Config files no longer loaded if they contain a hidden path element

[mwftapi]

Since upgrading from Spring Boot Version 2.3.4 to Spring Boot Version 2.3.5 a application no longer loads properties from property files that are located in config locations that contain a hidden path element.

This can be reproduced by setting the spring.config.additional-location to a location that contains a hidden path element as shown in the following snippet:

@SpringBootApplication
public class Application extends SpringBootServletInitializer {

  private static final String ADDITIONAL_CONFIG_LOCATION = "/additional/config/.location/";

  public static void main(String[] args) {
    configureApplication(new SpringApplicationBuilder()).run(args);
  }

  @Override
  protected SpringApplicationBuilder configure(
    SpringApplicationBuilder builder) {
    return configureApplication(builder);
  }

  private static SpringApplicationBuilder configureApplication(SpringApplicationBuilder builder) {
    return builder.sources(Application.class).properties(
      Map.of("spring.config.additional-location", ADDITIONAL_CONFIG_LOCATION)
    );
  }
}

As seen in the example code snippet the additional config location given contains a hidden path element, namely .location.

If we put a file named application-some-active-profile.yml into /additional/config/.location/ this file will not be loaded by the org/springframework/boot/context/config/ConfigFileApplicationListener.java upon start up when running with -Dspring.profiles.active=some-active-profile.

This is because of the check in Line 525 of the ConfigFileApplicationListener.

spring-boot/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/context/config/ConfigFileApplicationListener.java

Line 525 in d87c437

if (resource.isFile() && hasHiddenPathElement(resource)) {

This check will strip all path elements and check them for a starting .. Since the constructed resource path file:/application/config/.location/application-some-active-profile.yml contains the .location path element the resource will not be loaded.

spring-boot/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/context/config/ConfigFileApplicationListener.java

Line 572 in d87c437

if (value.toString().startsWith(".")) {

This change was introduced with the following commit.

This issue is reproducible with all config file types: properties, xml, yaml, yml.

This issue is not reproducible with Spring Boot Version 2.3.4.

[wilkinsona]

Sorry for the inconvenience, @mwftapi. Thank you for the detailed analysis of the problem.

[mwftapi]

Glad if I can help! Thank you for managing such an amazing framework! Keep up the good work! ❤️

[gbaso]

This also breaks applications packaged as war and deployed with Eclipse + Tomcat, since Eclipse uses the hidden folder <eclipse-workspace>/.metadata/.plugins/org.eclipse.wst.server.core/tmp0 as the default server path.

[wilkinsona]

From @bo0ts on #23160:

@wilkinsona We are using fully qualified paths to set our config locations, e.g. -Dspring.config.location=classpath:/,classpath:/config/,file:./,file:./config/,/config/config1/..2020_10_27_21_10_29.547134956/application.properties,/config/config2/..2020_10_27_21_10_30.275048764/secret.properties,/config/config3/..2020_10_27_21_10_29.797568129/application.properties. (We collect those files with find . -type f ...)

This change breaks loading our configs and #23983 does nothing to alleviate this. I don't think skipping explicitly defined absolute paths to config files is the intention.

I wonder if we can restrict ignoring .. prefixed path elements to the wildcard case?