Fixed: [codeQL] Resolving specific Java issues (OFBIZ-12925)
This concerns a possible server-side request forgery reported by CodeQL
<<To fix the SSRF vulnerability, we need to ensure that the URL being used in
the readXmlDocument method is validated and restricted to a set of allowed URLs
or domains. This can be achieved by maintaining a whitelist of allowed URLs or
domains and checking the user-provided URL against this list before proceeding
with the request.>>

Fortunately we already have and can use the host-headers-allowed property in
security.properties. Here is the fix.

Conflict handled by hand
JacquesLeRoux committed Feb 24, 2025
1 parent 355543e commit 40a2856
Showing 1 changed file with 6 additions and 3 deletions.
Expand Up @@ -403,9 +403,12 @@ public static Document readXmlDocument(URL url, boolean validate)

public static Document readXmlDocument(URL url, boolean validate, boolean withPosition)
throws SAXException, ParserConfigurationException, java.io.IOException {
if (url == null) {
Debug.logWarning("[UtilXml.readXmlDocument] URL was null, doing nothing", module);
return null;

if (!hostHeadersAllowed.contains(url.getHost())) {
Debug.logWarning("Domain " + url.getHost() + " not accepted to prevent host header injection."
+ " You need to set host-headers-allowed property in security.properties file.", MODULE);
throw new IOException("Domain " + url.getHost() + " not accepted to prevent host header injection."
+ " You need to set host-headers-allowed property in security.properties file.");
}
InputStream is = url.openStream();
Document document = readXmlDocument(is, validate, url.toString(), withPosition);
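Review bot: the allow-list test at `if (!hostHeadersAllowed.contains(url.getHost()))` runs for every URL regardless of scheme, so callers that load XML from `file:` or `jar:` URLs, where `url.getHost()` is an empty string, will now get an IOException unless an empty entry happens to be in host-headers-allowed; consider returning early for non-network schemes via `url.getProtocol()` and refusing anything other than http/https before comparing the host. The comparison is also case-sensitive while hostnames are not (an allowed host written in a different case is refused, which is safe but surprising), and neither port nor userinfo is considered, so any port on an allowed host is reachable. Finally, the log and exception text say "to prevent host header injection", but per the commit message this is an SSRF mitigation that merely reuses the host-headers-allowed list; the message should say the URL host is not allowed for server-side requests, and the duplicated string could be built once and passed to both Debug.logWarning and the IOException.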
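As an added example (not OFBiz code and not part of this commit), the allow-list approach described in the commit message carried through with the checks a reviewer would want around the host comparison: a scheme restriction, an early return for local `file:`/`jar:` resources whose host is empty, case-insensitive host matching with IPv6 brackets stripped, and rejection of URLs carrying userinfo. The class name `UrlAllowList`, the contents of `ALLOWED_HOSTS` and the sample URLs in `main` are assumptions; in OFBiz the list would be read from the host-headers-allowed property in security.properties.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not OFBiz code: an allow-list check for URLs that are about to be
 * fetched server-side. The allow-list contents and scheme sets are assumptions.
 */
public final class UrlAllowList {
    // Hypothetical stand-in for the host-headers-allowed property in security.properties.
    private static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "example.com");
    // Only these schemes are ever fetched over the network.
    private static final Set<String> NETWORK_SCHEMES = Set.of("http", "https");
    // Local resource schemes: their host is empty and the request never leaves the JVM host.
    private static final Set<String> LOCAL_SCHEMES = Set.of("file", "jar");

    private UrlAllowList() { }

    /** True when the URL names a local resource (file: or jar:) rather than a network target. */
    static boolean isLocalResource(URL url) {
        return LOCAL_SCHEMES.contains(url.getProtocol().toLowerCase(Locale.ROOT));
    }

    /** Throws IOException unless the URL is local or targets an allow-listed host over http(s). */
    static void requireAllowed(URL url) throws IOException {
        if (url == null) {
            throw new IOException("null URL");
        }
        if (isLocalResource(url)) {
            return; // file:/jar: have no host; do not let the empty host hit the allow-list
        }
        String scheme = url.getProtocol().toLowerCase(Locale.ROOT);
        if (!NETWORK_SCHEMES.contains(scheme)) {
            throw new IOException("Scheme " + scheme + " not allowed for server-side fetch: " + url);
        }
        if (url.getUserInfo() != null) {
            // user@host forms are a classic way to make the allowed name appear in the URL
            throw new IOException("userinfo in URL rejected: " + url);
        }
        String host = url.getHost();
        if (host == null || host.isEmpty()) {
            throw new IOException("URL has no host: " + url);
        }
        // Hostnames are case-insensitive; getHost() keeps IPv6 brackets ("[::1]"), so strip them.
        host = host.toLowerCase(Locale.ROOT);
        if (host.startsWith("[") && host.endsWith("]")) {
            host = host.substring(1, host.length() - 1);
        }
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IOException("Host " + host + " is not allowed for server-side requests: " + url);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs covering the allowed, disallowed and edge cases.
        String[] samples = {
            "https://example.com/catalog.xml",
            "https://EXAMPLE.com:8443/a.xml",
            "http://evil.example.net/x.xml",
            "http://169.254.169.254/latest/meta-data/",
            "file:///opt/ofbiz/framework/x.xml",
            "ftp://example.com/x.xml",
            "https://example.com@evil.example.net/x.xml",
        };
        for (String s : samples) {
            try {
                requireAllowed(new URL(s));
                System.out.println("ALLOW  " + s);
            } catch (IOException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running `main` classifies each sample; the two example.com URLs and the file: URL are allowed, the rest are rejected. A name-based allow-list still trusts DNS: if an allowed host resolves to an internal address, or is rebound to one later, the request reaches it, so where that matters resolve the name and check the resulting address at connection time as well.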
