler.setLocations(List.of(location));

Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,7 @@ public static boolean isInvalidPath(String path) {`
`140`	`140`	`return true;`
`141`	`141`	`}`
`142`	`142`	`}`
`143`		`- if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {`
	`143`	`+ if (path.contains("../")) {`
`144`	`144`	`if (logger.isWarnEnabled()) {`
`145`	`145`	`logger.warn(LogFormatUtils.formatValue(`
`146`	`146`	`"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));`