(wicket) 03/04: WICKET-7024 URL parameters sanitization

Fri, 01 Nov 2024 07:53:16 -0700 

This is an automated email from the ASF dual-hosted git repository.

adelbene pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git

commit 38cb92c1091d6006ff7d0ab6e71d91a9a3518394
Author: Pedro Santos <[email protected]>
AuthorDate: Tue Oct 29 11:21:28 2024 -0300

    WICKET-7024 URL parameters sanitization
---
 .../locator/CachingResourceStreamLocatorTest.java  | 14 ++++----
 .../resource/locator/IResourceStreamLocator.java   | 24 +++++++++++++
 .../resource/locator/ResourceStreamLocator.java    | 15 ++++++++
 .../caching/CachingResourceStreamLocator.java      | 17 +++++++--
 .../wicket/request/resource/PackageResource.java   |  9 ++---
 .../request/resource/PackageResourceReference.java | 41 +++++++++++++++++++---
 6 files changed, 102 insertions(+), 18 deletions(-)

diff --git 
a/wicket-core-tests/src/test/java/org/apache/wicket/core/util/resource/locator/CachingResourceStreamLocatorTest.java
 
b/wicket-core-tests/src/test/java/org/apache/wicket/core/util/resource/locator/CachingResourceStreamLocatorTest.java
index fd15e29cb3..6b1f55c71f 100644
--- 
a/wicket-core-tests/src/test/java/org/apache/wicket/core/util/resource/locator/CachingResourceStreamLocatorTest.java
+++ 
b/wicket-core-tests/src/test/java/org/apache/wicket/core/util/resource/locator/CachingResourceStreamLocatorTest.java
@@ -168,7 +168,7 @@ class CachingResourceStreamLocatorTest
                FileResourceStream frs = new FileResourceStream(new File("."));
 
                when(resourceStreamLocator.locate(String.class, "path", 
"style", "variation", null,
-                       "extension", true)).thenReturn(frs);
+                       "extension", true, true)).thenReturn(frs);
 
                CachingResourceStreamLocator cachingLocator = new 
CachingResourceStreamLocator(
                        resourceStreamLocator);
@@ -178,7 +178,7 @@ class CachingResourceStreamLocatorTest
 
                // there is a file resource with that Key so expect just one 
call to the delegate
                verify(resourceStreamLocator, times(1)).locate(String.class, 
"path", "style", "variation",
-                       null, "extension", true);
+                       null, "extension", true, true);
        }
 
        /**
@@ -192,7 +192,7 @@ class CachingResourceStreamLocatorTest
                FileResourceStream frs = new FileResourceStream(new File("."));
 
                when(resourceStreamLocator.locate(String.class, "path", 
"style", "variation", null,
-                       "extension", true)).thenReturn(frs);
+                       "extension", true, true)).thenReturn(frs);
 
                CachingResourceStreamLocator cachingLocator = new 
CachingResourceStreamLocator(
                        resourceStreamLocator);
@@ -203,9 +203,9 @@ class CachingResourceStreamLocatorTest
 
                // there is a file resource with that Key so expect just one 
call to the delegate
                verify(resourceStreamLocator, times(1)).locate(String.class, 
"path", "style", "variation",
-                       null, "extension", true);
+                       null, "extension", true, true);
                verify(resourceStreamLocator, times(1)).locate(String.class, 
"path", "style", "variation",
-                       null, "extension2", true);
+                       null, "extension2", true, true);
        }
 
        /**
@@ -244,7 +244,7 @@ class CachingResourceStreamLocatorTest
                StringResourceStream srs = new StringResourceStream("anything");
 
                when(resourceStreamLocator.locate(String.class, "path", 
"style", "variation", null,
-                       "extension", true)).thenReturn(srs);
+                       "extension", true, true)).thenReturn(srs);
 
