
Commit ac525a0

Include /.well-known/security.txt (#7361)
1 parent a810fb8 commit ac525a0

4 files changed

Lines changed: 31 additions & 32 deletions


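--- a/api/src/org/labkey/api/query/QueryChangeListener.java
+++ b/api/src/org/labkey/api/query/QueryChangeListener.java
@@ -144,7 +144,7 @@ public static void handleQueryNameChange(@NotNull String oldValue, String newVal
 if (oldValue.equals(newValue))
 return;
 
-QueryChangeListener.QueryPropertyChange change = new QueryChangeListener.QueryPropertyChange<>(
+QueryChangeListener.QueryPropertyChange<?> change = new QueryChangeListener.QueryPropertyChange<>(
 QueryService.get().getUserSchema(user, container, schemaPath).getQueryDefForTable(newValue),
 QueryChangeListener.QueryProperty.Name,
 oldValue,
@@ -160,7 +160,7 @@ public static void handleSchemaNameChange(@NotNull String oldValue, String newVa
 if (oldValue.equals(newValue))
 return;
 
-QueryChangeListener.QueryPropertyChange change = new QueryChangeListener.QueryPropertyChange<>(
+QueryChangeListener.QueryPropertyChange<?> change = new QueryChangeListener.QueryPropertyChange<>(
 null,
 QueryChangeListener.QueryProperty.SchemaName,
 oldValue,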
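Review bot: `QueryChangeListener.QueryPropertyChange<?> change` on new line 147, and the same declaration at new line 163, still qualifies the nested type with its outer class even though this code lives in QueryChangeListener.java, where `QueryPropertyChange` should already be in scope unqualified; `QueryPropertyChange<?> change = new QueryPropertyChange<>(` is the shorter form. Replacing the raw type with `<?>` is the right way to clear the unchecked warning without changing behaviour. The constructor call and both enclosing methods continue outside the hunk.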
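--- a/core/src/org/labkey/core/security/BlockListFilter.java
+++ b/core/src/org/labkey/core/security/BlockListFilter.java
@@ -180,7 +180,7 @@ public static boolean isSuspicious(String request_path, String query, String use
 return true;
 for (String part : path)
 {
-if (part.startsWith(".") || part.startsWith("\">") || part.startsWith("wp-") || (part.startsWith("admin")&&!isActionURL))
+if ((part.startsWith(".") && !part.equals(".well-known")) || part.startsWith("\">") || part.startsWith("wp-") || (part.startsWith("admin")&&!isActionURL))
 return true;
 if (part.endsWith("-inf"))
 return true;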
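Review bot: The new exemption `!part.equals(".well-known")` on line 183 applies to every segment of `path`, not only the first, so a request such as `/anything/.well-known/x` also stops being flagged as suspicious; if the goal is only to let the RFC 8615 root location through, compute once before the loop whether the first element of `path` equals `.well-known` (its type is not visible in the hunk) and exempt just that element. The comparison is exact-case here while ModuleStaticResolverImpl's `ALLOWED_DOT_NAMES` matches case-insensitively, so a request for `/.WELL-KNOWN/security.txt` is still treated as suspicious by this filter; that is the stricter of the two and acceptable, but worth recording so the asymmetry is not "fixed" later, e.g. `// .well-known (RFC 8615) is the only dot-directory we serve; exact-case on purpose so probes for variants are still flagged`. isSuspicious starts and ends outside the hunk.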
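--- a/core/src/org/labkey/core/webdav/ModuleStaticResolverImpl.java
+++ b/core/src/org/labkey/core/webdav/ModuleStaticResolverImpl.java
@@ -24,6 +24,7 @@
 import org.labkey.api.cache.Cache;
 import org.labkey.api.cache.CacheListener;
 import org.labkey.api.cache.CacheManager;
+import org.labkey.api.collections.CaseInsensitiveHashSet;
 import org.labkey.api.collections.CaseInsensitiveTreeMap;
 import org.labkey.api.files.FileSystemDirectoryListener;
 import org.labkey.api.files.FileSystemWatcher;
@@ -57,12 +58,14 @@
 import java.io.InputStream;
 import java.nio.file.WatchEvent;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 
@@ -181,16 +184,15 @@ private LookupResult resolve(Path path)
 for (int i=0 ; i<path.size() ; i++)
 {
 Path.Part p = path.getPart(i);
-if (null == p || p.toString().equalsIgnoreCase("META-INF") || p.toString().equalsIgnoreCase("WEB-INF") || p.toString().startsWith("."))
+if (null == p || !isAllowableName(p.toString()))
 return null;
 r = r.find(p);
 if (null == r)
 return null;
-if (r instanceof SymbolicLink)
+if (r instanceof SymbolicLink symbolicLink)
 {
 Path remainder = path.subpath(i+1,path.getNameCount());
-LookupResult result = ((SymbolicLink)r).lookupEx(remainder);
-return result;
+return symbolicLink.lookupEx(remainder);
 }
 }
 return new LookupResult(this,r);
@@ -292,12 +294,7 @@ public void addLink(@NotNull Path from, @NotNull Path target, String indexPage)
 
 synchronized (shortcuts)
 {
-Map<String,Pair<Path,String>> map = shortcuts.get(rParent.getPath());
-if (null == map)
-{
-map = new HashMap<>();
-shortcuts.put(rParent.getPath(), map);
-}
+Map<String, Pair<Path, String>> map = shortcuts.computeIfAbsent(rParent.getPath(), k -> new HashMap<>());
 map.put(from.getName(), new Pair<>(target,indexPage));
 }
 
@@ -387,6 +384,15 @@ public boolean shouldIndex()
 }
 }
 
+private static final Set<String> ALLOWED_DOT_NAMES = Collections.unmodifiableSet(new CaseInsensitiveHashSet(Arrays.asList(".well-known")));
+
+private boolean isAllowableName(String name)
+{
+return !"WEB-INF".equalsIgnoreCase(name) &&
+!"META-INF".equalsIgnoreCase(name) &&
+(!name.startsWith(".") || ALLOWED_DOT_NAMES.contains(name));
+}
+
 private static final Cache<Path, Map<String, WebdavResource>> CHILDREN_CACHE = CacheManager.getCache(1000, CacheManager.DAY, "Static resources");
 
 private class StaticResource extends _PublicResource implements SupportsFileSystemWatcher
@@ -419,18 +425,6 @@ public String getExecuteHref(ViewContext context)
 return PageFlowUtil.staticResourceUrl(getPath().encode());
 }
 
-@Override
-public WebdavResolver getResolver()
-{
-return ModuleStaticResolverImpl.this;
-}
-
-@Override
-public boolean canList(User user, boolean forRead)
-{
-return true;
-}
-
 Map<String,WebdavResource> getChildren()
 {
 synchronized (_lock)
@@ -447,7 +441,7 @@ Map<String,WebdavResource> getChildren()
 for (FileLike fo : files)
 {
 String name = fo.getName();
-if (name.startsWith(".") || name.equals("WEB-INF") || name.equals("META-INF"))
+if (!isAllowableName(name))
 continue;
 if (!map.containsKey(name))
 map.put(name, new ArrayList<>());
@@ -459,7 +453,7 @@ Map<String,WebdavResource> getChildren()
 {
 Path path = getPath().append(e.getKey());
 List<FileLike> alternates = e.getValue();
-if (alternates.get(0).isFile())
+if (alternates.getFirst().isFile())
 children.put(e.getKey(), new StaticResource(this, path, alternates.subList(0,1), null));
 else
 children.put(e.getKey(), new StaticResource(this, path, e.getValue(), null));
@@ -518,7 +512,7 @@ public File getFile()
 {
 if (!exists())
 return null;
-return _files.get(0).toNioPathForRead().toFile();
+return _files.getFirst().toNioPathForRead().toFile();
 }
 
 @Override
@@ -537,7 +531,7 @@ public boolean exists()
 @Override
 public boolean isCollection()
 {
-return exists() && _files.get(0).isDirectory();
+return exists() && _files.getFirst().isDirectory();
 }
 
 @Override
@@ -549,7 +543,7 @@ public WebdavResource find(Path.Part name)
 @Override
 public boolean isFile()
 {
-return exists() && _files.get(0).isFile();
+return exists() && _files.getFirst().isFile();
 }
 
 @Override
@@ -572,7 +566,7 @@ public long getLastModified()
 public InputStream getInputStream(User user) throws IOException
 {
 if (isFile())
-return _files.get(0).openInputStream();
+return _files.getFirst().openInputStream();
 return null;
 }
 
@@ -586,7 +580,7 @@ public long copyFrom(User user, FileStream in)
 public long getContentLength()
 {
 if (isFile())
-return _files.get(0).getSize();
+return _files.getFirst().getSize();
 return 0;
 }
 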
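Review bot: `isAllowableName` (new lines 389–394) is now the single gate deciding which dot-names and container directories become resolvable and listable from module static resources, yet it has no comment saying why `.well-known` is exempt or that the match is case-insensitive; add a Javadoc such as `/** Hides WEB-INF, META-INF and dot-names from static serving so container internals and hidden files are never exposed; .well-known is exempt (case-insensitively) to publish /.well-known/security.txt. */`. Because it is called for every segment in `resolve` and for every entry in `getChildren`, the exemption is not limited to the root, so a module that ships a nested `.well-known` directory would also become browsable — if only the root entry is intended, the `resolve` caller can additionally require `i == 0`. The method reads only the static `ALLOWED_DOT_NAMES`, so it can be `private static boolean isAllowableName(String name)`, and since the file already relies on Java 21 (`getFirst()`, pattern `instanceof`), `Arrays.asList(".well-known")` can be `List.of(".well-known")`, dropping the new `Arrays` import. The same commit also removes the `canList` override at old lines 428–432, so directory listing of StaticResource now falls through to `_PublicResource.canList`, which is outside the hunk; worth confirming that this is the intended listing behaviour rather than a side effect.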
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
Contact: https://www.labkey.com/about/contact-us/
2+
Expires: 2030-01-01T00:00:00.000Z
3+
Preferred-Languages: en
4+
Policy: https://www.labkey.org/Documentation/wiki-page.view?name=securityFixEvaluation
5+
Acknowledgements: https://www.labkey.org/Documentation/wiki-page.view?name=securityFixEvaluation
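Review bot: `Expires: 2030-01-01T00:00:00.000Z` on line 2 is several years out, whereas RFC 9116 recommends the Expires value be less than a year in the future so that stale contact and policy details are not trusted by reporters; consider a nearer date together with a note on who refreshes it. RFC 9116 also describes an optional `Canonical:` field giving the URL the file is served from, which is what lets a signed copy be tied to its location should the file later be signed. The section's file header (its path) is not shown on this page, so the served location cannot be confirmed from here.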
