throws IllegalArgumentException when downloading file when filename includes '%' for undertow server

[aruanruan]

we map url: '/s/com-huawei-dcp-deploy-deploy-service/v1/api/file/download/main/os/mys/larg%25e_1.0.0.zip' to downloading the special file named 'larg%e_1.0.0.zip' ,
but it throws

java.lang.IllegalArgumentException: null
	at sun.net.www.ParseUtil.decode(Unknown Source)
	at java.net.JarURLConnection.parseSpecs(Unknown Source)
	at java.net.JarURLConnection.<init>(Unknown Source)
	at sun.net.www.protocol.jar.JarURLConnection.<init>(Unknown Source)
	at sun.net.www.protocol.jar.Handler.openConnection(Unknown Source)
	at java.net.URL.openConnection(Unknown Source)
	at io.undertow.server.handlers.resource.URLResource.openConnection(URLResource.java:86)
	at io.undertow.server.handlers.resource.URLResource.getContentLength(URLResource.java:273)

becuase '%25' is decode to '%', and URLResource use the path '/s/com-huawei-dcp-deploy-deploy-service/v1/api/file/download/main/os/mys/larg%e_1.0.0.zip', the class ParseUtils throws the IllegaglArgumentException when decoding '%e_'

bug is in the class org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory$MetaInfResourcesResourceManager

private URLResource getMetaInfResource(URL resourceJar, String path) {
			try {
				URL resourceUrl = new URL(resourceJar + "META-INF/resources" + path);
				URLResource resource = new URLResource(resourceUrl, path);
				if (resource.getContentLength() < 0) {
					return null;
				}
				return resource;
			}
			catch (MalformedURLException ex) {
				return null;
			}
		}

[wilkinsona]

Thanks for the report. Can you please provide a minimal sample that reproduces the problem?

[aruanruan]

any empty springboot (2.1.7.RELEASE) project using embed undertow server.
listen on 127.0.0.1: 8080
in chrome browser , use url 'http://127.0.0.1:8008/abc/def/%25_e.zip'

java.lang.IllegalArgumentException: null
        at sun.net.www.ParseUtil.decode(Unknown Source)
        at java.net.JarURLConnection.parseSpecs(Unknown Source)
        at java.net.JarURLConnection.<init>(Unknown Source)
        at sun.net.www.protocol.jar.JarURLConnection.<init>(Unknown Source)
        at sun.net.www.protocol.jar.Handler.openConnection(Unknown Source)
        at java.net.URL.openConnection(Unknown Source)
        at io.undertow.server.handlers.resource.URLResource.openConnection(URLResource.java:86)
        at io.undertow.server.handlers.resource.URLResource.getContentLength(URLResource.java:273)
        at org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory$MetaInfResourcesResourceManager.getMetaInfResource(UndertowServletWebServerFactory.java:572)
        at org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory$MetaInfResourcesResourceManager.getResource(UndertowServletWebServerFactory.java:546)
        at org.springframework.boot.web.embedded.undertow.CompositeResourceManager.getResource(CompositeResourceManager.java:51)
        at io.undertow.servlet.handlers.ServletPathMatches.getServletHandlerByPath(ServletPathMatches.java:96)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:146)
        at io.undertow.server.handlers.HttpContinueReadHandler.handleRequest(HttpContinueReadHandler.java:65)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
        at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:255)
        at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:136)
        at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:162)
        at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:100)
        at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:57)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
        at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:129)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:582)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:466)
 

if i modify URLResource getMetaInfResource(URL resourceJar, String path) into:

private URLResource getMetaInfResource(URL resourceJar, String path) {
			try {
                               // replace % to url safe
				if(path.indexOf('%') >= 0) {
					path = path.replace("%", "%25");
				}
                                // end 
				URL resourceUrl = new URL(resourceJar + "META-INF/resources" + path);
				URLResource resource = new URLResource(resourceUrl, path);
				if (resource.getContentLength() < 0) {
					return null;
				}
				return resource;
			}
			catch (MalformedURLException ex) {
				return null;
			}
		}

compile & run,
chrome browser shows:

Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.

