Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SymlinkAllowedResourceAliasChecker is initialized after checkAlias is called resulting that access to resource is denied #8296

Closed
jlindman opened this issue Jul 13, 2022 · 2 comments
Closed

SymlinkAllowedResourceAliasChecker is initialized after checkAlias is called resulting that access to resource is denied #8296

jlindman opened this issue Jul 13, 2022 · 2 comments
Assignees
@lachlan-roberts
Projects
Jetty 10.0.12 / 11.0.12

Comments

@jlindman
Copy link

Jetty version(s)

11.0.8-11.0.11

Java version/vendor (use: java -version)

openjdk version "17.0.3" 2022-04-19

OS type/version

Ubuntu 20.04.4 LTS

Description

I have a JAX-WS application that reads the configuration file /WEB-INF/sun-jaxws.xml.

When the WEB-INF directory is inside a directory that is a symlink the sun-jaxws.xml file cannot be retrieved since is not allowed because the WEB-INF directory is protected.

This results in the following error:

SEVERE: WSSERVLET11: failed to parse runtime descriptor: jakarta.xml.ws.WebServiceException: Runtime descriptor "/WEB-INF/sun-jaxws.xml" is missing

Adding below works with Jetty 11.0.7 (where webapp is a symlink):

ContextHandler linkHandler = new ContextHandler();
linkHandler.setResourceBase("webapp");
webapp.addAliasCheck(new SymlinkAllowedResourceAliasChecker(linkHandler));

However, with Jetty 11.0.8 this stopped working. It looks like the initialization of the AllowedResourceAliasChecker is now done too late(?). The resource base seems to be null when aliasCheck is made.

With 11.0.8 the resource base is null for the SymlinkAllowedResourceAliasChecker objects (which was not the case for 11.0.7).

In ContentHandler.checkAlias():1967

getAliasChecks() ->
 result = {Collections$UnmodifiableRandomAccessList@7090}  size = 2
  0 = {SymlinkAllowedResourceAliasChecker@3192} "SymlinkAllowedResourceAliasChecker@54f6b629{base=null,protected=[/META-INF, /WEB-INF]}"
  1 = {SymlinkAllowedResourceAliasChecker@3827} "SymlinkAllowedResourceAliasChecker@4bc9ca97{base=null,protected=[]}"

Stacktrace:

checkAlias:1967, ContextHandler (org.eclipse.jetty.server.handler)
getResource:1941, ContextHandler (org.eclipse.jetty.server.handler)
getResource:411, WebAppContext (org.eclipse.jetty.webapp)
getResource:1445, WebAppContext$Context (org.eclipse.jetty.webapp)
parseAdaptersAndCreateDelegate:93, WSServletContextListener (com.sun.xml.ws.transport.http.servlet)
contextInitialized:122, WSServletContextListener (com.sun.xml.ws.transport.http.servlet)
callContextInitialized:1040, ContextHandler (org.eclipse.jetty.server.handler)
callContextInitialized:624, ServletContextHandler (org.eclipse.jetty.servlet)
contextInitialized:977, ContextHandler (org.eclipse.jetty.server.handler)
initialize:705, ServletHandler (org.eclipse.jetty.servlet)
startContext:392, ServletContextHandler (org.eclipse.jetty.servlet)
startContext:1305, WebAppContext (org.eclipse.jetty.webapp)
doStart:896, ContextHandler (org.eclipse.jetty.server.handler)
doStart:306, ServletContextHandler (org.eclipse.jetty.servlet)
doStart:533, WebAppContext (org.eclipse.jetty.webapp)
start:93, AbstractLifeCycle (org.eclipse.jetty.util.component)
start:171, ContainerLifeCycle (org.eclipse.jetty.util.component)
start:469, Server (org.eclipse.jetty.server)
doStart:114, ContainerLifeCycle (org.eclipse.jetty.util.component)
doStart:89, AbstractHandler (org.eclipse.jetty.server.handler)
doStart:414, Server (org.eclipse.jetty.server)
start:93, AbstractLifeCycle (org.eclipse.jetty.util.component)
main:26, TestServer

This can possibly be related to #8259

Here is a sample maven application that reproduces the behavior: symlinktest.tar.gz
@lachlan-roberts
Copy link
Contributor

@jlindman thanks for the reproducer.

I think what you are doing by adding an alias checker for the link handler onto your webapp is wrong.
webapp.addAliasCheck(new SymlinkAllowedResourceAliasChecker(linkHandler));
Why are you creating the link handler?

This is related to the recent rework of the alias checkers into AllowedResourceAliasChecker. I can see two reasons in Jetty why this isn't currently working for this use case:

  1. The AllowedResourceAliasChecker now waits until lifeCycleStarted before it extracts the base resource, as the base resource can still change until ContextHandler is fully started. And this code is getting a resource before the ContextHandler is fully started.
  2. The resource it is trying to access is /WEB-INF/sun-jaxws.xml and SymlinkAllowedResourceAliasChecker would normally see this to be in a protected directory (if the protected target /WEB-INF is defined) and therefore does not allow the alias.

I would have expected the alias checkers would not be applied for explicit calls to the getResource api and only needed through default servlet and resource handler. So we will need to review this.

@lachlan-roberts lachlan-roberts added this to To do in Jetty 10.0.12 / 11.0.12 via automation Jul 18, 2022
@lachlan-roberts lachlan-roberts self-assigned this Jul 18, 2022
lachlan-roberts added a commit that referenced this issue Jul 18, 2022
@lachlan-roberts
Issue #8296 - add test for issue 8296
5f246ae 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Jul 18, 2022
@lachlan-roberts
Issue #8296 - let AllowedResourceAliasChecker work before fully started
23df34e 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts lachlan-roberts mentioned this issue Jul 18, 2022
Merged
lachlan-roberts added a commit that referenced this issue Jul 21, 2022
@lachlan-roberts
Issue #8296 - attempt to resolve symlinks for baseResource in Context…
cff4ff6 
…Handler.doStart()

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Aug 8, 2022
@lachlan-roberts
Merge pull request #8315 from eclipse/jetty-10.0.x-8296-AliasChecking
998bc8c 
Issue #8296 and #8259 -  AllowedResourceAliasChecker improvements
@lachlan-roberts
Copy link
Contributor

There are fixes for this merged with PR #8315, this will be available in a 10.0.12/11.0.12 release.

Jetty 10.0.12 / 11.0.12 automation moved this from To do to Done Aug 10, 2022
@sjorek sjorek mentioned this issue Jan 27, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lachlan-roberts lachlan-roberts

Labels
None yet
Projects
No open projects
Jetty 10.0.12 / 11.0.12
Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jlindman @lachlan-roberts