Describe the bug Using relative path in seachLocations for native profile of Config server:


spring:
  profiles: native
  cloud:
    config:
      server:
        native:
          searchLocations: ../../config/localhost

Everything seems fine - get properties works correctly: GET https://localhost:8888/config/app-name/default ..returns correctly properties. See log:

[nio-8888-exec-5] o.s.c.c.s.e.NativeEnvironmentRepository  : [] Adding property source: file:../../config/localhost/application.properties

But when trying to obtain any other resource file, we got validation error from GenericResourceRepository: GET https://localhost:8888/config/app-name/default/default/some-file.xml

[nio-8888-exec-9] o.s.c.c.s.r.GenericResourceRepository    : [] Location contains ".."

I assume this is a buggy behaviour - Eighter path should be normalized (canonical path) before full path is constructed with reuest file or only requested part of path should be checked.

Comment From: spencergibb

This was added to not allow certain kinds of vulnerabilities. We should either document the limitation or add an option to convert to absolute paths