Fix for #981, patch 2 (#988)

Author: perwendel

src/main/java/spark/resource/ClassPathResource.java

@@ -23,6 +23,7 @@
 
 import spark.utils.Assert;
 import spark.utils.ClassUtils;
+import spark.utils.ResourceUtils;
 import spark.utils.StringUtils;
 
 /**
@@ -74,7 +75,7 @@ public ClassPathResource(String path) {
      */
     public ClassPathResource(String path, ClassLoader classLoader) {
         Assert.notNull(path, "Path must not be null");
-        Assert.state(doesNotContainFileColon(path), "Path must not contain 'file:'");
+        Assert.isTrue(isValid(path), "Path is not valid");
 
         String pathToUse = StringUtils.cleanPath(path);
 
@@ -86,8 +87,27 @@ public ClassPathResource(String path, ClassLoader classLoader) {
         this.classLoader = (classLoader != null ? classLoader : ClassUtils.getDefaultClassLoader());
     }
 
-    private static boolean doesNotContainFileColon(String path) {
-        return !path.contains("file:");
+    private static boolean isValid(final String path) {
+        return !isInvalidPath(path);
+    }
+
+    private static boolean isInvalidPath(String path) {
+        if (path.contains("WEB-INF") || path.contains("META-INF")) {
+            return true;
+        }
+        if (path.contains(":/")) {
+            String relativePath = (path.charAt(0) == '/' ? path.substring(1) : path);
+            if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith("url:")) {
+                return true;
+            }
+        }
+        if (path.contains("")) {
+            path = StringUtils.cleanPath(path);
+            if (path.contains("../")) {
+                return true;
+            }
+        }
+        return false;
     }
 
     /**
@@ -236,8 +256,8 @@ public boolean equals(Object obj) {
             ClassLoader otherLoader = otherRes.classLoader;
 
             return (this.path.equals(otherRes.path) &&
-                thisLoader.equals(otherLoader) &&
-                this.clazz.equals(otherRes.clazz));
+                    thisLoader.equals(otherLoader) &&
+                    this.clazz.equals(otherRes.clazz));
         }
         return false;
     }

src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java

@@ -4,13 +4,19 @@
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.junit.After;
 import org.junit.Test;
+
 import spark.embeddedserver.EmbeddedServer;
 import spark.route.Routes;
 import spark.staticfiles.StaticFilesConfiguration;
 
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
 
 public class EmbeddedJettyFactoryTest {
+
     private EmbeddedServer embeddedServer;
 
     @Test
@@ -19,14 +25,14 @@ public void create() throws Exception {
         final StaticFilesConfiguration staticFilesConfiguration = mock(StaticFilesConfiguration.class);
         final Routes routes = mock(Routes.class);
 
-        when(jettyServerFactory.create(100,10,10000)).thenReturn(new Server());
+        when(jettyServerFactory.create(100, 10, 10000)).thenReturn(new Server());
 
         final EmbeddedJettyFactory embeddedJettyFactory = new EmbeddedJettyFactory(jettyServerFactory);
         embeddedServer = embeddedJettyFactory.create(routes, staticFilesConfiguration, false);
 
-        embeddedServer.ignite("localhost", 8080, null, 100,10,10000);
+        embeddedServer.ignite("localhost", 6757, null, 100, 10, 10000);
 
-        verify(jettyServerFactory, times(1)).create(100,10,10000);
+        verify(jettyServerFactory, times(1)).create(100, 10, 10000);
         verifyNoMoreInteractions(jettyServerFactory);
     }
 
@@ -42,7 +48,7 @@ public void create_withThreadPool() throws Exception {
         final EmbeddedJettyFactory embeddedJettyFactory = new EmbeddedJettyFactory(jettyServerFactory).withThreadPool(threadPool);
         embeddedServer = embeddedJettyFactory.create(routes, staticFilesConfiguration, false);
 
-        embeddedServer.ignite("localhost", 8080, null, 0,0,0);
+        embeddedServer.ignite("localhost", 6758, null, 0, 0, 0);
 
         verify(jettyServerFactory, times(1)).create(threadPool);
         verifyNoMoreInteractions(jettyServerFactory);
@@ -54,19 +60,21 @@ public void create_withNullThreadPool() throws Exception {
         final StaticFilesConfiguration staticFilesConfiguration = mock(StaticFilesConfiguration.class);
         final Routes routes = mock(Routes.class);
 
-        when(jettyServerFactory.create(100,10,10000)).thenReturn(new Server());
+        when(jettyServerFactory.create(100, 10, 10000)).thenReturn(new Server());
 
         final EmbeddedJettyFactory embeddedJettyFactory = new EmbeddedJettyFactory(jettyServerFactory).withThreadPool(null);
         embeddedServer = embeddedJettyFactory.create(routes, staticFilesConfiguration, false);
 
-        embeddedServer.ignite("localhost", 8080, null, 100,10,10000);
+        embeddedServer.ignite("localhost", 6759, null, 100, 10, 10000);
 
-        verify(jettyServerFactory, times(1)).create(100,10,10000);
+        verify(jettyServerFactory, times(1)).create(100, 10, 10000);
         verifyNoMoreInteractions(jettyServerFactory);
     }
 
     @After
     public void tearDown() throws Exception {
-        if(embeddedServer != null) embeddedServer.extinguish();
+        if (embeddedServer != null) {
+            embeddedServer.extinguish();
+        }
     }
 }

src/test/java/spark/examples/staticresources/StaticResources.java

@@ -17,7 +17,7 @@
 package spark.examples.staticresources;
 
 import static spark.Spark.get;
-import static spark.Spark.staticFileLocation;
+import static spark.Spark.staticFiles;
 
 /**
  * Example showing how serve static resources.
@@ -27,7 +27,7 @@ public class StaticResources {
     public static void main(String[] args) {
 
         // Will serve all static file are under "/public" in classpath if the route isn't consumed by others routes.
-        staticFileLocation("/public");
+        staticFiles.location("/public");
 
         get("/hello", (request, response) -> {
             return "Hello World!";