Merge branch 'release/2.0.1'

Author: infeo

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>webdav-nio-adapter</artifactId>
-	<version>2.0.0</version>
+	<version>2.0.1</version>
 	<name>WebDAV-NIO Adapter</name>
 	<description>Embedded Jetty serving a WebDAV servlet to access resources at a given NIO path.</description>
 	<url>https://github.com/cryptomator/webdav-nio-adapter</url>
@@ -21,7 +21,7 @@
 		<!-- dependencies -->
 		<integrations-api.version>1.2.0</integrations-api.version>
 		<webdavservlet.version>1.2.3</webdavservlet.version>
-		<jetty.version>10.0.13</jetty.version>
+		<jetty.version>10.0.14</jetty.version>
 		<slf4j.version>2.0.6</slf4j.version>
 
 		<!-- test dependencies -->

src/main/java/org/cryptomator/frontend/webdav/ContextPathRegistry.java

@@ -0,0 +1,8 @@
+package org.cryptomator.frontend.webdav;
+
+public interface ContextPathRegistry {
+
+	boolean add(String contextPath);
+	boolean remove(String contextPath);
+
+}

src/main/java/org/cryptomator/frontend/webdav/DefaultServlet.java

@@ -13,19 +13,20 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.Collection;
+import java.util.Collections;
+import java.util.Set;
 import java.util.function.Predicate;
 import java.util.regex.Pattern;
 
-class DefaultServlet extends HttpServlet {
+class DefaultServlet extends HttpServlet implements ContextPathRegistry {
 
 	private static final String METHOD_PROPFIND = "PROPFIND";
 	private static final int TARPIT_DELAY_MS = 5000;
 	private static final Pattern PATH_SEP_PATTERN = Pattern.compile("/");
-	private final Collection<String> contextPaths;
+	private final Set<String> synchronizedContextPaths;
 
-	public DefaultServlet(Collection<String> contextPaths) {
-		this.contextPaths = contextPaths;
+	public DefaultServlet(Set<String> contextPaths) {
+		this.synchronizedContextPaths = Collections.synchronizedSet(contextPaths);
 	}
 
 	@Override
@@ -78,7 +79,24 @@ protected void doPropfind(HttpServletRequest req, HttpServletResponse resp) thro
 	}
 
 	private boolean isRequestedResourcePathPartOfValidContextPath(String requestedResourcePath) {
-		return contextPaths.stream().anyMatch(cp -> isParentOrSamePath(cp, requestedResourcePath));
+		//required for synchronized collections, see https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/util/Collections.html#synchronizedSet(java.util.Set)
+		synchronized (synchronizedContextPaths) {
+			return synchronizedContextPaths.stream().anyMatch(cp -> isParentOrSamePath(cp, requestedResourcePath));
+		}
+	}
+
+	@Override
+	public boolean add(String contextPath) {
+		synchronized (synchronizedContextPaths) {
+			return synchronizedContextPaths.add(contextPath);
+		}
+	}
+
+	@Override
+	public boolean remove(String contextPath) {
+		synchronized (synchronizedContextPaths) {
+			return synchronizedContextPaths.remove(contextPath);
+		}
 	}
 
 	private boolean isParentOrSamePath(String path, String potentialParent) {

src/main/java/org/cryptomator/frontend/webdav/WebDavServer.java

@@ -33,12 +33,14 @@ public class WebDavServer {
 	private final ExecutorService executorService;
 	private final ServerConnector localConnector;
 	private final ContextHandlerCollection servletCollectionCtx;
+	private final DefaultServlet defaultServlet;
 
-	WebDavServer(Server server, ExecutorService executorService, ServerConnector connector, ContextHandlerCollection servletCollectionCtx) {
+	WebDavServer(Server server, ExecutorService executorService, ServerConnector connector, ContextHandlerCollection servletCollectionCtx, DefaultServlet defaultServlet) {
 		this.server = server;
 		this.executorService = executorService;
 		this.localConnector = connector;
 		this.servletCollectionCtx = servletCollectionCtx;
+		this.defaultServlet = defaultServlet;
 	}
 
 	public static WebDavServer create(InetSocketAddress bindAddr) {
@@ -94,7 +96,7 @@ public synchronized void terminate() throws ServerLifecycleException {
 	 * @return The controller object for this new servlet
 	 */
 	public WebDavServletController createWebDavServlet(Path rootPath, String contextPath) {
-		return WebDavServletFactory.createServletController(rootPath, contextPath, localConnector, servletCollectionCtx);
+		return WebDavServletFactory.createServletController(rootPath, contextPath, localConnector, servletCollectionCtx, defaultServlet);
 	}
 
