Hi, I wasn't aware of it, thanks for bringing it up.
From what I found in code, AssetsModule contributes three asset protection rules: for .xml, .class, and .properties files:

    public static void contributeClasspathAssetProtectionRule(
            OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
    {
        ClasspathAssetProtectionRule classFileRule = (s) -> s.toLowerCase().endsWith(".class");
        configuration.add("ClassFile", classFileRule);
        ClasspathAssetProtectionRule propertiesFileRule = (s) -> s.toLowerCase().endsWith(".properties");
        configuration.add("PropertiesFile", propertiesFileRule);
        ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
        configuration.add("XMLFile", xmlFileRule);
    }

So as a possible workaround you could contribute another rule that vetoes asset requests that have no file extension (or end with forward slash), which should cover directory entries.

On Thu, Jan 16, 2020 at 12:22 PM Nicolas Bouillon <nico...@bouillon.net> wrote:

> Hi all,
>
> Following a pen-test of our application, it has been raised that the
> list of assets is visible as a directory listing.
>
> For example, we have a javascript file available at this location
> /assets/meta/z58f7f3d4/javascript/library.js but when we access
> /assets/meta/z58f7f3d4/javascript/ the web server lists all files
> available in META-INF.assets.javascript directory of the project.
>
> Do you know how to prevent this listing?
>
> Looks like to me it's happening in
> org.apache.tapestry5.internal.services.assets.ClasspathAssetRequestHandler#handleAssetRequest
> and then in
> org.apache.tapestry5.internal.services.ResourceStreamerImpl#streamResource(org.apache.tapestry5.ioc.Resource,
> org.apache.tapestry5.services.assets.StreamableResource,
> java.lang.String,
> java.util.Set<org.apache.tapestry5.internal.services.ResourceStreamer.Options>)
>
> Thank you,
> Nicolas.

--
Dmitry Gusev

AnjLab Team
http://anjlab.com
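
One way to write the workaround suggested in the reply above, as an added example that is not code from the thread or from Tapestry itself. The module name `AssetHardeningModule`, the rule id `DirectoryEntry` and the helper `looksLikeDirectory` are hypothetical; the import packages are an assumption based on the `org.apache.tapestry5.ioc` class names quoted in the thread.

```java
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.ClasspathAssetProtectionRule;

// Hypothetical application module (name is an assumption, not from the thread).
public class AssetHardeningModule {

    // True when the path looks like a directory entry rather than a file:
    // empty, ending in a slash, or with a last segment that has no extension.
    static boolean looksLikeDirectory(String path) {
        if (path == null || path.isEmpty()) {
            return true;
        }
        String p = path.replace('\\', '/');
        if (p.endsWith("/")) {
            return true;
        }
        String last = p.substring(p.lastIndexOf('/') + 1);
        int dot = last.lastIndexOf('.');
        // No dot, a leading dot only (".hidden") or a trailing dot ("name.")
        // all count as "no extension" here, which errs on the side of blocking.
        return dot <= 0 || dot == last.length() - 1;
    }

    // Same contribution method name and signature as the AssetsModule code
    // quoted in the thread; "DirectoryEntry" is a made-up rule id.
    public static void contributeClasspathAssetProtectionRule(
            OrderedConfiguration<ClasspathAssetProtectionRule> configuration) {
        configuration.add("DirectoryEntry", AssetHardeningModule::looksLikeDirectory);
    }

    // Constructed sample paths; the exact form of the path Tapestry passes to
    // a rule is an assumption, so log real values before relying on this.
    public static void main(String[] args) {
        String[] samples = {
            "META-INF/assets/javascript/library.js",
            "META-INF/assets/javascript/",
            "META-INF/assets/javascript",
        };
        for (String s : samples) {
            System.out.println((looksLikeDirectory(s) ? "block " : "allow ") + s);
        }
    }
}
```

Any asset the application intentionally serves without a file extension will also be blocked by this rule.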