Merge pull request #49 from jayasheelankumar/url_normalize

Updated the fix for normalize the URL
javaee · Apr 18, 2018 · f145b8c · f145b8c
2 parents 9f32e27 + 6069d03
commit f145b8c
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 37 deletions.
diff --git a/...mplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java b/...mplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java
@@ -117,48 +117,49 @@ public String getResourcePath(Context ctx) {
      *	    security reasons.</p>
      */
     public static String normalize(String origPath) {
-	String path = origPath;
+        String path = origPath;
 
-	// Normalize it...
-	if ((path != null) && (path.length() > 0)) {
-	    path = path.replace('\\', '/');
-            // Remove leading '/' chars
-	    while ((path.length() > 0) && (path.charAt(0) == '/')) {
-		path = path.substring(1);
-	    }
+        // Normalize it...
+        if ((path != null) && (path.length() > 0)) {
+            path = path.replace('\\', '/');
+
+            if (path.charAt(0) != '/') {
+                path = ("/").concat(path);
+            }
             // Replace all double "//" with "/"
-	    while (path.indexOf("//") != -1) {
-		path = path.replace("//", "/");
+            if (path.contains("//")) {
+                path = path.replaceAll("//", "/");
             }
-	    for (int idx = path.indexOf("/../"); idx != -1; idx = path.indexOf("/../")) {
-		if (idx == 0) {
-		    // Make sure we're not trying to go before the context root
-		    LogUtil.info("JSFT0010", origPath);
-		    throw new IllegalArgumentException(
-			"Invalid Resource Path: '" + origPath + "'");
-		}
-		// Create new path after evaluating ".."
-		int prevPathIdx = path.lastIndexOf('/', idx-2) + 1;
-		path = path.substring(0, prevPathIdx)	// before x/../
-		    + path.substring(idx + 4);		// after  x/../
-		while ((path.length() > 0) && (path.charAt(0) == '/')) {
-		    // Remove leading '/' chars
-		    path = path.substring(1);
-		}
+            for (int idx = path.indexOf("/../"); idx != -1; idx = path.indexOf("/../")) {
+                if (idx == 0) {
+                    // Make sure we're not trying to go before the context root
+                    LogUtil.info("JSFT0010", origPath);
+                    throw new IllegalArgumentException(
+                            "Invalid Resource Path: '" + origPath + "'");
+                }
+                // Create new path after evaluating ".."
+                int prevPathIdx = path.lastIndexOf('/', idx - 2) + 1;
+                path = path.substring(0, prevPathIdx) // before x/../
+                        + path.substring(idx + 4);		// after  x/../
             }
-	    // We check for "../" so ".." at the end of a path could occur,
-	    // which is fine, unless it is also at the beginning...
-	    if (path.equals("..")) {
-		path = null;
-	    }
 
-	    // Last ensure path does not end in a '/'
-	    if (path.endsWith("/")) {
-		path = path.substring(0, path.length()-1);
-		}
-	}
-	return path;
-	}
+            // Remove leading '/' chars
+            while ((path.length() > 0) && (path.charAt(0) == '/')) {
+                path = path.substring(1);
+            }
+            // We check for "../" so ".." at the end of a path could occur,
+            // which is fine, unless it is also at the beginning...
+            if (path.equals("..")) {
+                path = null;
+            }
+
+            // Last ensure path does not end in a '/'
+            if (path != null && path.endsWith("/")) {
+                path = path.substring(0, path.length() - 1);
+            }
+        }
+        return path;
+    }
 
     /**
      *	<p> This method may be used to clean up any temporary resources.  It

diff --git a/...ting/src/test/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSourceTest.java b/...ting/src/test/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSourceTest.java
@@ -0,0 +1,38 @@
+/**
+ * 
+ */
+package com.sun.jsftemplating.util.fileStreamer;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * TestCase for <code>ResourceContentSource</code>.
+ */
+public class ResourceContentSourceTest {
+
+    @Test(expected = IllegalArgumentException.class)
+    public void normalizeDoesNotAccessContextRootParent() {
+        final String testPath = "../bad/path";
+        ResourceContentSource.normalize(testPath);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void normalizeDoesNotAccessContextRootParentWithLeadingSlash() {
+        final String testPath = "/../bad/path";
+        ResourceContentSource.normalize(testPath);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void doesNotGoBackTooFar() {
+        final String testPath = "/path/../../../../too/many/backward";
+        ResourceContentSource.normalize(testPath);
+    }
+
+    @Test
+    public void removesExtraSlashesAndBackwardPaths() {
+        final String testPath = "//OK/path//with/extra/slashes/and/..//in/the/middle/";
+        final String result = ResourceContentSource.normalize(testPath);
+        Assert.assertEquals("Wrong result", "OK/path/with/extra/slashes/in/the/middle", result);
+    }
+}