This is an automated email from the ASF dual-hosted git repository. deepak pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 28f5f87ec9 Improved: Added validation to screen/script URI to block URL patterns. Throw an error if the script location contains a URL. (OFBIZ-13132)
28f5f87ec9 is described below
commit 28f5f87ec9fcdd8517583de519d3133e8f1c08db
Author: Deepak Dixit <dee...@apache.org>
AuthorDate: Fri Aug 30 00:12:48 2024 +0530
Improved: Added validation to screen/script URI to block URL patterns. Throw an error if the script location contains a URL. (OFBIZ-13132)
---
.../base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java | 2 +-
.../base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java | 6 ++++++
.../src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java | 2 +-
3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java
index bda591f94f..c1a57f0160 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java
@@ -142,7 +142,7 @@ public final class GroovyUtil {
 Class<?> scriptClass = PARSED_SCRIPTS.get(location);
 if (scriptClass == null) {
 URL scriptUrl = FlexibleLocation.resolveLocation(location);
- if (scriptUrl == null) {
+ if (scriptUrl == null || UtilValidate.urlInString(scriptUrl.toString())) {
 throw new GeneralException("Script not found at location [" + location + "]");
 }
 scriptClass = parseClass(scriptUrl.openStream(), location);
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
index bab90b8f5b..cb673e0c30 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
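Review bot: The `||` added to the `scriptUrl == null` condition makes a rejected URL pattern indistinguishable from a missing script, because both paths throw the same "Script not found at location" GeneralException and leave no distinct signal for an operator or for log-based detection of a blocked location. Keep the null check as it is and add a second branch after it, `if (UtilValidate.urlInString(scriptUrl.toString())) { throw new GeneralException("Script location is not allowed [" + location + "]"); }`, logging the rejection at warning level if this class has a logger in scope. Since the check inspects the resolved URL rather than the raw `location`, confirm that `urlInString` does not also match the `file:`/`jar:` forms that `resolveLocation` produces for local scripts; its implementation is not visible here. The same conflation of the two conditions appears in both ScriptUtil hunks and in the ScreenFactory hunk. The enclosing method continues outside the hunk.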
@@ -125,6 +125,9 @@ public final class ScriptUtil {
 try {
 Compilable compilableEngine = (Compilable) engine;
 URL scriptUrl = FlexibleLocation.resolveLocation(filePath);
+ if (scriptUrl == null || UtilValidate.urlInString(scriptUrl.toString())) {
+ throw new ScriptException("Script not found at location [" + filePath + "]");
+ }
 BufferedReader reader = new BufferedReader(new InputStreamReader(scriptUrl.openStream(), StandardCharsets.UTF_8));
 script = compilableEngine.compile(reader);
 if (Debug.verboseOn()) {
@@ -354,6 +357,9 @@ public final class ScriptUtil {
 }
 engine.setContext(scriptContext);
 URL scriptUrl = FlexibleLocation.resolveLocation(filePath);
+ if (scriptUrl == null || UtilValidate.urlInString(scriptUrl.toString())) {
+ throw new ScriptException("Script not found at location [" + filePath + "]");
+ }
 try (
 InputStreamReader reader = new InputStreamReader(new FileInputStream(scriptUrl.getFile()), StandardCharsets.UTF_8);) {
 Object result = engine.eval(reader);
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java
index 74bf41d7b4..7da6260139 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java
@@ -121,7 +121,7 @@ public class ScreenFactory {
 long startTime = System.currentTimeMillis();
 URL screenFileUrl = null;
 screenFileUrl = FlexibleLocation.resolveLocation(resourceName);
- if (screenFileUrl == null) {
+ if (screenFileUrl == null || UtilValidate.urlInString(screenFileUrl.toString())) {
 throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
 }
 Document screenFileDoc = UtilXml.readXmlDocument(screenFileUrl, true, true);
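Review bot: The three-line resolve-and-validate check added in the `@@ -125` hunk is duplicated verbatim in the `@@ -354` hunk, so the security policy now lives in two places that can drift apart the next time the condition or message changes. Pull the resolution and both checks into one private helper in ScriptUtil and call it from both sites, which also gives the rejection its own message instead of reusing "Script not found". In the `@@ -125` hunk the new ScriptException is thrown inside a `try {` whose catch clause lies outside the hunk; verify that the catch does not swallow it and silently return a null script. Both enclosing methods start and end outside their hunks.
```java
/** Resolves a script location and rejects missing or URL-pattern locations (OFBIZ-13132). */
private static URL resolveScriptUrl(String filePath) throws ScriptException {
    // add resolveLocation's checked exception(s) to the signature if it declares any
    URL scriptUrl = FlexibleLocation.resolveLocation(filePath);
    if (scriptUrl == null) {
        throw new ScriptException("Script not found at location [" + filePath + "]");
    }
    if (UtilValidate.urlInString(scriptUrl.toString())) {
        throw new ScriptException("Script location is not allowed [" + filePath + "]");
    }
    return scriptUrl;
}
// … unchanged: both call sites become `URL scriptUrl = resolveScriptUrl(filePath);` …
```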
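Review bot: The new `UtilValidate.urlInString(screenFileUrl.toString())` condition in the ScreenFactory hunk carries no comment explaining why a successfully resolved screen location is rejected, and the surviving message "Could not resolve location to URL" actively misdescribes that case to whoever reads the stack trace later. Add a why-comment above the condition, `// reject resolved locations that still contain a URL pattern (OFBIZ-13132)`, so the intent survives the next refactor. The enclosing method continues outside the hunk.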