Make ApplicationContext inaccessible in ServerWebExchange (#6679)

#### What type of PR is this? /kind improvement /area core /area plugin /milestone 2.20.x #### What this PR does / why we need it: Plugins can implement their own RouterFunctions and ControllerMappings, but those might expose root ApplicationContext for plugins, which is not expected. So this PR fixes the insecure access to root ApplicationContext. #### Does this PR introduce a user-facing change? ```release-note None ```
2024-09-20 11:16:59 +08:00 · 2024-09-20 11:16:59 +08:00 · df195b12f2
parent a87dedd916
commit df195b12f2
6 changed files with 103 additions and 2 deletions
--- a/application/src/main/java/run/halo/app/config/WebFluxConfig.java
+++ b/application/src/main/java/run/halo/app/config/WebFluxConfig.java
@ -12,6 +12,7 @@ import java.util.List;
 import java.util.Objects;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.web.WebProperties;
 import org.springframework.boot.autoconfigure.web.reactive.WebFluxRegistrations;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@ -33,6 +34,7 @@ import org.springframework.web.reactive.function.server.RouterFunction;
 import org.springframework.web.reactive.function.server.ServerResponse;
 import org.springframework.web.reactive.resource.EncodedResourceResolver;
 import org.springframework.web.reactive.resource.PathResourceResolver;
 import org.springframework.web.reactive.result.method.annotation.RequestMappingHandlerAdapter;
 import org.springframework.web.reactive.result.view.ViewResolutionResultHandler;
 import org.springframework.web.reactive.result.view.ViewResolver;
 import reactor.core.publisher.Mono;
@ -41,6 +43,7 @@ import run.halo.app.console.WebSocketRequestPredicate;
 import run.halo.app.core.endpoint.WebSocketHandlerMapping;
 import run.halo.app.core.extension.endpoint.CustomEndpoint;
 import run.halo.app.core.extension.endpoint.CustomEndpointsBuilder;
 import run.halo.app.infra.SecureRequestMappingHandlerAdapter;
 import run.halo.app.infra.properties.AttachmentProperties;
 import run.halo.app.infra.properties.HaloProperties;
 import run.halo.app.plugin.extensionpoint.ExtensionGetter;
@ -67,6 +70,19 @@ public class WebFluxConfig implements WebFluxConfigurer {
        this.applicationContext = applicationContext;
    }
    @Bean
    WebFluxRegistrations webFluxRegistrations() {
        return new WebFluxRegistrations() {
            @Override
            public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                // Because we have no chance to customize ServerWebExchangeMethodArgumentResolver,
                // we have to use SecureRequestMappingHandlerAdapter to replace a secure
                // ServerWebExchange.
                return new SecureRequestMappingHandlerAdapter();
            }
        };
    }
    @Bean
    ServerResponse.Context context(CodecConfigurer codec,
        ViewResolutionResultHandler resultHandler) {
--- a/application/src/main/java/run/halo/app/infra/SecureRequestMappingHandlerAdapter.java
+++ b/application/src/main/java/run/halo/app/infra/SecureRequestMappingHandlerAdapter.java
@ -0,0 +1,26 @@
 package run.halo.app.infra;
 import org.springframework.lang.NonNull;
 import org.springframework.web.reactive.HandlerResult;
 import org.springframework.web.reactive.result.method.annotation.RequestMappingHandlerAdapter;
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
 /**
 * Secure request mapping handler adapter.
 *
 * @author johnniang
 * @since 2.20.0
 */
 public class SecureRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {
    @Override
    @NonNull
    public Mono<HandlerResult> handle(
        @NonNull ServerWebExchange exchange,
        @NonNull Object handler
    ) {
        return super.handle(new SecureServerWebExchange(exchange), handler);
    }
 }
--- a/application/src/main/java/run/halo/app/infra/SecureServerRequest.java
+++ b/application/src/main/java/run/halo/app/infra/SecureServerRequest.java
@ -0,0 +1,31 @@
 package run.halo.app.infra;
 import org.springframework.lang.NonNull;
 import org.springframework.web.reactive.function.server.ServerRequest;
 import org.springframework.web.reactive.function.server.support.ServerRequestWrapper;
 import org.springframework.web.server.ServerWebExchange;
 /**
 * Secure server request without application context available.
 *
 * @author johnniang
 * @since 2.20.0
 */
 public class SecureServerRequest extends ServerRequestWrapper {
    /**
     * Create a new {@code ServerRequestWrapper} that wraps the given request.
     *
     * @param delegate the request to wrap
     */
    public SecureServerRequest(ServerRequest delegate) {
        super(delegate);
    }
    @Override
    @NonNull
    public ServerWebExchange exchange() {
        return new SecureServerWebExchange(super.exchange());
    }
 }
--- a/application/src/main/java/run/halo/app/infra/SecureServerWebExchange.java
+++ b/application/src/main/java/run/halo/app/infra/SecureServerWebExchange.java
@ -0,0 +1,25 @@
 package run.halo.app.infra;
 import org.springframework.context.ApplicationContext;
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.ServerWebExchangeDecorator;
 /**
 * Secure server web exchange without application context available.
 *
 * @author johnniang
 * @since 2.20.0
 */
 public class SecureServerWebExchange extends ServerWebExchangeDecorator {
    public SecureServerWebExchange(ServerWebExchange delegate) {
        super(delegate);
    }
    @Override
    public ApplicationContext getApplicationContext() {
        // Always return null to prevent access to application context
        return null;
    }
 }
--- a/application/src/main/java/run/halo/app/plugin/AggregatedRouterFunction.java
+++ b/application/src/main/java/run/halo/app/plugin/AggregatedRouterFunction.java
@ -9,6 +9,7 @@ import org.springframework.web.reactive.function.server.ServerResponse;
 import reactor.core.publisher.Mono;
 import run.halo.app.core.extension.endpoint.CustomEndpoint;
 import run.halo.app.core.extension.endpoint.CustomEndpointsBuilder;
 import run.halo.app.infra.SecureServerRequest;
 /**
 * Aggregated router function built from all custom endpoints.
@ -28,7 +29,7 @@ public class AggregatedRouterFunction implements RouterFunction<ServerResponse>
    @Override
    public Mono<HandlerFunction<ServerResponse>> route(ServerRequest request) {
-        return aggregated.route(request);
+        return aggregated.route(new SecureServerRequest(request));
    }
    @Override
--- a/application/src/main/java/run/halo/app/plugin/DefaultPluginRouterFunctionRegistry.java
+++ b/application/src/main/java/run/halo/app/plugin/DefaultPluginRouterFunctionRegistry.java
@ -11,6 +11,7 @@ import org.springframework.web.reactive.function.server.ServerRequest;
 import org.springframework.web.reactive.function.server.ServerResponse;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 import run.halo.app.infra.SecureServerRequest;
 /**
 * A composite {@link RouterFunction} implementation for plugin.
@ -31,8 +32,9 @@ public class DefaultPluginRouterFunctionRegistry
    @Override
    @NonNull
    public Mono<HandlerFunction<ServerResponse>> route(@NonNull ServerRequest request) {
        var secureRequest = new SecureServerRequest(request);
        return Flux.fromIterable(this.routerFunctions)
-            .concatMap(routerFunction -> routerFunction.route(request))
+            .concatMap(routerFunction -> routerFunction.route(secureRequest))
            .next();
    }