QPID-8594: [Broker-J] File Disclosure in management-http plugin (#136)

diff --git a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RewriteRequestForUncompressedJavascript.java b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RewriteRequestForUncompressedJavascript.java
index 155a6af..f9280d6 100644
--- a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RewriteRequestForUncompressedJavascript.java
+++ b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RewriteRequestForUncompressedJavascript.java
@@ -22,27 +22,23 @@
 package org.apache.qpid.server.management.plugin.filter;
 
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 
-import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
-import org.apache.qpid.server.management.plugin.HttpManagementUtil;
-import org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.plugin.QpidServiceLoader;
-
+/**
+ * Filter is active when context variable "qpid.httpManagement.serveUncompressedDojo" has value true.
+ *
+ * It redirects request from regular dojo file to uncompressed dojo file,
+ * e.g. /dojo/dojo.js => /dojo/dojo.js.uncompressed.js
+ *
+ * Is used mostly for debug purposes.
+ */
 public class RewriteRequestForUncompressedJavascript implements Filter
 {
 
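Review bot: The new class Javadoc says the filter "redirects request from regular dojo file to uncompressed dojo file", but the only dispatch in doFilter (in the next hunk) is `RequestDispatcher.forward`, a server-side forward the client never observes, so "redirect" describes the wrong mechanism to a reader. Suggest `* It forwards a request for a regular dojo file to the uncompressed dojo file,` and, on the activation line, naming the context variable's effect precisely rather than "is active". The rest of the class, including the constants the filter matches on, starts after this hunk.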
@@ -54,27 +50,25 @@
     {
     }
 
-
     @Override
     public void destroy()
     {
     }
 
     @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
-            ServletException
+    public void doFilter(final ServletRequest request,
+                         final ServletResponse response,
+                         final FilterChain chain) throws IOException, ServletException
     {
-
         final String requestURI = ((HttpServletRequest) request).getRequestURI();
-        if (requestURI.endsWith(JS_SUFFIX) && !requestURI.endsWith(UNCOMPRESSED_JS_SUFFIX))
+        if (requestURI.endsWith(JS_SUFFIX) && !requestURI.endsWith(UNCOMPRESSED_JS_SUFFIX) && !requestURI.contains("../"))
         {
-            final String replacementRequestURI = requestURI + UNCOMPRESSED_JS_SUFFIX;
-            request.getRequestDispatcher(replacementRequestURI).forward(request, response);
+            final String uncompressedJsUri = requestURI + UNCOMPRESSED_JS_SUFFIX;
+            request.getRequestDispatcher(uncompressedJsUri).forward(request, response);
         }
         else
         {
             chain.doFilter(request, response);
         }
     }
-
 }
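Review bot: The added `!requestURI.contains("../")` test runs on the raw value of `getRequestURI()`, which the servlet container hands back undecoded and unnormalized, so it rejects only that literal three-character sequence rather than every spelling of a parent-directory segment, while the forwarded path is still built directly from the same string. A sturdier shape canonicalizes first and rejects anything that still steps upward, e.g. `final String path = URI.create(requestURI).normalize().getPath();` followed by `!path.startsWith("/..") && !path.contains("/../")` in place of the `contains` check (this needs `java.net.URI`, `URI.create` throws `IllegalArgumentException` on malformed input, and `normalize()` keeps leading `..` segments, hence the `startsWith` clause); alternatively require `path` to begin with the dojo prefix the class Javadoc says it serves. The condition also deserves a why-comment, e.g. `// never forward to a location outside the script directory`. `JS_SUFFIX` and `UNCOMPRESSED_JS_SUFFIX` are declared outside the hunk, so their values cannot be checked here.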