Wed Aug 14 15:35:07 CST 2019
There was an unexpected error (type=Not Found, status=404).
Not Found

it is ok.

[wilkinsona]

Thanks for the additional details. I cannot reproduce the problem with an empty app that uses Undertow. As far as I can tell, for the problem to occur, there must be at least one jar on the classpath that contains a META-INF/resources/ directory. Can you please confirm?

I'm not sure that we can fix this by solely replacing % with %25. There are other characters that may appear in the path that should really be escaped when being used in a URL.

[aruanruan]

when i add springfox's swagger2 to project, it happens:

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.springframework</groupId>
    <artifactId>gs-spring-boot</artifactId>
    <version>0.1.0</version>

	<dependencyManagement>
		<dependencies>
			<dependency>
				<!-- Import dependency management from Spring Boot -->
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-dependencies</artifactId>
				<version>2.1.7.RELEASE</version>
				<type>pom</type>
				<scope>import</scope>
				
			</dependency>
			
		</dependencies>
	</dependencyManagement>
	 

    <dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
			<exclusions>
				<exclusion>
                   <groupId>org.springframework.boot</groupId>
                   <artifactId>spring-boot-starter-tomcat</artifactId>
                </exclusion>
            </exclusions>
		</dependency>
		<dependency>
		   <groupId>org.springframework.boot</groupId>
		   <artifactId>spring-boot-starter-undertow</artifactId>
		</dependency>
		<dependency>
		   <groupId>io.undertow</groupId>
		   <artifactId>undertow-core</artifactId>
		   </dependency>
		<dependency>
		   <groupId>io.undertow</groupId>
		   <artifactId>undertow-servlet</artifactId>
		</dependency>
		<dependency>
			<groupId>io.swagger</groupId>
			<artifactId>swagger-models</artifactId>
			<version>1.5.20</version>
		</dependency>
		<dependency>
			<groupId>io.swagger</groupId>
			<artifactId>swagger-annotations</artifactId>
			<version>1.5.20</version>
		</dependency>
		<dependency>
			<groupId>io.springfox</groupId>
			<artifactId>springfox-core</artifactId>
			<version>2.9.2</version>
		</dependency>
		<dependency>
			<groupId>io.springfox</groupId>
			<artifactId>springfox-swagger-common</artifactId>
			<version>2.9.2</version>
		</dependency>
		<dependency>
			<groupId>io.springfox</groupId>
			<artifactId>springfox-swagger2</artifactId>
			<version>2.9.2</version>
		</dependency>
		<dependency>
			<groupId>io.springfox</groupId>
			<artifactId>springfox-swagger-ui</artifactId>
			<version>2.9.2</version>
		</dependency>
		<dependency>
			<groupId>io.springfox</groupId>
			<artifactId>springfox-spring-web</artifactId>
			<version>2.9.2</version>
		</dependency>
    </dependencies>

    <properties>
        <java.version>1.8</java.version>
    </properties>


    <build>
		<sourceDirectory>src/main/java</sourceDirectory>
		<testSourceDirectory>src/test/java</testSourceDirectory>
		<outputDirectory>target/classes</outputDirectory>
		<testOutputDirectory>target/test-classes</testOutputDirectory>
		<resources>
			<resource>
				<directory>src/main/resources</directory>
			</resource>
		</resources>
		<testResources>
			<testResource>
				<directory>src/test/resources</directory>
			</testResource>
		</testResources>
		<directory>./target</directory>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
				<artifactId>maven-compiler-plugin</artifactId>
				<version>2.3.2</version>
				<executions>
					<execution>
						<id>default-compile</id>
						<phase>compile</phase>
						<goals>
							<goal>compile</goal>
						</goals>
						<configuration>
							<source>1.8</source>
							<target>1.8</target>
							<encoding>UTF-8</encoding>
							<compilerArgs>
								<arg>-parameters</arg>
							</compilerArgs>
						</configuration>
					</execution>
					<execution>
						<id>default-testCompile</id>
						<phase>test-compile</phase>
						<goals>
							<goal>testCompile</goal>
						</goals>
						<configuration>
							<source>1.8</source>
							<target>1.8</target>
							<encoding>UTF-8</encoding>
						</configuration>
					</execution>
				</executions>
				<configuration>
					<source>1.8</source>
					<target>1.8</target>
					<encoding>UTF-8</encoding>
				</configuration>
			</plugin>
        </plugins>
    </build>