                CachingResourceStreamLocator cachingLocator = new 
CachingResourceStreamLocator(
                        resourceStreamLocator);
@@ -255,6 +255,6 @@ class CachingResourceStreamLocatorTest
                // lightweight resource streams should not be cached so expect 
just a call to the delegate
                // for each call to the caching locator
                verify(resourceStreamLocator, times(2)).locate(String.class, 
"path", "style", "variation",
-                       null, "extension", true);
+                       null, "extension", true, true);
        }
 }
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/IResourceStreamLocator.java
 
b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/IResourceStreamLocator.java
index c0a34e38b9..0521845d24 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/IResourceStreamLocator.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/IResourceStreamLocator.java
@@ -64,10 +64,34 @@ public interface IResourceStreamLocator
         * @param strict
         *            whether the specified attributes must match exactly
         * @return The resource or null
+        * @deprecated
         */
        IResourceStream locate(Class<?> clazz, String path, String style, 
String variation,
                Locale locale, String extension, boolean strict);
 
+       /**
+        * Locate a resource by combining the given path, style, variation, 
locale and extension
+        * parameters. The exact search order depends on the implementation.
+        * 
+        * @param clazz
+        *            The class loader for delegating the loading of the 
resource
+        * @param path
+        *            The path of the resource
+        * @param style
+        *            Any resource style, such as a skin style (see {@link 
org.apache.wicket.Session})
+        * @param variation
+        *            The component's variation (of the style)
+        * @param locale
+        *            The locale of the resource to load
+        * @param extension
+        *            A comma separate list of extensions
+        * @param strict
+        *            whether the specified attributes must match exactly
+        * @return The resource or null
+        */
+       IResourceStream locate(Class<?> clazz, String path, String style, 
String variation,
+               Locale locale, String extension, boolean strict, boolean 
updateCache);
+
        /**
         * Markup resources and Properties files both need to iterate over 
different combinations of
         * locale, style, etc.. And though no single locate(..) method exists 
which is used by both,
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
 
b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
index 55a15c449c..f59e6ec138 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
@@ -140,10 +140,25 @@ public class ResourceStreamLocator implements 
IResourceStreamLocator
         * @see 
org.apache.wicket.core.util.resource.locator.IResourceStreamLocator#locate(java.lang.Class,
         *      java.lang.String, java.lang.String, java.lang.String, 
java.util.Locale,
         *      java.lang.String, boolean)
+        * @deprecated
         */
        @Override
        public IResourceStream locate(final Class<?> clazz, String path, final 
String style,
                final String variation, Locale locale, final String extension, 
final boolean strict)
+       {
+               return locate(clazz, path, style, variation, locale, extension, 
strict, true);
+       }
+
+       /**
+        * 
+        * @see 
org.apache.wicket.core.util.resource.locator.IResourceStreamLocator#locate(java.lang.Class,
+        *      java.lang.String, java.lang.String, java.lang.String, 
java.util.Locale,
+        *      java.lang.String, boolean)
+        */
+       @Override
+       public IResourceStream locate(final Class<?> clazz, String path, final 
String style,
+               final String variation, Locale locale, final String extension, 
final boolean strict,
+               boolean updateCache)
        {
                // If path contains a locale, then it'll replace the locale 
provided to this method
                PathLocale data = ResourceUtils.getLocaleFromFilename(path);
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/caching/CachingResourceStreamLocator.java
 
b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/caching/CachingResourceStreamLocator.java
index f9b3624320..6eed118ab9 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/caching/CachingResourceStreamLocator.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/caching/CachingResourceStreamLocator.java
@@ -109,9 +109,19 @@ public class CachingResourceStreamLocator implements 
IResourceStreamLocator
                }
        }
 
+       /**
+        * @deprecated
+        */
        @Override
        public IResourceStream locate(Class<?> scope, String path, String 
style, String variation,
                Locale locale, String extension, boolean strict)
+       {
+               return locate(scope, path, style, variation, locale, extension, 
strict, true);
+       }
+
+       @Override
+       public IResourceStream locate(Class<?> scope, String path, String 
style, String variation,
+               Locale locale, String extension, boolean strict, boolean 
updateCache)
        {
                CacheKey key = new CacheKey(scope.getName(), path, extension, 
locale, style, variation, strict);
                IResourceStreamReference resourceStreamReference = 
cache.get(key);
@@ -119,9 +129,12 @@ public class CachingResourceStreamLocator implements 
IResourceStreamLocator
                final IResourceStream result;
                if (resourceStreamReference == null)
                {
-                       result = delegate.locate(scope, path, style, variation, 
locale, extension, strict);
+                       result = delegate.locate(scope, path, style, variation, 
locale, extension, strict, updateCache);
 
