Protect against transitive additional meta-data

Update ConfigurationMetadataAnnotationProcessor to ensure that only local `additional-spring-configuration-metadata.json` files are merged with the final output. See gh-1830

Protect against transitive additional meta-data
Update ConfigurationMetadataAnnotationProcessor to ensure that only local `additional-spring-configuration-metadata.json` files are merged with the final output. See gh-1830
2696d370 · Phillip Webb · 7e5bb969 · 2696d370
Commit 2696d370 authored Nov 06, 2014 by Phillip Webb
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

ConfigurationMetadataAnnotationProcessor.java ...onprocessor/ConfigurationMetadataAnnotationProcessor.java +4 -0

No files found.
--- a/spring-boot-tools/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/ConfigurationMetadataAnnotationProcessor.java
+++ b/spring-boot-tools/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/ConfigurationMetadataAnnotationProcessor.java
@@ -275,6 +275,10 @@ public class ConfigurationMetadataAnnotationProcessor extends AbstractProcessor
 			FileObject manualMetadata = this.processingEnv.getFiler().getResource(
 					StandardLocation.CLASS_PATH, "",
 					"META-INF/additional-spring-configuration-metadata.json");
+			if (!"file".equals(manualMetadata.toUri().getScheme())) {
+				// We only wan't local files, not any classpath jars
+				return metadata;
+			}
 			InputStream inputStream = manualMetadata.openInputStream();
 			try {
 				ConfigurationMetadata merged = new ConfigurationMetadata(metadata);