</project>

only two source file: /src/main/java:

Application.java:

package test;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Application {

	public static void main(String[] args) throws MalformedURLException {
		SpringApplication.run(Application.class, args);
	}
}

HelloController.java:

package test;

import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RequestMapping;

@RestController
public class HelloController {

    @RequestMapping("/")
    public String index() {
        return "Greetings from Spring Boot!";
    }
}

[philwebb]

@aruanruan You you please share a complete project either as a GitHub project that we can clone or an attached zip file. It's then easier for us to make sure we are talking about the same thing.

[marcusportmann]

Thanks for the additional details. I cannot reproduce the problem with an empty app that uses Undertow. As far as I can tell, for the problem to occur, there must be at least one jar on the classpath that contains a META-INF/resources/ directory. Can you please confirm?

I'm not sure that we can fix this by solely replacing % with %25. There are other characters that may appear in the path that should really be escaped when being used in a URL.

I am experiencing the same issue when I have a '%' character that is correctly encoded in a URL for a Rest controller e.g. http://localhost:8080/api/configuration/configurations/A%25T.

I also have the springfox-swagger-ui dependency on my classpath.

By the time the path is passed to the getMetaInfResource() method on the UndertowServletWebServerFactory class the '%25' has already been decoded as '%', which results in an invalid resource URL being constructed that cannot be parse correctly by the JarURLConnection class.

private URLResource getMetaInfResource(URL resourceJar, String path) {
			try {
				URL resourceUrl = new URL(resourceJar + "META-INF/resources" + path);
				URLResource resource = new URLResource(resourceUrl, path);
				if (resource.getContentLength() < 0) {
					return null;
				}
				return resource;
			}
			catch (MalformedURLException ex) {
				return null;
			}
		}

	}

The stack trace I get is as follows:

          at sun.net.www.ParseUtil.unescape(ParseUtil.java:162)
	  at sun.net.www.ParseUtil.decode(ParseUtil.java:198)
	  at java.net.JarURLConnection.parseSpecs(JarURLConnection.java:189)
	  at java.net.JarURLConnection.<init>(JarURLConnection.java:158)
	  at sun.net.www.protocol.jar.JarURLConnection.<init>(JarURLConnection.java:81)
	  at sun.net.www.protocol.jar.Handler.openConnection(Handler.java:41)
	  at java.net.URL.openConnection(URL.java:1051)
	  at io.undertow.server.handlers.resource.URLResource.openConnection(URLResource.java:86)
	  at io.undertow.server.handlers.resource.URLResource.getContentLength(URLResource.java:273)
	  at org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory$MetaInfResourcesResourceManager.getMetaInfResource(UndertowServletWebServerFactory.java:565)
	  at org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory$MetaInfResourcesResourceManager.getResource(UndertowServletWebServerFactory.java:539)
	  at org.springframework.boot.web.embedded.undertow.CompositeResourceManager.getResource(CompositeResourceManager.java:51)
	  at io.undertow.servlet.handlers.ServletPathMatches.getServletHandlerByPath(ServletPathMatches.java:96)
	  at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:151)
	  at io.undertow.server.handlers.HttpContinueReadHandler.handleRequest(HttpContinueReadHandler.java:65)
	  at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
	  at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:255)
	  at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:136)
	  at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:59)
	  at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	  at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
	  at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
	  at org.xnio.nio.WorkerThread.run(WorkerThread.java:561)

[philwebb]

@marcusportmann Do you have a sample application that you can share? We're still ideally looking for something that we can clone and run.