Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change DefaultFiles/DirectoryBrowser/StaticFileMiddleware to only no-op if there's an active endpoint with a non-null RequestDelegate #42413

Closed
DamianEdwards opened this issue Jun 24, 2022 · 10 comments · Fixed by #42458
Assignees
Labels
area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlesware breaking-change This issue / pr will introduce a breaking change, when resolved / merged. feature-static-files
Milestone

Comments

@DamianEdwards
Copy link
Member

DamianEdwards commented Jun 24, 2022

The DefaultFilesMiddleware, DirectoryBrowserMiddleware, and StaticFileMiddleware currently no-op (fall through to the next middleware in the pipeline) if they detect the request has an active endpoint (see code here).

This prevents the middleware from running even in cases where there's an endpoint with a null RequestDelegate. This prevents the ability to have an active endpoint for the purposes of communicating metadata to middleware while allowing middleware like the StaticFileMiddleware to keep performing its function, e.g. have a "dummy" endpoint to carry IAuthorizeData metadata so that the AuthorizationMiddleware performs authorization on a request before the StaticFileMiddleware runs (example here).

We should consider updating the check in these middleware to instead only no-op if the active endpoint's request delegate is null, i.e.:

// Return true because we only want to run if there is no endpoint request delegate.
private static bool ValidateNoEndpointRequestDelegate(HttpContext context) => context.GetEndpoint()?.RequestDelegate == null;

If there are other middleware with similar behavior we should consider updating those in a similar fashion.

DamianEdwards added a commit to DamianEdwards/AspNetCorePathAuthorization that referenced this issue Jun 24, 2022
@DamianEdwards DamianEdwards changed the title Change StaticFileMiddleware to only no-op if there's an active endpoint with a non-null RequestDelegate Change DefaultFiles/DirectoryBrowser/StaticFileMiddleware to only no-op if there's an active endpoint with a non-null RequestDelegate Jun 24, 2022
@DamianEdwards
Copy link
Member Author

@Tratcher @davidfowl @JamesNK any thoughts if this would cause any issues?

@Tratcher
Copy link
Member

Could RequestDelegate ever be null before?

@DamianEdwards
Copy link
Member Author

Endpoint.RequestDelegate is marked as nullable, so yes?

@Tratcher
Copy link
Member

Sure, but in practice where there any situations where it was null that we would now handle differently?

@DamianEdwards
Copy link
Member Author

Not that I'm aware of, but that's impossible to prove absolutely. Is your question basically "Are there cases where the middleware would now start handling the request where before it didn't?"

@Tratcher
Copy link
Member

Right. If a null RequestDelegate was common for some situation before, those requests could now collide with StaticFiles. If this wasn't a pattern we saw in use before then the change is harmless.

@DamianEdwards
Copy link
Member Author

I'll let the others chime in on that then, given I only found out today that Endpoint.RequestDelegate could even be null 😃

@davidfowl
Copy link
Member

I am supportive of this change. It opens up something we're trying to do with endpoints and policies. An endpoint without a request delegate is pretty rare which is why I feel comfortable taking this one. It is a breaking change though, so maybe its worth documenting anyways.

@davidfowl davidfowl added the breaking-change This issue / pr will introduce a breaking change, when resolved / merged. label Jun 25, 2022
@DamianEdwards
Copy link
Member Author

Do we feel it warrants an appcontext switch (I'm guessing... no)?

@wtgodbe
Copy link
Member

wtgodbe commented Jun 27, 2022

Do we feel it warrants an appcontext switch (I'm guessing... no)?

Triage - we don't think it needs one. If we can get this in for preview7 without breaking anybody, we say go ahead

@wtgodbe wtgodbe added this to the 7.0-preview7 milestone Jun 27, 2022
DamianEdwards added a commit that referenced this issue Jun 28, 2022
…est delegate (#42458)

* Allow file middlewares to run if there's an endpoint with a null request delegate #42413

* Ensure EndpointMiddleware checks AuthZ/CORS metadata even if endpoint.RequestDelegate is null

* Update null equality check to use "is"

* Added tests for StaticFileMiddleware changes

* Add tests for DefaultFiles/DirectoryBrowser middleware

* Add endpoint middleware test
@ghost ghost locked as resolved and limited conversation to collaborators Jul 28, 2022
@amcasey amcasey added area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlesware and removed area-runtime labels Jun 2, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlesware breaking-change This issue / pr will introduce a breaking change, when resolved / merged. feature-static-files
Projects
None yet
5 participants