
AssetEncoder doesn't handle invalid paths missing a digest

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 4.1.1, 4.1.2, 4.1.3, 4.1.5
    • Fix Version/s: 4.1.6
    • Component/s: Framework
    • Labels: None

      Description

      AssetEncoder.decode() has this line:

      int slashx = pathInfo.indexOf('/', 1);

      but never checks for slashx == -1 before using it in:

      encoding.setParameterValue(AssetService.DIGEST, pathInfo.substring(1, slashx));

      which, if the URL didn't have another slash after "assets/", causes a StringIndexOutOfBoundsException at runtime. Some automated security testing tools flag the resulting stack trace in the response as a potential risk, and it just looks bad, even though the URL was not one generated by AssetEncoder, but one obviously manipulated manually somehow.

        Activity

        Andreas Andreou added a comment -

        Yep - I see StringIndexOutOfBoundsException for URLs such as /assets/anything_with_no_slash
        and an NPE for the URL /assets/

        I'm just wondering how to handle those cases, because if we just return,
        the home service will eventually handle them!

        Perhaps setting the digest and the path to an empty string and going on with the asset service is the way to go.

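As an added illustration (not Tapestry's own code), here is a stand-alone Java model of the decode() path parsing discussed in the description and in the comment above: the unchecked form reproduces the StringIndexOutOfBoundsException for a path with no second slash and the NPE for a null pathInfo, and the checked form falls back to an empty digest and path as the comment proposes. The DIGEST/PATH key strings, the line that extracts the remaining path, and the sample URLs are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical stand-alone model of the path parsing in AssetEncoder.decode(); not Tapestry code. */
public class AssetPathDecode {
    // Placeholder key names; the real code uses AssetService.DIGEST and a path parameter.
    static final String DIGEST = "digest";
    static final String PATH = "path";

    /** Logic as reported: indexOf() may return -1, which substring() then rejects. */
    static Map<String, String> decodeUnchecked(String pathInfo) {
        int slashx = pathInfo.indexOf('/', 1);            // NPE when pathInfo is null (/assets/)
        Map<String, String> p = new LinkedHashMap<>();
        p.put(DIGEST, pathInfo.substring(1, slashx));     // StringIndexOutOfBoundsException when slashx == -1
        p.put(PATH, pathInfo.substring(slashx + 1));      // assumed shape of the path extraction
        return p;
    }

    /** Hardened form: a null pathInfo or a missing separator yields empty digest and path. */
    static Map<String, String> decodeChecked(String pathInfo) {
        Map<String, String> p = new LinkedHashMap<>();
        int slashx = (pathInfo == null) ? -1 : pathInfo.indexOf('/', 1);
        if (slashx < 0) {
            // Manipulated or truncated URL: hand an empty digest/path on to the asset service
            // rather than leaking a stack trace in the response.
            p.put(DIGEST, "");
            p.put(PATH, "");
            return p;
        }
        p.put(DIGEST, pathInfo.substring(1, slashx));
        p.put(PATH, pathInfo.substring(slashx + 1));
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a well-formed asset path, the no-slash case, and the null case.
        String[] samples = { "/abc123/org/example/app/logo.gif", "/anything_with_no_slash", null };
        for (String s : samples) {
            try {
                System.out.println(s + " -> unchecked " + decodeUnchecked(s));
            } catch (RuntimeException e) {
                System.out.println(s + " -> unchecked throws " + e.getClass().getSimpleName());
            }
            System.out.println(s + " -> checked   " + decodeChecked(s));
        }
    }
}
```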

          People

          • Assignee: Andreas Andreou
          • Reporter: Greg Woolsey
          • Votes: 0
          • Watchers: 0
