Describe the bug
Using a relative path in searchLocations for the native profile of Config server:
spring:
  profiles: native
  cloud:
    config:
      server:
        native:
          searchLocations: ../../config/localhost
Everything seems fine - getting properties works correctly: GET https://localhost:8888/config/app-name/default returns the properties correctly. See log:
[nio-8888-exec-5] o.s.c.c.s.e.NativeEnvironmentRepository : [] Adding property source: file:../../config/localhost/application.properties
But when trying to obtain any other resource file, we get a validation error from GenericResourceRepository: GET https://localhost:8888/config/app-name/default/default/some-file.xml
[nio-8888-exec-9] o.s.c.c.s.r.GenericResourceRepository : [] Location contains ".."
I assume this is buggy behaviour - either the path should be normalized (canonical path) before the full path is constructed with the requested file, or only the requested part of the path should be checked.
Comment From: spencergibb
This was added to not allow certain kinds of vulnerabilities. We should either document the limitation or add an option to convert to absolute paths.
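
Added example, not part of the issue thread and not Spring Cloud Config's own code: it contrasts a substring check on the joined location, which rejects every request once the configured base contains "..", with converting the search location to an absolute normalized path and then checking containment. The class and method names are hypothetical, and the request strings are constructed samples; only the searchLocations value comes from the issue.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ResourceLocationCheck {

    // Illustration of the reported behaviour: the check runs on the joined string,
    // so a ".." in the operator-configured base rejects every request.
    static boolean naiveIsInvalid(String searchLocation, String requested) {
        return (searchLocation + "/" + requested).contains("..");
    }

    // Resolve `requested` under `searchLocation`, or throw if it would leave the base.
    static Path resolveInside(String searchLocation, String requested) {
        // Operator-supplied value: make it absolute and collapse "." and "..".
        Path base = Paths.get(searchLocation).toAbsolutePath().normalize();
        // Client-supplied value: resolve against the base, then normalize.
        // An absolute `requested` replaces the base and fails the check below.
        Path candidate = base.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, not string prefixes.
        // normalize() is lexical only: symlinks under the base are not resolved.
        if (!candidate.startsWith(base)) {
            throw new SecurityException("requested path escapes search location");
        }
        return candidate;
    }

    public static void main(String[] args) {
        String base = "../../config/localhost";   // searchLocations value from the issue
        String[] requests = {                      // constructed sample requests
            "some-file.xml", "sub/../some-file.xml", "../other/file.xml", "/abs/outside.xml"
        };
        for (String r : requests) {
            String verdict;
            try {
                verdict = "allowed -> " + resolveInside(base, r);
            } catch (SecurityException e) {
                verdict = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-22s naiveInvalid=%-5b containment: %s%n",
                    r, naiveIsInvalid(base, r), verdict);
        }
    }
}
```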