Fix #29 Service accepts excess slashes

ComLock · ComLock · commit dd6d5d7f2399 · 2024-09-25T15:35:34.000+02:00
diff --git a/src/bun/features/assetService.feature b/src/bun/features/assetService.feature
@@ -2,6 +2,7 @@ Feature: asset service
 
 Background: State is reset before each test
   Given the request is reset
+  Given loglevel is set to "silent"
 
 Scenario: Responds with 200 ok when resource found
   Given enonic is running in production mode
@@ -33,6 +34,126 @@ Scenario: Responds with 200 ok when resource found
     | etag          | "etag-index-css"                    |
     | cache-control | public, max-age=31536000, immutable |
 
+Scenario: Should return 404 when rawPath is serviceroot
+  Given enonic is running in production mode
+  Given the following resources:
+    | path    | exist |
+    | /assets | false |
+  Given the following request:
+    | property    | value                                                                                    |
+    | branch      | master                                                                                   |
+    | contextPath | /webapp/com.example.myproject/_/service/com.example.myproject/asset                      |
+    | host        | localhost                                                                                |
+    | method      | GET                                                                                      |
+    | mode        | live                                                                                     |
+    | port        | 8080                                                                                     |
+    | rawPath     | /webapp/com.example.myproject/_/service/com.example.myproject/asset                      |
+    | scheme      | http                                                                                     |
+    | url         | http://localhost:8080/webapp/com.example.myproject/_/service/com.example.myproject/asset |
+  # Then log info the request
+  # Given loglevel is set to "debug"
+  When the request is sent
+  # Then log info the response
+  Then the response should have the following properties:
+    | property    | value |
+    | status      | 404   |
+
+Scenario: Should return 404 when rawPath is serviceroot + /
+  Given enonic is running in production mode
+  Given the following resources:
+    | path    | exist |
+    | /assets | false |
+  Given the following request:
+    | property    | value                                                                                    |
+    | branch      | master                                                                                   |
+    | contextPath | /webapp/com.example.myproject/_/service/com.example.myproject/asset                      |
+    | host        | localhost                                                                                |
+    | method      | GET                                                                                      |
+    | mode        | live                                                                                     |
+    | port        | 8080                                                                                     |
+    | rawPath     | /webapp/com.example.myproject/_/service/com.example.myproject/asset/                     |
+    | scheme      | http                                                                                     |
+    | url         | http://localhost:8080/webapp/com.example.myproject/_/service/com.example.myproject/asset |
+  # Then log info the request
+  # Given loglevel is set to "debug"
+  When the request is sent
+  # Then log info the response
+  Then the response should have the following properties:
+    | property    | value |
+    | status      | 404   |
+
+Scenario: Should return 404 when rawPath is serviceroot + fingerprint
+  Given enonic is running in production mode
+  Given the following resources:
+    | path    | exist |
+    | /assets | false |
+  Given the following request:
+    | property    | value                                                                                                     |
+    | branch      | master                                                                                                    |
+    | contextPath | /webapp/com.example.myproject/_/service/com.example.myproject/asset                                       |
+    | host        | localhost                                                                                                 |
+    | method      | GET                                                                                                       |
+    | mode        | live                                                                                                      |
+    | port        | 8080                                                                                                      |
+    | rawPath     | /webapp/com.example.myproject/_/service/com.example.myproject/asset/1234567890123456                      |
+    | scheme      | http                                                                                                      |
+    | url         | http://localhost:8080/webapp/com.example.myproject/_/service/com.example.myproject/asset/1234567890123456 |
+  # Then log info the request
+  # Given loglevel is set to "debug"
+  When the request is sent
+  # Then log info the response
+  Then the response should have the following properties:
+    | property    | value |
+    | status      | 404   |
+
+Scenario: Should return 404 when rawPath is serviceroot + fingerprint + /
+  Given enonic is running in production mode
+  Given the following resources:
+    | path    | exist |
+    | /assets | false |
+  Given the following request:
+    | property    | value                                                                                                     |
