diff --git a/src/main/java/de/igslandstuhl/database/server/Server.java b/src/main/java/de/igslandstuhl/database/server/Server.java index 0a08e8e..a4b2f98 100644 --- a/src/main/java/de/igslandstuhl/database/server/Server.java +++ b/src/main/java/de/igslandstuhl/database/server/Server.java @@ -19,6 +19,7 @@ import de.igslandstuhl.database.api.Subject; import de.igslandstuhl.database.api.Teacher; import de.igslandstuhl.database.api.User; +import de.igslandstuhl.database.server.resources.ResourceManager; import de.igslandstuhl.database.server.sql.SQLHelper; import de.igslandstuhl.database.server.sql.SQLiteConnection; @@ -72,6 +73,17 @@ public SQLiteConnection getConnection() { public WebServer getWebServer() { return webServer; } + /** + * The resource manager for this server + */ + private final ResourceManager resourceManager = new ResourceManager(); + /** + * Returns the resource manager used by this server + * @return the resource manager + */ + public ResourceManager getResourceManager() { + return resourceManager; + } /** * Private constructor to initialize the server instance. diff --git a/src/main/java/de/igslandstuhl/database/server/resources/ResourceLocation.java b/src/main/java/de/igslandstuhl/database/server/resources/ResourceLocation.java index 657a0f7..6c93f1b 100644 --- a/src/main/java/de/igslandstuhl/database/server/resources/ResourceLocation.java +++ b/src/main/java/de/igslandstuhl/database/server/resources/ResourceLocation.java @@ -1,5 +1,9 @@ package de.igslandstuhl.database.server.resources; +import java.io.File; +import java.nio.file.Path; +import java.util.regex.Matcher; + /** * Represents a resource location with context, namespace, and resource name. * This class is used to identify resources in the application. 
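Review bot: The new `resourceManager` field is declared between `getWebServer()` and the constructor's Javadoc instead of with the class's other fields (presumably next to `webServer`, which is outside this hunk), so a reader scanning the field list will not find it. Keep only `getResourceManager()` at this position and move the field and its Javadoc up with the existing fields. The field initializer runs before the private constructor body, so the manager exists for the whole of the server's construction; worth a sentence in its Javadoc, e.g. `Created eagerly, before the constructor body runs.`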
@@ -30,4 +34,27 @@ public static ResourceLocation get(String context, String resourceID) { public boolean isVirtual() { return context.equals("virtual"); } + public static ResourceLocation fromPath(Path path) { + Path relativePath; + try { + relativePath = Path.of(".").relativize(path); + } catch (IllegalArgumentException e) { + relativePath = path; + } + String rel = relativePath.toString(); + while (rel.startsWith(".") || rel.startsWith(File.separator)) { + rel = rel.substring(1); + } + return fromRelativePath(rel); + } + public static ResourceLocation fromPath(String path) { + return fromPath(Path.of(path)); + } + public static ResourceLocation fromRelativePath(String relativePath) { + String[] parts = relativePath.split(Matcher.quoteReplacement(File.separator)); + if (parts.length != 3) { + return null; + } + return new ResourceLocation(parts[0], parts[1], parts[2]); + } } diff --git a/src/main/java/de/igslandstuhl/database/server/resources/ResourceHelper.java b/src/main/java/de/igslandstuhl/database/server/resources/ResourceManager.java similarity index 67% rename from src/main/java/de/igslandstuhl/database/server/resources/ResourceHelper.java rename to src/main/java/de/igslandstuhl/database/server/resources/ResourceManager.java index bfaf82e..7b2501e 100644 --- a/src/main/java/de/igslandstuhl/database/server/resources/ResourceHelper.java +++ b/src/main/java/de/igslandstuhl/database/server/resources/ResourceManager.java @@ -1,13 +1,12 @@ package de.igslandstuhl.database.server.resources; import java.io.BufferedReader; -import java.io.File; -import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.nio.charset.StandardCharsets; +import java.nio.file.Files; import java.nio.file.NoSuchFileException; import java.nio.file.Path; import java.nio.file.Paths; 
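Review bot: `fromRelativePath` splits with `Matcher.quoteReplacement(File.separator)`, which quotes a *replacement* string, not a regex; it only works here because `"\\\\"` happens to be a valid regex for a backslash. The correct call is `String[] parts = relativePath.split(Pattern.quote(File.separator));` (import `java.util.regex.Pattern` instead of `Matcher`). In `fromPath(Path)`, the `while (rel.startsWith(".") || ...)` loop also strips leading dots from a legitimately dot-prefixed first segment, so a location such as `.config/ns/res` is silently renamed to `config/ns/res`; relativizing against `Path.of(".").toAbsolutePath().normalize()` and `path.toAbsolutePath().normalize()` would avoid the `../` prefix that the loop is compensating for. The `null` return for anything other than exactly three segments should be documented with `@return the location, or {@code null} if the path does not have exactly three segments`, since `getResourcesFromJarFile` and `getResourcesFromDirectory` rely on it to drop entries.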
@@ -30,30 +29,18 @@ import de.igslandstuhl.database.server.Server; /** - * Helper class for managing resources in the application. + * Manages Resources in the application */ -public class ResourceHelper { - +public class ResourceManager { /** - * Checks if a zip entry name is safe (no path traversal, not absolute). + * Checks if a zip entry name is safe (to prevent zip slipping). */ - private static boolean isSafeZipEntryName(String entryName) { - // Reject absolute paths - Path path = Paths.get(entryName).normalize(); - if (path.isAbsolute()) { - return false; - } - // Reject entries containing ".." as a path segment - for (Path part : path) { - if (part.toString().equals("..")) { - return false; - } - } - // Reject entries starting with "/" or "\" - if (entryName.startsWith("/") || entryName.startsWith("\\")) { - return false; - } - return true; + private boolean isSafeZipEntryName(String entryName, Path rootDir) { + // Resolve entry against a fixed root and normalize + Path resolvedPath = rootDir.resolve(entryName).normalize(); + + // Entry is safe if it stays within the root directory + return resolvedPath.startsWith(rootDir); } /** @@ -63,8 +50,8 @@ private static boolean isSafeZipEntryName(String entryName) { * @param pattern the pattern to match * @return the resources in the order they are found */ - public static Collection getResources(final Pattern pattern) { - final ArrayList retval = new ArrayList<>(); + public Collection getResources(final Pattern pattern) { + final ArrayList retval = new ArrayList<>(); final String classPath = System.getProperty("java.class.path", "."); final String[] classPathElements = classPath.split(System.getProperty("path.separator")); for (final String element : classPathElements) { 
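Review bot: `rootDir.resolve(entryName)` throws `InvalidPathException` (unchecked) for zip entry names that are not valid paths on the host platform, for example names containing characters the filesystem rejects; because `isSafeZipEntryName` is called from the entry loop in `getResourcesFromJarFile`, one such entry aborts the entire classpath scan instead of being skipped. Catch it and treat the entry as unsafe. The method also only works when `rootDir` is absolute and normalized, which the caller currently guarantees; document that with `@param rootDir an absolute, normalized directory the entry must resolve inside` and `@return true if the normalized entry path stays within rootDir`. `InvalidPathException` lives in `java.nio.file` and needs an import.
```java
private boolean isSafeZipEntryName(String entryName, Path rootDir) {
    try {
        // Resolve entry against a fixed root and normalize
        Path resolvedPath = rootDir.resolve(entryName).normalize();
        // Entry is safe if it stays within the root directory
        return resolvedPath.startsWith(rootDir);
    } catch (InvalidPathException e) {
        // not a valid path on this platform: never accept it
        return false;
    }
}
```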
@@ -81,13 +68,13 @@ public static Collection getResources(final Pattern pattern) { * @param pattern the pattern to match * @return the resources in the order they are found */ - private static Collection getResources(final String element, final Pattern pattern) { - final ArrayList retval = new ArrayList<>(); - final File file = new File(element); - if (file.isDirectory()) { - retval.addAll(getResourcesFromDirectory(file, pattern)); + private Collection getResources(final String element, final Pattern pattern) { + final ArrayList retval = new ArrayList<>(); + final Path path = Path.of(element); + if (Files.isDirectory(path)) { + retval.addAll(getResourcesFromDirectory(path, pattern, path)); } else { - retval.addAll(getResourcesFromJarFile(file, pattern)); + retval.addAll(getResourcesFromJarFile(path, pattern)); } return retval; } @@ -95,15 +82,17 @@ private static Collection getResources(final String element, final Patte /** * Get all resources from a jar file or a directory that match the given pattern. * - * @param file the jar file or directory to search in + * @param jarFilePath the jar file or directory to search in * @param pattern the pattern to match * @return the resources in the order they are found */ - private static Collection getResourcesFromJarFile(final File file, final Pattern pattern) { - final ArrayList retval = new ArrayList<>(); + private Collection getResourcesFromJarFile(final Path jarFilePath, final Pattern pattern) { + final ArrayList retval = new ArrayList<>(); + // Virtual root – no real filesystem access needed + final Path virtualRoot = Paths.get("").toAbsolutePath().normalize(); ZipFile zf; try { - zf = new ZipFile(file); + zf = new ZipFile(jarFilePath.toFile()); } catch (final ZipException e) { throw new Error(e); } catch (final NoSuchFileException e) { 
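Review bot: The Javadoc of `getResourcesFromJarFile` still reads `@param jarFilePath the jar file or directory to search in`, but after this change directories are routed to `getResourcesFromDirectory` by `getResources(String, Pattern)` and this method only ever receives a jar path; change it to `@param jarFilePath the jar file to search in`. The comment `// Virtual root – no real filesystem access needed` is also slightly misleading, since `Paths.get("").toAbsolutePath()` resolves against the process working directory; `// Absolute, normalized working directory used only as a reference root for the zip-slip check` says what it is for. `getResourcesFromJarFile` continues past the end of the hunk.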
@@ -115,13 +104,14 @@ private static Collection getResourcesFromJarFile(final File file, final while (e.hasMoreElements()) { final ZipEntry ze = e.nextElement(); final String fileName = ze.getName(); - if (!isSafeZipEntryName(fileName)) { + if (!isSafeZipEntryName(fileName, virtualRoot)) { // Optionally log or throw, here we skip unsafe entries continue; } final boolean accept = pattern.matcher(fileName).matches(); if (accept) { - retval.add(fileName); + ResourceLocation location = ResourceLocation.fromPath(fileName); + if (location != null) retval.add(location); } } try { 
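Review bot: Directory entries of the jar (names ending in `/`) are not filtered out before `ResourceLocation.fromPath(fileName)`; `split` drops the trailing empty segment, so an entry like `ctx/ns/sub/` becomes a `ResourceLocation` for `sub` that `openResourceAsStream` cannot open. Add `if (ze.isDirectory()) continue;` next to the safety check. Note also that the pattern is matched against the raw entry name while the location is built from a dot- and separator-stripped form, and that any matching entry whose name is not exactly three segments is now silently dropped by the `location != null` guard, whereas the old code returned every matching name; a debug log line for the dropped entries would make missing resources diagnosable. The enclosing loop and the `zf` handling continue outside the hunk.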
@@ -139,26 +129,24 @@ private static Collection getResourcesFromJarFile(final File file, final * @param pattern the pattern to match * @return the resources in the order they are found */ - private static Collection getResourcesFromDirectory(final File directory, final Pattern pattern) { - final ArrayList retval = new ArrayList<>(); - final File[] fileList = directory.listFiles(); - if (fileList == null) { - return retval; - } - for (final File file : fileList) { - if (file.isDirectory()) { - retval.addAll(getResourcesFromDirectory(file, pattern)); - } else { - try { - final String fileName = file.getCanonicalPath(); - final boolean accept = pattern.matcher(fileName).matches(); + private Collection getResourcesFromDirectory(final Path directory, final Pattern pattern, final Path toplevelPath) { + final ArrayList retval = new ArrayList<>(); + try { + Files.list(directory).forEach((path) -> { + if (Files.isDirectory(path)) { + retval.addAll(getResourcesFromDirectory(path, pattern, toplevelPath)); + } else { + final Path relativePath = toplevelPath.relativize(path); + final boolean accept = pattern.matcher(relativePath.toString()).matches(); if (accept) { - retval.add(fileName); + ResourceLocation location = ResourceLocation.fromPath(relativePath); + if (location != null) retval.add(location); } - } catch (final IOException e) { - throw new Error(e); } - } + }); + } catch (IOException e) { + e.printStackTrace(); + return retval; } return retval; } 
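Review bot: `Files.list(directory)` returns a `Stream` that holds an open directory handle and must be closed, but the new `getResourcesFromDirectory` never closes it; on a deep resource tree this leaks one handle per directory. Wrap it in try-with-resources: `try (Stream<Path> children = Files.list(directory)) {` followed by `children.forEach((path) -> {`, closing with `});` inside the try (`Stream` appears to be imported already, given `Stream lines = in.lines()` later in this file). The `catch (IOException e) { e.printStackTrace(); return retval; }` also turns what the old code treated as a hard failure (`throw new Error(e)`) into a partial result written to stderr, so a missing or unreadable resource directory would now surface later as an unexplained "not found"; either rethrow as `UncheckedIOException` or log through the project's logger and document the best-effort behaviour with `@return the matching resources; directories that cannot be listed are skipped`.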
@@ -170,21 +158,11 @@ private static Collection getResourcesFromDirectory(final File directory * @param pattern the pattern to match * @return an array of BufferedReaders for the matching resources */ - public static BufferedReader[] openResourcesAsReader(Pattern pattern) { + public BufferedReader[] openResourcesAsReader(Pattern pattern) { List readers = new ArrayList<>(); - for (String resource : getResources(pattern)) { + for (ResourceLocation resource : getResources(pattern)) { try { - File file = new File(resource); - InputStream is; - if (file.exists() && file.isFile()) { - is = new FileInputStream(file); - } else { - is = ResourceHelper.class.getResourceAsStream("/" + resource); - if (is == null) { - throw new FileNotFoundException("Resource " + resource + " not found in classpath or filesystem."); - } - } - readers.add(new BufferedReader(new InputStreamReader(is, StandardCharsets.UTF_8))); + readers.add(new BufferedReader(new InputStreamReader(openResourceAsStream(resource)))); } catch (IOException e) { throw new IllegalStateException(e); } @@ -200,9 +178,9 @@ public static BufferedReader[] openResourcesAsReader(Pattern pattern) { * @return an InputStream for the resource * @throws FileNotFoundException if the resource is not found */ - public static InputStream openResourceAsStream(ResourceLocation location) throws FileNotFoundException { + public InputStream openResourceAsStream(ResourceLocation location) throws FileNotFoundException { String url = "/" + location.context() + "/" + location.namespace() + "/" + location.resource(); - InputStream stream = ResourceHelper.class.getResourceAsStream(url); + InputStream stream = ResourceManager.class.getResourceAsStream(url); if (stream == null) { throw new FileNotFoundException(url + " not found in classpath or resources."); } 
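Review bot: `openResourcesAsReader` lost the explicit charset: the old code built `new InputStreamReader(is, StandardCharsets.UTF_8)`, the new line is `new InputStreamReader(openResourceAsStream(resource))`, which uses the platform default encoding on Java versions before 18 and is inconsistent with `readResourceCompletely(ResourceLocation)` in this same file. Restore it as `readers.add(new BufferedReader(new InputStreamReader(openResourceAsStream(resource), StandardCharsets.UTF_8)));`. The change also removes the filesystem fallback (`new FileInputStream(file)`) so resources are now only loaded from the classpath; that is a behaviour change worth a sentence in the method Javadoc, e.g. `Resources are resolved through the classpath only.` `openResourcesAsReader` continues beyond the hunk.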
@@ -217,7 +195,7 @@ public static InputStream openResourceAsStream(ResourceLocation location) throws * @return the content of the resource as a String * @throws FileNotFoundException if the resource is not found */ - public static String readResourceCompletely(ResourceLocation location) throws FileNotFoundException { + public String readResourceCompletely(ResourceLocation location) throws FileNotFoundException { return readResourceCompletely(new BufferedReader(new InputStreamReader(openResourceAsStream(location), StandardCharsets.UTF_8))); } @@ -228,7 +206,7 @@ public static String readResourceCompletely(ResourceLocation location) throws Fi * @param in the BufferedReader to read from * @return the content of the BufferedReader as a String */ - public static String readResourceCompletely(BufferedReader in) { + public String readResourceCompletely(BufferedReader in) { StringBuilder builder = new StringBuilder(); in.lines().forEach((s) -> { builder.append(s); @@ -246,7 +224,7 @@ public static String readResourceCompletely(BufferedReader in) { * @return the content read until an empty line is encountered * @throws IOException if an I/O error occurs */ - public static String readResourceTillEmptyLine(BufferedReader in) throws IOException { + public String readResourceTillEmptyLine(BufferedReader in) throws IOException { StringBuilder builder = new StringBuilder(); Stream lines = in.lines(); for (String line : new Iterable() { @@ -271,7 +249,7 @@ public Iterator iterator() { * @param location the ResourceLocation object representing the virtual resource * @return the content of the virtual resource as a String, or null if not applicable */ - public static String readVirtualResource(String user, ResourceLocation location) { + public String readVirtualResource(String user, ResourceLocation location) { if (!location.isVirtual()) { return null; } else if (location.namespace().equals("sql")) { 
@@ -281,7 +259,7 @@ public static String readVirtualResource(String user, ResourceLocation location) } } - public static Map readJsonResourceAsMap(ResourceLocation location) throws IOException { + public Map readJsonResourceAsMap(ResourceLocation location) throws IOException { try (BufferedReader in = new BufferedReader(new InputStreamReader(openResourceAsStream(location), StandardCharsets.UTF_8))) { Gson gson = new Gson(); java.lang.reflect.Type mapType = new TypeToken>(){}.getType(); diff --git a/src/main/java/de/igslandstuhl/database/server/sql/SQLHelper.java b/src/main/java/de/igslandstuhl/database/server/sql/SQLHelper.java index 4be82d9..a547b33 100644 --- a/src/main/java/de/igslandstuhl/database/server/sql/SQLHelper.java +++ b/src/main/java/de/igslandstuhl/database/server/sql/SQLHelper.java @@ -5,7 +5,6 @@ import java.sql.SQLException; import de.igslandstuhl.database.server.Server; -import de.igslandstuhl.database.server.resources.ResourceHelper; import de.igslandstuhl.database.server.resources.ResourceLocation; /** @@ -49,7 +48,7 @@ public static String getSQLQuery(String queryName) { ResourceLocation location = new ResourceLocation(CONTEXT, QUERIES, queryName + ".sql"); String query; try { - query = ResourceHelper.readResourceCompletely(location); + query = Server.getInstance().getResourceManager().readResourceCompletely(location); } catch (FileNotFoundException e) { throw new SQLCommandNotFoundException(queryName, e); } @@ -90,7 +89,7 @@ private static String getSQLStatement(String type, String object) { ResourceLocation location = new ResourceLocation(CONTEXT, PUSHES, type + "_" + object + ".sql"); String statement; try { - statement = ResourceHelper.readResourceCompletely(location); + statement = Server.getInstance().getResourceManager().readResourceCompletely(location); } catch (FileNotFoundException e) { throw new SQLCommandNotFoundException(type + "_" + object, e); } 
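Review bot: Every call site in this commit — `getSQLQuery` and `getSQLStatement` here, plus the hunks in SQLiteConnection, AccessManager, WebPath, GetResponse, HttpResponse and TemplatingPreprocessor — now reaches the resource manager through `Server.getInstance().getResourceManager()`, so code that was previously usable from static helpers depends on the server singleton being fully published. If `Server`'s private constructor, or anything it triggers such as `SQLiteConnection.createTables`, runs before the instance reference is set, `getInstance()` would return null or re-enter construction; whether that happens cannot be confirmed from these hunks, and the SQL layer is the most likely place for it. Consider passing the `ResourceManager` into `SQLHelper`/`SQLiteConnection` explicitly, or document on `getResourceManager()` that it must not be called during server construction.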
diff --git a/src/main/java/de/igslandstuhl/database/server/sql/SQLiteConnection.java b/src/main/java/de/igslandstuhl/database/server/sql/SQLiteConnection.java index 3d94222..a39a389 100644 --- a/src/main/java/de/igslandstuhl/database/server/sql/SQLiteConnection.java +++ b/src/main/java/de/igslandstuhl/database/server/sql/SQLiteConnection.java @@ -10,7 +10,7 @@ import java.sql.Statement; import java.util.regex.Pattern; -import de.igslandstuhl.database.server.resources.ResourceHelper; +import de.igslandstuhl.database.server.Server; import de.igslandstuhl.database.utils.TrackingReadWriteLock; /** @@ -47,9 +47,9 @@ public Connection getSQLConnection() { private void createTables(PreparedStatementSupplier supplier) throws SQLException { lock.writeLock().lock(); try { - for (BufferedReader in : ResourceHelper.openResourcesAsReader(Pattern.compile(".*tables.+\\.sql"))) { + for (BufferedReader in : Server.getInstance().getResourceManager().openResourcesAsReader(Pattern.compile(".*tables.+\\.sql"))) { try (in) { - String request = ResourceHelper.readResourceCompletely(in); + String request = Server.getInstance().getResourceManager().readResourceCompletely(in); supplier.executeUpdate(request); } catch (IOException e) { throw new IllegalStateException(e); diff --git a/src/main/java/de/igslandstuhl/database/server/webserver/AccessManager.java b/src/main/java/de/igslandstuhl/database/server/webserver/AccessManager.java index 02c0b33..cd92e5a 100644 --- a/src/main/java/de/igslandstuhl/database/server/webserver/AccessManager.java +++ b/src/main/java/de/igslandstuhl/database/server/webserver/AccessManager.java @@ -6,7 +6,7 @@ import java.util.Map; import de.igslandstuhl.database.api.User; -import de.igslandstuhl.database.server.resources.ResourceHelper; +import de.igslandstuhl.database.server.Server; import de.igslandstuhl.database.server.resources.ResourceLocation; /** 
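Review bot: In `createTables` the lookup `Server.getInstance().getResourceManager()` is evaluated once in the `for` header and again for every iteration inside the write lock; hoist it once before the loop as `var resources = Server.getInstance().getResourceManager();` and use `resources.openResourcesAsReader(...)` and `resources.readResourceCompletely(in)`. `var` is available given the file already uses `try (in)`, which requires Java 9+. `createTables` starts and ends outside the hunk.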
@@ -70,7 +70,7 @@ private AccessManager() { String[] teacherLocations = {}; String[] adminLocations = {"students", "teachers", "classes"}; try { - Map pathData = ResourceHelper.readJsonResourceAsMap(metaLocation); + Map pathData = Server.getInstance().getResourceManager().readJsonResourceAsMap(metaLocation); List publicSpacesList = (List) pathData.get("public_spaces"); List publicLocationsList = (List) pathData.get("public_locations"); List userLocationsList = (List) pathData.get("user_locations"); diff --git a/src/main/java/de/igslandstuhl/database/server/webserver/WebPath.java b/src/main/java/de/igslandstuhl/database/server/webserver/WebPath.java index 24bd102..7e13e61 100644 --- a/src/main/java/de/igslandstuhl/database/server/webserver/WebPath.java +++ b/src/main/java/de/igslandstuhl/database/server/webserver/WebPath.java @@ -5,7 +5,7 @@ import java.util.Map; import de.igslandstuhl.database.Registry; -import de.igslandstuhl.database.server.resources.ResourceHelper; +import de.igslandstuhl.database.server.Server; import de.igslandstuhl.database.server.resources.ResourceLocation; import de.igslandstuhl.database.server.webserver.requests.RequestType; @@ -16,7 +16,7 @@ public static void registerPath(String path, RequestType type, String handlerTyp public static void registerPaths() throws IOException { if (Registry.webPathRegistry().stream().count() > 0) return; // already registered ResourceLocation metaLocation = new ResourceLocation("meta", "paths", "get_paths.json"); - Map pathData = ResourceHelper.readJsonResourceAsMap(metaLocation); + Map pathData = Server.getInstance().getResourceManager().readJsonResourceAsMap(metaLocation); pathData.keySet().forEach((path) -> { @SuppressWarnings("unchecked") Map pathInfo = (Map) pathData.get(path); diff --git a/src/main/java/de/igslandstuhl/database/server/webserver/responses/GetResponse.java b/src/main/java/de/igslandstuhl/database/server/webserver/responses/GetResponse.java index 9658a11..1262092 100644 
--- a/src/main/java/de/igslandstuhl/database/server/webserver/responses/GetResponse.java +++ b/src/main/java/de/igslandstuhl/database/server/webserver/responses/GetResponse.java @@ -5,7 +5,6 @@ import java.io.PrintStream; import de.igslandstuhl.database.server.Server; -import de.igslandstuhl.database.server.resources.ResourceHelper; import de.igslandstuhl.database.server.resources.ResourceLocation; import de.igslandstuhl.database.server.webserver.AccessManager; import de.igslandstuhl.database.server.webserver.ContentType; @@ -171,9 +170,9 @@ public void respond(PrintStream out) { String resource = ""; if (resourceLocation != null) { if (!resourceLocation.isVirtual()) { - resource = ResourceHelper.readResourceCompletely(resourceLocation); + resource = Server.getInstance().getResourceManager().readResourceCompletely(resourceLocation); } else { - resource = ResourceHelper.readVirtualResource(user, resourceLocation); + resource = Server.getInstance().getResourceManager().readVirtualResource(user, resourceLocation); if (resource == null) throw new NullPointerException(); } } @@ -182,7 +181,7 @@ public void respond(PrintStream out) { } out.println(resource); } else { - try (InputStream in = ResourceHelper.openResourceAsStream(resourceLocation)) { + try (InputStream in = Server.getInstance().getResourceManager().openResourceAsStream(resourceLocation)) { in.transferTo(out); // Streams bytes directly } } @@ -201,9 +200,9 @@ public void respond(PrintStream out) { public String getResponseBody() throws FileNotFoundException { if (resourceLocation != null) { if (!resourceLocation.isVirtual()) { - return ResourceHelper.readResourceCompletely(resourceLocation); + return Server.getInstance().getResourceManager().readResourceCompletely(resourceLocation); } else { - return ResourceHelper.readVirtualResource(user, resourceLocation); + return Server.getInstance().getResourceManager().readVirtualResource(user, resourceLocation); } } return ""; 
diff --git a/src/main/java/de/igslandstuhl/database/server/webserver/responses/HttpResponse.java b/src/main/java/de/igslandstuhl/database/server/webserver/responses/HttpResponse.java index 94612c7..b12013e 100644 --- a/src/main/java/de/igslandstuhl/database/server/webserver/responses/HttpResponse.java +++ b/src/main/java/de/igslandstuhl/database/server/webserver/responses/HttpResponse.java @@ -3,7 +3,6 @@ import java.io.PrintStream; import de.igslandstuhl.database.server.Server; -import de.igslandstuhl.database.server.resources.ResourceHelper; import de.igslandstuhl.database.server.resources.ResourceLocation; import de.igslandstuhl.database.server.webserver.ContentType; import de.igslandstuhl.database.server.webserver.Status; @@ -36,13 +35,13 @@ public void respond(PrintStream out) { ResourceLocation resourceLocation = new ResourceLocation("html", "errors", errorStatus.getCode() + ".html"); String resource; try { - resource = ResourceHelper.readResourceCompletely(resourceLocation); + resource = Server.getInstance().getResourceManager().readResourceCompletely(resourceLocation); out.println(resource); } catch (Exception e) { if (errorStatus != Status.INTERNAL_SERVER_ERROR) { resourceLocation = new ResourceLocation("html", "errors", errorStatus.getCode() + ".html"); try { - resource = ResourceHelper.readResourceCompletely(resourceLocation); + resource = Server.getInstance().getResourceManager().readResourceCompletely(resourceLocation); out.println(resource); } catch (Exception e2) { throw new IllegalStateException(e); @@ -81,7 +80,7 @@ public void respond(PrintStream out) { ResourceLocation resourceLocation = new ResourceLocation("html", "errors", errorStatus.getCode() + ".html"); String resource; try { - resource = ResourceHelper.readResourceCompletely(resourceLocation); + resource = Server.getInstance().getResourceManager().readResourceCompletely(resourceLocation); out.println(resource); } catch (Exception e) { throw new IllegalStateException(e); 
diff --git a/src/main/java/de/igslandstuhl/database/server/webserver/responses/TemplatingPreprocessor.java b/src/main/java/de/igslandstuhl/database/server/webserver/responses/TemplatingPreprocessor.java index 7f144cb..f8f4676 100644 --- a/src/main/java/de/igslandstuhl/database/server/webserver/responses/TemplatingPreprocessor.java +++ b/src/main/java/de/igslandstuhl/database/server/webserver/responses/TemplatingPreprocessor.java @@ -2,12 +2,14 @@ import java.io.FileNotFoundException; import java.io.IOException; +import java.nio.file.Path; +import java.nio.file.Paths; import java.util.HashMap; import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; -import de.igslandstuhl.database.server.resources.ResourceHelper; +import de.igslandstuhl.database.server.Server; import de.igslandstuhl.database.server.resources.ResourceLocation; public class TemplatingPreprocessor { @@ -18,9 +20,20 @@ public static TemplatingPreprocessor getInstance() { private TemplatingPreprocessor() {} + private static String sanitizeTemplateName(String name) { + Path base = Paths.get("templates/html"); + Path resolved = base.resolve(name + ".html").normalize(); + + if (!resolved.startsWith(base)) { + throw new IllegalArgumentException("Invalid template name"); + } + + return resolved.getFileName().toString(); + } + private String getTemplate(String name) throws FileNotFoundException { - ResourceLocation templateLocation = new ResourceLocation("templates", "html", name + ".html"); - return ResourceHelper.readResourceCompletely(templateLocation); + ResourceLocation templateLocation = new ResourceLocation("templates", "html", sanitizeTemplateName(name) + ".html"); + return Server.getInstance().getResourceManager().readResourceCompletely(templateLocation); } public String executeTemplating(String content) throws IOException {
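Review bot: `sanitizeTemplateName` already appends `.html` and returns `resolved.getFileName().toString()`, so the value handed to `getTemplate` is `name.html`; `getTemplate` then builds `sanitizeTemplateName(name) + ".html"`, producing `name.html.html` and a `FileNotFoundException` for every template. Drop the second suffix: `ResourceLocation templateLocation = new ResourceLocation("templates", "html", sanitizeTemplateName(name));`. Also, a rejected name throws `IllegalArgumentException` while `getTemplate` only declares `FileNotFoundException`, so callers handling the declared exception will not catch it; either map it (`throw new FileNotFoundException("Invalid template name")`) or add `@throws IllegalArgumentException if the name escapes the template directory` to the Javadoc. Returning only the file name additionally flattens any subdirectory in `name`, which is worth stating in a comment such as `// Only the final path segment is kept; templates are looked up flat under templates/html`.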