Hi,

Thank you for the quick reply. I've added the following rule in my AppModule:

    @Contribute(ClasspathAssetProtectionRule.class)
    public static void contributeClasspathAssetProtectionRule(
            OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
    {
        // Block any request whose last path segment has no file extension,
        // which is what a directory looks like (with or without a trailing slash).
        ClasspathAssetProtectionRule fileWithDot = (s) -> !s.toLowerCase().matches(".*\\.[^/]+");
        configuration.add("DirectoryListing", fileWithDot);
    }

Note that the directory listing is displayed even without any trailing forward slash. Then I've forced the requested file name to end with a "." followed by some characters (anything but a forward slash).

I wonder if that configuration should be put in by default, or enabled via a configuration switch described in https://tapestry.apache.org/security.html

Thank you again.
Nicolas.

On Thu, 16 Jan 2020 at 10:43, Dmitry Gusev <dmitry.gu...@gmail.com> wrote:

> Hi,
>
> I wasn't aware of it, thanks for bringing it up.
>
> From what I found in code, AssetsModule contributes three asset protection
> rules: for .xml, .class, and .properties files:
>
>     public static void contributeClasspathAssetProtectionRule(
>             OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
>     {
>         ClasspathAssetProtectionRule classFileRule = (s) -> s.toLowerCase().endsWith(".class");
>         configuration.add("ClassFile", classFileRule);
>
>         ClasspathAssetProtectionRule propertiesFileRule = (s) -> s.toLowerCase().endsWith(".properties");
>         configuration.add("PropertiesFile", propertiesFileRule);
>
>         ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
>         configuration.add("XMLFile", xmlFileRule);
>     }
>
> So as a possible workaround you could contribute another rule that vetoes
> asset requests that have no file extension (or end with a forward slash),
> which should cover directory entries.
>
> On Thu, Jan 16, 2020 at 12:22 PM Nicolas Bouillon <nico...@bouillon.net>
> wrote:
>
> > Hi all,
> >
> > Following a pen-test of our application, it has been raised that the
> > list of assets is visible as a directory listing.
> >
> > For example, we have a JavaScript file available at this location
> > /assets/meta/z58f7f3d4/javascript/library.js but when we access
> > /assets/meta/z58f7f3d4/javascript/ the web server lists all files
> > available in the META-INF.assets.javascript directory of the project.
> >
> > Do you know how to prevent this listing?
> >
> > It looks to me like it's happening in
> > org.apache.tapestry5.internal.services.assets.ClasspathAssetRequestHandler#handleAssetRequest
> > and then in
> > org.apache.tapestry5.internal.services.ResourceStreamerImpl#streamResource(org.apache.tapestry5.ioc.Resource,
> > org.apache.tapestry5.services.assets.StreamableResource,
> > java.lang.String,
> > java.util.Set<org.apache.tapestry5.internal.services.ResourceStreamer.Options>)
> >
> > Thank you,
> > Nicolas.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> > For additional commands, e-mail: users-h...@tapestry.apache.org
> >
>
> --
> Dmitry Gusev
>
> AnjLab Team
> http://anjlab.com
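To make the combined behaviour of the built-in rules and the "DirectoryListing" workaround concrete, here is an added, self-contained Java example; it is not code from the thread and not Tapestry's own implementation. The local `ClasspathAssetProtectionRule` interface, its `block` method name and the `LinkedHashMap` used in place of `OrderedConfiguration` are assumptions so the file compiles without tapestry-core on the classpath; the rule bodies are exactly the ones quoted above. The request paths are constructed test inputs. The last one illustrates the limit of the extension heuristic: a directory whose own name contains a dot, requested without a trailing slash, passes every rule.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

public class AssetProtectionRulesDemo {

    /**
     * Stand-in for Tapestry's ClasspathAssetProtectionRule so this compiles
     * without tapestry-core (assumption: the real type is a single-method
     * functional interface returning true when the request must be blocked,
     * the convention the rules quoted in the thread rely on).
     */
    @FunctionalInterface
    interface ClasspathAssetProtectionRule {
        boolean block(String path);
    }

    /** Ordered name -> rule map standing in for the OrderedConfiguration contributions. */
    static Map<String, ClasspathAssetProtectionRule> buildRules() {
        Map<String, ClasspathAssetProtectionRule> rules = new LinkedHashMap<>();

        // The three rules AssetsModule contributes, as quoted in the thread.
        rules.put("ClassFile", s -> s.toLowerCase().endsWith(".class"));
        rules.put("PropertiesFile", s -> s.toLowerCase().endsWith(".properties"));
        rules.put("XMLFile", s -> s.toLowerCase().endsWith(".xml"));

        // The workaround rule: block any path whose last segment carries no
        // extension, i.e. anything that looks like a directory, slash or not.
        rules.put("DirectoryListing", s -> !s.toLowerCase().matches(".*\\.[^/]+"));
        return rules;
    }

    /** Name of the first rule that blocks the path, or empty when the request passes. */
    static Optional<String> firstBlockingRule(Map<String, ClasspathAssetProtectionRule> rules,
                                              String path) {
        for (Map.Entry<String, ClasspathAssetProtectionRule> e : rules.entrySet()) {
            if (e.getValue().block(path)) {
                return Optional.of(e.getKey());
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        Map<String, ClasspathAssetProtectionRule> rules = buildRules();

        // Constructed request paths: the part after the /assets/meta/<checksum>/ prefix.
        String[] paths = {
            "javascript/library.js",     // ordinary asset: allowed
            "javascript/",               // directory with trailing slash: blocked
            "javascript",                // directory without trailing slash: also blocked
            "javascript/Library.CLASS",  // built-in rule, matched case-insensitively
            "messages.properties",       // built-in rule
            "layout.xml",                // built-in rule
            "lib.v2/",                   // dotted directory name, trailing slash: still blocked
            "lib.v2",                    // dotted directory name, no slash: NOT caught
        };

        for (String p : paths) {
            String verdict = firstBlockingRule(rules, p)
                    .map(r -> "BLOCKED by " + r)
                    .orElse("allowed");
            System.out.printf("%-28s %s%n", p, verdict);
        }
    }
}
```

Compile and run with `javac AssetProtectionRulesDemo.java && java AssetProtectionRulesDemo`. Because the rules are consulted in contribution order, a blocked request reports the first rule that vetoed it; the built-in rules fire before "DirectoryListing" for `.class`, `.properties` and `.xml` paths, and the workaround handles the directory-shaped paths the built-ins never look at.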