+    | branch      | master                                                                                                    |
+    | contextPath | /webapp/com.example.myproject/_/service/com.example.myproject/asset                                       |
+    | host        | localhost                                                                                                 |
+    | method      | GET                                                                                                       |
+    | mode        | live                                                                                                      |
+    | port        | 8080                                                                                                      |
+    | rawPath     | /webapp/com.example.myproject/_/service/com.example.myproject/asset/1234567890123456/                     |
+    | scheme      | http                                                                                                      |
+    | url         | http://localhost:8080/webapp/com.example.myproject/_/service/com.example.myproject/asset/1234567890123456 |
+  # Then log info the request
+  # Given loglevel is set to "debug"
+  When the request is sent
+  # Then log info the response
+  Then the response should have the following properties:
+    | property    | value |
+    | status      | 404   |
+
+Scenario: Should return 404 when excess slashes
+  Given enonic is running in production mode
+  Given the following resources:
+    | path                | exist |
+    | /assets///index.css | false |
+  Given the following request:
+    | property    | value                                                                                                               |
+    | branch      | master                                                                                                              |
+    | contextPath | /webapp/com.example.myproject/_/service/com.example.myproject/asset                                                 |
+    | host        | localhost                                                                                                           |
+    | method      | GET                                                                                                                 |
+    | mode        | live                                                                                                                |
+    | port        | 8080                                                                                                                |
+    | rawPath     | /webapp/com.example.myproject/_/service/com.example.myproject/asset/1234567890123456///index.css                    |
+    | scheme      | http                                                                                                                |
+    | url         | http://localhost:8080/webapp/com.example.myproject/_/service/com.example.myproject/asset/1234567890123456/index.css |
+  # Then log info the request
+  # Given loglevel is set to "debug"
+  When the request is sent
+  # Then log info the response
+  Then the response should have the following properties:
+    | property    | value |
+    | status      | 404   |
+
 Scenario: prefers brotli even though it comes last and have lowest qvalue weight
   Given enonic is running in production mode
   Given the following resources:
diff --git a/src/main/resources/lib/enonic/asset/resource/path/getAbsoluteResourcePathWithoutTrailingSlash.ts b/src/main/resources/lib/enonic/asset/resource/path/getAbsoluteResourcePathWithoutTrailingSlash.ts
diff --git a/src/main/resources/lib/enonic/asset/resource/path/prefixWithRoot.ts b/src/main/resources/lib/enonic/asset/resource/path/prefixWithRoot.ts
@@ -5,7 +5,7 @@ export function prefixWithRoot({
   root = GETTER_ROOT,
   path,
 }: {
-  path: string,
+  path: string, // Can be empty string, or just a slash, or a full path starting with a slash
   root?: string
 }): string {
   // NOTE: For security reasons it's very important that GETTER_ROOT is the root
@@ -15,7 +15,7 @@ export function prefixWithRoot({
     log.error(errorMessage);
     throw new Error(errorMessage);
   }
-  return `/${root}/${path}`
-    .replace(/\/\/+/g, '/') // Replace multiple slashes with a single slash
+  const slashRoot = root.startsWith('/') ? root : `/${root}`;
+  return `${slashRoot}${path}`
     .replace(/\/$/, ''); // Remove trailing slash
 }
diff --git a/src/main/resources/services/asset/requestHandler.ts b/src/main/resources/services/asset/requestHandler.ts
@@ -20,7 +20,6 @@ import {read} from '../../lib/enonic/asset/etagReader';
 import {getMimeType} from '../../lib/enonic/asset/io';
 import {getLowerCasedHeaders} from '../../lib/enonic/asset/request/getLowerCasedHeaders';
 import {checkPath} from '../../lib/enonic/asset/resource/path/checkPath';
-// import {getAbsoluteResourcePathWithoutTrailingSlash} from '../../lib/enonic/asset/resource/path/getAbsoluteResourcePathWithoutTrailingSlash';
 import {prefixWithRoot} from '../../lib/enonic/asset/resource/path/prefixWithRoot';
 import {getRelativeResourcePath} from '../../lib/enonic/asset/resource/path/getRelativeResourcePath';
 import {getRootFromPath} from '../../lib/enonic/asset/resource/path/getRootFromPath';
@@ -68,6 +67,7 @@ export function requestHandler({
     log.debug('relPath "%s"', relPath);
 
     const rootPath = getRootFromPath(relPath);
+    log.debug('rootPath "%s"', rootPath);
 
     if (cacheBust) {
       if (rootPath === fingerprint) {
@@ -95,10 +95,7 @@ export function requestHandler({
     const root = configuredRoot();
     log.debug('root "%s"', root);
 
-    // const absResourcePathWithoutTrailingSlash = getAbsoluteResourcePathWithoutTrailingSlash({
-    //   request,
-    //   root
-    // });
+    log.debug('relPath2 "%s"', relPath);
     const absResourcePathWithoutTrailingSlash: string = prefixWithRoot({
       path: relPath,
       root,