-                       updateCache(key, result);
+                       if (updateCache)
+                       {
+                               updateCache(key, result);
+                       }
                }
                else
                {
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java
 
b/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java
index 7a8a8079e7..63d9eda185 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java
@@ -531,8 +531,8 @@ public class PackageResource extends AbstractResource 
implements IStaticCacheabl
        @Override
        public IResourceStream getResourceStream()
        {
-               return internalGetResourceStream(getCurrentStyle(), 
getCurrentLocale());
-       }
+               return internalGetResourceStream(getCurrentStyle(), 
getCurrentLocale(), isCachingEnabled());
+       }
 
        /**
         * @return whether {@link 
org.apache.wicket.resource.ITextResourceCompressor} can be used to
@@ -552,13 +552,13 @@ public class PackageResource extends AbstractResource 
implements IStaticCacheabl
                this.compress = compress;
        }
 
-       private IResourceStream internalGetResourceStream(final String style, 
final Locale locale)
+       private IResourceStream internalGetResourceStream(final String style, 
final Locale locale, boolean updateCache)
        {
                IResourceStreamLocator resourceStreamLocator = Application.get()
                        .getResourceSettings()
                        .getResourceStreamLocator();
                IResourceStream resourceStream = 
resourceStreamLocator.locate(getScope(), absolutePath,
-                       style, variation, locale, null, false);
+                       style, variation, locale, null, false, updateCache);
 
                String realPath = absolutePath;
                if (resourceStream instanceof IFixedLocationResourceStream)
@@ -855,4 +855,5 @@ public class PackageResource extends AbstractResource 
implements IStaticCacheabl
                this.readBuffered = readBuffered;
                return this;
        }
+
 }
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResourceReference.java
 
b/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResourceReference.java
index 67634e10da..83014337b5 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResourceReference.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResourceReference.java
@@ -18,6 +18,7 @@ package org.apache.wicket.request.resource;
 
 import static 
org.apache.wicket.util.resource.ResourceUtils.MIN_POSTFIX_DEFAULT_AS_EXTENSION;
 
+import java.io.IOException;
 import java.util.Locale;
 import java.util.concurrent.ConcurrentMap;
 
@@ -123,11 +124,41 @@ public class PackageResourceReference extends 
ResourceReference
                        urlAttributes = 
ResourceUtil.decodeResourceReferenceAttributes(url);
                }
 
-               final String currentVariation = 
getCurrentVariation(urlAttributes);
-               final String currentStyle = getCurrentStyle(urlAttributes);
-               final Locale currentLocale = getCurrentLocale(urlAttributes);
-               final Class<?> scope = getScope();
-               final String name = getName();
+               String currentVariation = getCurrentVariation(urlAttributes);
+               String currentStyle = getCurrentStyle(urlAttributes);
+               Locale currentLocale = getCurrentLocale(urlAttributes);
+               Class<?> scope = getScope();
+               String name = getName();
+
+               if (urlAttributes != null) // sanitize
+               {
+                       PackageResource urlResource = new 
PackageResource(scope, name, currentLocale,
+                               currentStyle, currentVariation);
+                       urlResource.setCachingEnabled(false);
+                       IResourceStream filesystemMatch = 
urlResource.getResourceStream();
+
+                       ResourceReference.Key urlKey = new 
ResourceReference.Key(scope.getName(), name,
+                               currentLocale, currentStyle, currentVariation);
+
+                       ResourceReference.Key filesystemKey = new 
ResourceReference.Key(scope.getName(), name,
+                               filesystemMatch.getLocale(), 
filesystemMatch.getStyle(),
+                               filesystemMatch.getVariation());
+
+                       if (!urlKey.equals(filesystemKey))
+                       {
+                               currentLocale = filesystemKey.getLocale();
+                               currentStyle = filesystemKey.getStyle();
+                               currentVariation = filesystemKey.getVariation();
+                       }
+                       try
+                       {
+                               filesystemMatch.close();
+                       }
+                       catch (IOException e)
+                       {
+                               log.error("failed to close", e);
+                       }
+               }
 
                if (CSS_EXTENSION.equals(extension))
                {

Reply via email to