update HttpRequestHandler#handlerResources
flzj-kl committed Oct 16, 2024
1 parent 93030de commit 7d8cad9
Showing 2 changed files with 70 additions and 49 deletions.
@@ -1,9 +1,6 @@
package com.alibaba.arthas.nat.agent.server.server;

import com.alibaba.arthas.nat.agent.common.utils.WelcomeUtil;
import com.alibaba.arthas.nat.agent.server.cluster.NativeAgentDiscovery;
import com.alibaba.arthas.nat.agent.server.cluster.NativeAgentDiscoveryFactory;
import com.alibaba.arthas.nat.agent.server.cluster.ZookeeperNativeAgentDiscovery;
import com.alibaba.arthas.nat.agent.server.server.http.HttpRequestHandler;
import com.taobao.arthas.common.ArthasConstants;
import com.taobao.middleware.cli.CLI;
@@ -8,6 +8,9 @@

import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
* @description: HttpResourcesHandler
@@ -17,61 +20,82 @@
public class HttpResourcesHandler {

private static final Logger logger = LoggerFactory.getLogger(HttpResourcesHandler.class);
private static final String RESOURCES_BASE_PATH = "native-agent/";
private static final Set<String> ALLOWED_EXTENSIONS;

private static final String RESOURCES_PATH = "native-agent";
public FullHttpResponse handlerResources (FullHttpRequest request, String path) {
FullHttpResponse resp = null;
if (path.contains(".html") || path.contains(".css") || path.contains(".js") || path.contains(".ico") || path.contains(".png")) {
if (path.contains("?")) {
path = path.split("\\?")[0];
static {
Set<String> tempSet = new HashSet<>();
tempSet.add(".html");
tempSet.add(".css");
tempSet.add(".js");
tempSet.add(".ico");
tempSet.add(".png");
ALLOWED_EXTENSIONS = Collections.unmodifiableSet(tempSet);
}

public FullHttpResponse handlerResources(FullHttpRequest request, String path) {
try {
if (request == null || path == null) {
return null;
}
String normalizedPath = normalizePath(path);
if (normalizedPath == null) {
return null;
}
InputStream is = getClass().getClassLoader().getResourceAsStream(RESOURCES_PATH + path);
if (is != null) {
try {
ByteBuf content = readInputStream(is);
FullHttpResponse response = new DefaultFullHttpResponse(request.getProtocolVersion(), HttpResponseStatus.OK, content);
HttpHeaders headers = response.headers();
headers.set(HttpHeaderNames.CONTENT_TYPE, getContentType(path));
headers.set(HttpHeaderNames.CONTENT_LENGTH, content.readableBytes());
headers.set(HttpHeaderNames.CONNECTION, HttpHeaderValues.KEEP_ALIVE);
resp = response;
} catch (IOException e) {
logger.error("find resources error:" + e.getMessage());
resp = new DefaultFullHttpResponse(request.getProtocolVersion(), HttpResponseStatus.NOT_FOUND);
resp.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/html; charset=utf-8");
} finally {
if (is != null) {
try {
is.close();
} catch (IOException e) {
throw new RuntimeException(e);
}
}
try (InputStream is = getClass().getClassLoader().getResourceAsStream(normalizedPath)) {

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a user-provided value.
if (is == null) {
return null;
}

ByteBuf content = readInputStream(is);
FullHttpResponse response = new DefaultFullHttpResponse(
request.protocolVersion(), HttpResponseStatus.OK, content);

HttpHeaders headers = response.headers();
headers.set(HttpHeaderNames.CONTENT_TYPE, getContentType(normalizedPath));
headers.setInt(HttpHeaderNames.CONTENT_LENGTH, content.readableBytes());
headers.set(HttpHeaderNames.CONNECTION, HttpHeaderValues.KEEP_ALIVE);

return response;
}
} catch (Exception e) {
logger.error("");
return null;
}
return resp;
}

private String normalizePath(String path) {
if (path == null) {
return null;
}

path = path.replaceAll("\\.\\./", "").replaceAll("\\./", "");


private String getContentType(String fileName) {
if (fileName.endsWith(".htm") || fileName.endsWith(".html")) {
return "text/html";
} else if (fileName.endsWith(".css")) {
return "text/css";
} else if (fileName.endsWith(".js")) {
return "application/javascript";
} else if (fileName.endsWith(".jpg") || fileName.endsWith(".jpeg")) {
return "image/jpeg";
} else if (fileName.endsWith(".png")) {
return "image/png";
} else if (fileName.endsWith(".gif")) {
return "image/gif";
} else if (fileName.endsWith(".json")) {
return "application/json";
} else {
return "application/octet-stream";
path = path.startsWith("/") ? path : "/" + path;


path = path.endsWith("/") ? path.substring(0, path.length() - 1) : path;


String finalPath = path;
boolean hasAllowedExtension = ALLOWED_EXTENSIONS.stream()
.anyMatch(finalPath::endsWith);

if (!hasAllowedExtension) {
return null;
}

return RESOURCES_BASE_PATH + path;
}

private String getContentType(String path) {
if (path.endsWith(".html")) return "text/html";
if (path.endsWith(".css")) return "text/css";
if (path.endsWith(".js")) return "application/javascript";
if (path.endsWith(".ico")) return "image/x-icon";
if (path.endsWith(".png")) return "image/png";
return "application/octet-stream";
}

private ByteBuf readInputStream(InputStream is) throws IOException {
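Review bot: The leading slash that normalizePath forces with `path = path.startsWith("/") ? path : "/" + path;` is then appended to `RESOURCES_BASE_PATH = "native-agent/"`, so the name handed to getResourceAsStream becomes `native-agent//index.html`, which a JAR entry lookup will most likely not match (the old code used `"native-agent" + path`); `return RESOURCES_BASE_PATH + path.substring(1);` or dropping the leading-slash step fixes it. The `replaceAll("\\.\\./", "").replaceAll("\\./", "")` line is a single-pass blacklist substitution rather than a normalization, so it does not address the CodeQL alert shown on the getResourceAsStream line; the usual fix is to reject instead of rewrite, e.g. `if (path.contains("..") || path.indexOf('\\') >= 0) { return null; }` before the extension whitelist, so ALLOWED_EXTENSIONS alone decides what is served. Because the old `path.split("\\?")[0]` step was removed, a request like `index.html?v=1` now fails the endsWith check and yields null unless the caller already strips the query string, which is not visible in this hunk. The `catch (Exception e)` block logs an empty message and drops the cause; `logger.error("load resource {} failed", path, e);` preserves the diagnostic. Note also that the removed IOException branch produced a 404 response whereas every failure now returns null, so the caller must be prepared for a null FullHttpResponse; readInputStream continues outside the hunk.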