 }

src/main/java/org/cryptomator/frontend/webdav/WebDavServerFactory.java

@@ -101,7 +101,7 @@ public static WebDavServer createWebDavServer(InetSocketAddress bindAddr) {
 		var servletCollectionCtx = createContextHandlerCollection(defaultServletCtx);
 		var server = createServer(threadPool, servletCollectionCtx);
 		var serverConnector = createServerConnector(server, bindAddr);
-		return new WebDavServer(server, executorService, serverConnector, servletCollectionCtx);
+		return new WebDavServer(server, executorService, serverConnector, servletCollectionCtx, defaultServlet);
 	}
 
 }

src/main/java/org/cryptomator/frontend/webdav/servlet/WebDavServletController.java

@@ -1,5 +1,6 @@
 package org.cryptomator.frontend.webdav.servlet;
 
+import org.cryptomator.frontend.webdav.ContextPathRegistry;
 import org.cryptomator.frontend.webdav.ServerLifecycleException;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.ContextHandlerCollection;
@@ -17,12 +18,14 @@ public class WebDavServletController {
 	private final ServletContextHandler contextHandler;
 	private final ContextHandlerCollection contextHandlerCollection;
 	private final ServerConnector connector;
+	private final ContextPathRegistry contextPathRegistry;
 	private final String contextPath;
 
-	WebDavServletController(ServletContextHandler contextHandler, ContextHandlerCollection contextHandlerCollection, ServerConnector connector, String contextPath) {
+	WebDavServletController(ServletContextHandler contextHandler, ContextHandlerCollection contextHandlerCollection, ServerConnector connector, ContextPathRegistry contextPathRegistry, String contextPath) {
 		this.contextHandler = contextHandler;
 		this.contextHandlerCollection = contextHandlerCollection;
 		this.connector = connector;
+		this.contextPathRegistry = contextPathRegistry;
 		this.contextPath = contextPath;
 	}
 
@@ -33,6 +36,7 @@ public class WebDavServletController {
 	 */
 	public void start() throws ServerLifecycleException {
 		try {
+			contextPathRegistry.add(contextPath);
 			contextHandlerCollection.addHandler(contextHandler);
 			contextHandlerCollection.mapContexts();
 			contextHandler.start();
@@ -52,6 +56,7 @@ public void stop() throws ServerLifecycleException {
 			contextHandler.stop();
 			contextHandlerCollection.removeHandler(contextHandler);
 			contextHandlerCollection.mapContexts();
+			contextPathRegistry.remove(contextPath);
 			LOG.info("WebDavServlet stopped: " + contextPath);
 		} catch (Exception e) {
 			throw new ServerLifecycleException("Servlet couldn't be stopped", e);

src/main/java/org/cryptomator/frontend/webdav/servlet/WebDavServletFactory.java

@@ -8,6 +8,7 @@
  *******************************************************************************/
 package org.cryptomator.frontend.webdav.servlet;
 
+import org.cryptomator.frontend.webdav.ContextPathRegistry;
 import org.cryptomator.webdav.core.filters.*;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.ContextHandlerCollection;
@@ -39,14 +40,14 @@ public static ServletContextHandler createServletContext(Path rootPath, String c
 		return servletContext;
 	}
 
-	public static WebDavServletController createServletController(Path rootPath, String untrimmedContextPath, ServerConnector serverConnector, ContextHandlerCollection contextHandlerCollection) {
+	public static WebDavServletController createServletController(Path rootPath, String untrimmedContextPath, ServerConnector serverConnector, ContextHandlerCollection contextHandlerCollection, ContextPathRegistry contextPathRegistry) {
 		var trimmedCtxPath = untrimmedContextPath;
 		while (trimmedCtxPath.endsWith("/")) {
 			trimmedCtxPath = trimmedCtxPath.substring(0, trimmedCtxPath.length() - 1);
 		}
 		String contextPath = trimmedCtxPath.startsWith("/") ? trimmedCtxPath : "/" + trimmedCtxPath;
 		ServletContextHandler contextHandler = createServletContext(rootPath, contextPath);
-		return new WebDavServletController(contextHandler, contextHandlerCollection, serverConnector, contextPath);
+		return new WebDavServletController(contextHandler, contextHandlerCollection, serverConnector, contextPathRegistry, contextPath);
 	}
 
 }

suppression.xml

@@ -21,5 +21,13 @@
 		<cpe>cpe:/a:cryptomator:cryptomator</cpe>
 		<cve>CVE-2022-25366</cve>
 	</suppress>
+	<suppress>
+		<notes><![CDATA[
+  		Suppress false positive, because com.google.common.io.Files.getTempDir() is not used
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+		<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
+		<cve>CVE-2020-8908</cve>
+	</suppress>
 
 </suppressions>