This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 40a2856238 Fixed: [codeQL]  Resolving specific Java issues 
(OFBIZ-12925)
40a2856238 is described below

commit 40a285623824ecac3a8fa3b77a9c87663969024b
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Feb 24 08:31:53 2025 +0100

    Fixed: [codeQL]  Resolving specific Java issues (OFBIZ-12925)
    
    This concerns a possible server-side request forgery reported by CodeQL
    <<To fix the SSRF vulnerability, we need to ensure that the URL being used in
    the readXmlDocument method is validated and restricted to a set of allowed URLs
    or domains. This can be achieved by maintaining a whitelist of allowed URLs or
    domains and checking the user-provided URL against this list before proceeding
    with the request.>>
    
    Fortunately we already have and can use the host-headers-allowed property in
    security.properties. Here is the fix.
    
    Conflict handled by hand
---
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java   | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
index 097c6ed16a..22ed7a5a5a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
@@ -403,9 +403,12 @@ public final class UtilXml {
 
     public static Document readXmlDocument(URL url, boolean validate, boolean 
withPosition)
             throws SAXException, ParserConfigurationException, 
java.io.IOException {
-        if (url == null) {
-            Debug.logWarning("[UtilXml.readXmlDocument] URL was null, doing 
nothing", module);
-            return null;
+
+        if (!hostHeadersAllowed.contains(url.getHost())) {
+            Debug.logWarning("Domain " + url.getHost() + " not accepted to 
prevent host header injection."
+                    + " You need to set host-headers-allowed property in 
security.properties file.", MODULE);
+            throw new IOException("Domain " + url.getHost() + " not accepted 
to prevent host header injection."
+                    + " You need to set host-headers-allowed property in 
security.properties file.");
         }
         InputStream is = url.openStream();
         Document document = readXmlDocument(is, validate, url.toString(), 
withPosition);
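Review bot: the removed `if (url == null)` guard has no replacement, so `url.getHost()` on the first line of the rewritten method now throws a NullPointerException where the old code logged a warning and returned null; keep the null check ahead of the allow-list check, e.g. `if (url == null) { Debug.logWarning("[UtilXml.readXmlDocument] URL was null, doing nothing", MODULE); return null; }`. On the same hunk: `getHost()` is the empty string for `file:` URLs (and typically for `jar:` ones), so every local XML document loaded through this method is refused unless `hostHeadersAllowed` contains the empty string; limiting the check to the `http`/`https` protocols would keep the SSRF protection without breaking local loads. The removed line logs with `module` while the added lines use `MODULE`, and `hostHeadersAllowed` is declared outside this hunk, so both should be confirmed to exist in the release18.12 UtilXml since the conflict was resolved by hand. Finally, the warning and the exception text say "host header injection" while the change addresses SSRF; the message should state the actual reason the host was rejected so operators know which property to adjust.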
