This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit d1672a510e7858a2f25913252d9b1fab24a7c0a0 Author: Robert Lazarski <[email protected]> AuthorDate: Tue May 19 04:21:34 2026 -1000 Fix getXMLSchema() resolver: check original loc, not resolved URI The allowlist approach was blocking resolved file:// URIs that came from relative schemaLocation paths (e.g., "wsat.xsd" resolved against a file:// base URI produces file:///path/to/wsat.xsd which is absolute). Relative paths are safe regardless of what they resolve to — they reference co-packaged schemas. Only block absolute schemaLocation values in the original loc parameter. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
---
 .../description/WSDLToAxisServiceBuilder.java | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java b/modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java
index cc38f14f87..560f4ea544 100644
--- a/modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java
+++ b/modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java
@@ -154,26 +154,17 @@ public abstract class WSDLToAxisServiceBuilder {
                 delegate = new org.apache.ws.commons.schema.resolver.DefaultURIResolver();
             public org.xml.sax.InputSource resolveEntity(
                     String ns, String loc, String base) {
-                // Allowlist: only permit relative paths resolved
-                // against the base URI. Block all absolute URIs
-                // (http, https, ftp, file, jar, etc.) to prevent
-                // both SSRF and LFI. Co-packaged schemas in .aar
-                // deployments use relative paths and are safe.
+                // Block absolute schemaLocation URIs to prevent
+                // SSRF and LFI. Relative paths (e.g., "wsat.xsd")
+                // are safe — they resolve against the local base
+                // URI of the WSDL document.
                 if (loc != null) {
-                    String resolved = loc;
-                    if (base != null) {
-                        try {
-                            resolved = java.net.URI.create(base)
-                                .resolve(loc).toString();
-                        } catch (IllegalArgumentException ignored) {
-                        }
-                    }
                     try {
-                        java.net.URI uri = new java.net.URI(resolved);
-                        if (uri.isAbsolute()) {
+                        java.net.URI locUri = new java.net.URI(loc);
+                        if (locUri.isAbsolute()) {
                             throw new RuntimeException(
                                 "Absolute schemaLocation blocked: "
-                                + resolved + " (use setCustomResolver"
+                                + loc + " (use setCustomResolver"
                                 + " to opt in)");
                         }
                     } catch (java.net.URISyntaxException ignored) {
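Review bot: The new `locUri.isAbsolute()` check only rejects a schemaLocation that carries a scheme, so relative forms that still leave the WSDL's directory once resolved against `base` pass: a network-path reference such as `//host/x.xsd` has no scheme yet replaces the base authority (a remote fetch, or a host component under a file:// base), and a path-absolute `/x.xsd` or a parent traversal `../../x.xsd` resolves outside the deployment directory, so the LFI the new comment says is prevented is only partly closed. The commit message's premise that relative paths reference co-packaged schemas holds only for plain descendant-relative paths. Rejecting an authority, a leading slash and a normalized `..` prefix on the parsed loc keeps what the change set out to do (resolved file:// URIs from co-packaged schemas still pass) without those gaps; the rewritten check is below. If the `catch (java.net.URISyntaxException ignored)` that closes the hunk falls through to the delegate — its body is outside the hunk — a loc that java.net.URI rejects (a space, a backslash) but the delegate's URL handling accepts is never checked at all, so that catch should rethrow with the cause rather than ignore. resolveEntity continues outside the hunk.
```java
                    try {
                        java.net.URI locUri = new java.net.URI(loc);
                        String path = locUri.normalize().getPath();
                        // Only a plain descendant-relative reference stays inside the base directory.
                        boolean escapesBase = locUri.isAbsolute()
                                || locUri.getRawAuthority() != null              // "//host/x.xsd"
                                || path == null || path.startsWith("/")          // "/x.xsd"
                                || path.equals("..") || path.startsWith("../");  // "../x.xsd"
                        if (escapesBase) {
                            throw new RuntimeException(
                                "Unsafe schemaLocation blocked: "
                                + loc + " (use setCustomResolver"
                                + " to opt in)");
                        }
                    // … unchanged: catch (java.net.URISyntaxException ignored) …
```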
