From e0202e205709f1b06b56f7f108b12476860412d4 Mon Sep 17 00:00:00 2001
From: Duarte Meneses
Date: Tue, 2 May 2023 13:44:15 -0500
Subject: [PATCH] SONAR-19014 Don't rely on plugin APIs list of static resources
---
 ...DefaultAdminCredentialsVerifierFilter.java | 4 +-
 .../authentication/ResetPasswordFilter.java | 4 +-
 .../UserSessionInitializer.java | 5 +--
 .../plugins/PluginsRiskConsentFilter.java | 4 +-
 .../server/platform/web/WebPagesFilter.java | 7 ++--
 .../sonar/api/impl/ws/StaticResources.java | 37 +++++++++++++++++++
 .../api/impl/ws/StaticResourcesTest.java | 31 ++++++++++++++++
 7 files changed, 79 insertions(+), 13 deletions(-)
 create mode 100644 sonar-plugin-api-impl/src/main/java/org/sonar/api/impl/ws/StaticResources.java
 create mode 100644 sonar-plugin-api-impl/src/test/java/org/sonar/api/impl/ws/StaticResourcesTest.java
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/DefaultAdminCredentialsVerifierFilter.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/DefaultAdminCredentialsVerifierFilter.java
index d551292c3b0..49d3906e2a5 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/DefaultAdminCredentialsVerifierFilter.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/DefaultAdminCredentialsVerifierFilter.java
@@ -22,6 +22,7 @@ package org.sonar.server.authentication;
 import java.io.IOException;
 import java.util.Set;
 import org.sonar.api.config.Configuration;
+import org.sonar.api.impl.ws.StaticResources;
 import org.sonar.api.server.http.HttpRequest;
 import org.sonar.api.server.http.HttpResponse;
 import org.sonar.api.web.FilterChain;
@@ -29,7 +30,6 @@ import org.sonar.api.web.HttpFilter; import org.sonar.api.web.UrlPattern; import org.sonar.server.user.ThreadLocalUserSession; -import static org.sonar.api.web.UrlPattern.Builder.staticResourcePatterns; import static org.sonar.server.authentication.AuthenticationRedirection.redirectTo; public class DefaultAdminCredentialsVerifierFilter extends HttpFilter { @@ -58,7 +58,7 @@ public class DefaultAdminCredentialsVerifierFilter extends HttpFilter { public UrlPattern doGetPattern() { return UrlPattern.builder() .includes("/*") - .excludes(staticResourcePatterns()) + .excludes(StaticResources.patterns()) .excludes(SKIPPED_URLS) .build(); } diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/ResetPasswordFilter.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/ResetPasswordFilter.java index 68f494d988d..0b254491779 100644 --- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/ResetPasswordFilter.java +++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/ResetPasswordFilter.java @@ -21,6 +21,7 @@ package org.sonar.server.authentication; import java.io.IOException; import java.util.Set; +import org.sonar.api.impl.ws.StaticResources; import org.sonar.api.server.http.HttpRequest; import org.sonar.api.server.http.HttpResponse; import org.sonar.api.web.FilterChain; @@ -28,7 +29,6 @@ import org.sonar.api.web.HttpFilter; import org.sonar.api.web.UrlPattern; import org.sonar.server.user.ThreadLocalUserSession; -import static org.sonar.api.web.UrlPattern.Builder.staticResourcePatterns; import static org.sonar.server.authentication.AuthenticationRedirection.redirectTo; public class ResetPasswordFilter extends HttpFilter { 
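Review bot: Nothing at the `.excludes(StaticResources.patterns())` call in `doGetPattern()` of DefaultAdminCredentialsVerifierFilter (hunk `@@ -58,7 +58,7 @@`) says that the exclusion list now lives in another module and that requests matching it are presumably never handed to this filter. A short comment above the builder would keep that visible to whoever edits either side, e.g. `// Requests matching StaticResources.patterns() or SKIPPED_URLS are not processed by this filter.` The same applies to the equivalent hunks in ResetPasswordFilter, UserSessionInitializer (`URL_PATTERN`) and PluginsRiskConsentFilter.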
@@ -48,7 +48,7 @@ public class ResetPasswordFilter extends HttpFilter { public UrlPattern doGetPattern() { return UrlPattern.builder() .includes("/*") - .excludes(staticResourcePatterns()) + .excludes(StaticResources.patterns()) .excludes(SKIPPED_URLS) .build(); } diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java index 8a809380a13..ab36616e010 100644 --- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java +++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java @@ -22,6 +22,7 @@ package org.sonar.server.authentication; import java.util.Optional; import java.util.Set; import org.sonar.api.config.Configuration; +import org.sonar.api.impl.ws.StaticResources; import org.sonar.api.server.ServerSide; import org.sonar.api.server.http.HttpRequest; import org.sonar.api.server.http.HttpResponse; @@ -39,7 +40,6 @@ import static org.apache.commons.lang.StringUtils.defaultString; import static org.sonar.api.CoreProperties.CORE_FORCE_AUTHENTICATION_DEFAULT_VALUE; import static org.sonar.api.CoreProperties.CORE_FORCE_AUTHENTICATION_PROPERTY; import static org.sonar.api.utils.DateUtils.formatDateTime; -import static org.sonar.api.web.UrlPattern.Builder.staticResourcePatterns; import static org.sonar.server.authentication.AuthenticationError.handleAuthenticationError; @ServerSide @@ -75,7 +75,7 @@ public class UserSessionInitializer { private static final UrlPattern URL_PATTERN = UrlPattern.builder() .includes("/*") - .excludes(staticResourcePatterns()) + .excludes(StaticResources.patterns()) .excludes(SKIPPED_URLS) .build(); 
@@ -83,7 +83,6 @@ public class UserSessionInitializer { .includes(URL_USING_PASSCODE) .build(); - private final Configuration config; private final ThreadLocalUserSession threadLocalSession; private final AuthenticationEvent authenticationEvent; diff --git a/server/sonar-webserver-core/src/main/java/org/sonar/server/plugins/PluginsRiskConsentFilter.java b/server/sonar-webserver-core/src/main/java/org/sonar/server/plugins/PluginsRiskConsentFilter.java index 8d7470f2a36..8b625204318 100644 --- a/server/sonar-webserver-core/src/main/java/org/sonar/server/plugins/PluginsRiskConsentFilter.java +++ b/server/sonar-webserver-core/src/main/java/org/sonar/server/plugins/PluginsRiskConsentFilter.java @@ -22,6 +22,7 @@ package org.sonar.server.plugins; import java.io.IOException; import java.util.Set; import org.sonar.api.config.Configuration; +import org.sonar.api.impl.ws.StaticResources; import org.sonar.api.server.http.HttpRequest; import org.sonar.api.server.http.HttpResponse; import org.sonar.api.web.FilterChain; @@ -30,7 +31,6 @@ import org.sonar.api.web.UrlPattern; import org.sonar.core.extension.PluginRiskConsent; import org.sonar.server.user.ThreadLocalUserSession; -import static org.sonar.api.web.UrlPattern.Builder.staticResourcePatterns; import static org.sonar.core.config.CorePropertyDefinitions.PLUGINS_RISK_CONSENT; import static org.sonar.core.extension.PluginRiskConsent.NOT_ACCEPTED; import static org.sonar.core.extension.PluginRiskConsent.REQUIRED; @@ -74,7 +74,7 @@ public class PluginsRiskConsentFilter extends HttpFilter { public UrlPattern doGetPattern() { return UrlPattern.builder() .includes("/*") - .excludes(staticResourcePatterns()) + .excludes(StaticResources.patterns()) .excludes(SKIPPED_URLS) .build(); } diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/WebPagesFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/WebPagesFilter.java index 5e32a354f14..39921faf724 100644 
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/WebPagesFilter.java +++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/WebPagesFilter.java @@ -36,7 +36,7 @@ import static java.nio.charset.StandardCharsets.UTF_8; import static java.util.Locale.ENGLISH; import static java.util.Objects.requireNonNull; import static org.apache.commons.io.IOUtils.write; -import static org.sonar.api.web.ServletFilter.UrlPattern.Builder.staticResourcePatterns; +import static org.sonar.api.impl.ws.StaticResources.patterns; import static org.sonarqube.ws.MediaTypes.HTML; /** @@ -50,7 +50,7 @@ public class WebPagesFilter implements Filter { private static final ServletFilter.UrlPattern URL_PATTERN = ServletFilter.UrlPattern .builder() - .excludes(staticResourcePatterns()) + .excludes(patterns()) .excludes("/api/v2/*") .build(); @@ -60,8 +60,7 @@ public class WebPagesFilter implements Filter { this(PlatformImpl.getInstance().getContainer().getComponentByType(WebPagesCache.class)); } - @VisibleForTesting - WebPagesFilter(WebPagesCache webPagesCache) { + @VisibleForTesting WebPagesFilter(WebPagesCache webPagesCache) { this.webPagesCache = webPagesCache; } diff --git a/sonar-plugin-api-impl/src/main/java/org/sonar/api/impl/ws/StaticResources.java b/sonar-plugin-api-impl/src/main/java/org/sonar/api/impl/ws/StaticResources.java new file mode 100644 index 00000000000..30c98254bb9 --- /dev/null +++ b/sonar-plugin-api-impl/src/main/java/org/sonar/api/impl/ws/StaticResources.java 
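Review bot: The static import `org.sonar.api.impl.ws.StaticResources.patterns` makes the call in `URL_PATTERN` read as `.excludes(patterns())`, which no longer says what kind of patterns are excluded; the other four files changed in this commit use the qualified `StaticResources.patterns()`. I would import the class and write `.excludes(StaticResources.patterns())` here as well. The last hunk of this file also joins `@VisibleForTesting` and the constructor signature onto one line, an unrelated formatting change that is better kept out of this commit.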
@@ -0,0 +1,37 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2023 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.api.impl.ws;
+
+import java.util.Collection;
+import java.util.List;
+
+public class StaticResources {
+ private static final Collection STATIC_RESOURCES = List.of("*.css", "*.css.map", "*.ico", "*.png",
+ "*.jpg", "*.jpeg", "*.gif", "*.svg", "*.js", "*.js.map", "*.pdf", "/json/*", "*.woff2", "/static/*",
+ "/robots.txt", "/favicon.ico", "/apple-touch-icon*", "/mstile*");
+
+ private StaticResources() {
+ // only static
+ }
+
+ public static Collection patterns() {
+ return STATIC_RESOURCES;
+ }
+}
diff --git a/sonar-plugin-api-impl/src/test/java/org/sonar/api/impl/ws/StaticResourcesTest.java b/sonar-plugin-api-impl/src/test/java/org/sonar/api/impl/ws/StaticResourcesTest.java
new file mode 100644
index 00000000000..5a9e483b5ca
--- /dev/null
+++ b/sonar-plugin-api-impl/src/test/java/org/sonar/api/impl/ws/StaticResourcesTest.java
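Review bot: `StaticResources` has no Javadoc stating that every entry in `STATIC_RESOURCES` is excluded from the authentication-related filters changed in this commit, so a later addition to the list can widen that exclusion without it being obvious in review. Several entries are suffix wildcards (`*.js`, `*.pdf`, `*.png`) rather than path prefixes, which, depending on how `UrlPattern` matches them, would cover any path with that ending and not only files served as static assets. I would add a class comment such as `/** URL patterns treated as static resources; filters that exclude them do not run for matching requests, so add entries with care. */` and declare the class `final`. As shown here the field and the return type are the raw `Collection`; if that is not a rendering artifact, both should be `Collection<String>`.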
@@ -0,0 +1,31 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2023 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.api.impl.ws;
+
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class StaticResourcesTest {
+ @Test
+ public void patterns_shouldNotBeEmpty() {
+ assertThat(StaticResources.patterns()).isNotEmpty();
+ }
+}
\ No newline at end of file
--
2.39.5
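Review bot: `patterns_shouldNotBeEmpty` only checks that the collection has at least one element, so it would still pass if a broad pattern were added to, or a needed one dropped from, the list that several filters use as their exclusion set. Pinning the contents makes any change to that list show up as a failing test, for example `assertThat(StaticResources.patterns()).containsExactlyInAnyOrder("*.css", "*.css.map", /* … remaining entries … */ "/mstile*");`. The file also ends without a trailing newline.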