Merge pull request #1 from FTMahringer/alert-autofix-10

FTMahringer · web-flow · commit 14d653b7bc19 · 2026-05-12T22:30:40.000+02:00
Potential fix for code scanning alert no. 10: Server-side request forgery
diff --git a/packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderController.java b/packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderController.java
@@ -179,7 +179,21 @@ public PluginDTO updatePlugin(
         if (jarPath == null || jarPath.isBlank()) {
             throw new IllegalArgumentException("jarPath is required");
         }
-        LoadedPlugin loaded = updateService.updatePlugin(id, Path.of(jarPath));
+        String trimmed = jarPath.trim();
+        if (
+            trimmed.contains("..") ||
+            trimmed.contains("/") ||
+            trimmed.contains("\\") ||
+            !trimmed.endsWith(".jar")
+        ) {
+            throw new IllegalArgumentException(
+                "jarPath must be a safe .jar filename"
+            );
+        }
+        LoadedPlugin loaded = updateService.updatePlugin(
+            id,
+            Path.of(trimmed).getFileName()
+        );
         Plugin dbPlugin = lifecycleService.findById(id);
         return DtoMapper.toDTO(dbPlugin);
     }
diff --git a/packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderService.java b/packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderService.java
@@ -15,7 +15,9 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.time.Instant;
 import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
@@ -83,53 +85,57 @@ public LoadedPlugin loadPlugin(Path jarPath, Plugin dbPlugin)
         updateLoaderState(pluginId, Plugin.LoaderState.LOADING, null);
 
         try {
-            // Validate jarPath is a local file under the plugins directory
-            // (prevent SSRF via external URLs and path traversal)
-            Path normalized = jarPath.normalize();
-            Path pluginsDir = Path.of(
+            // Validate jarPath is a local canonical file under the plugins directory
+            // (prevent SSRF/path confusion via traversal or symlink escape)
+            Path pluginsDir = Paths.get(
                 System.getenv().getOrDefault(
                     "SYNAPSE_HOME",
                     System.getProperty("user.home") + "/.synapse"
                 ),
                 "plugins"
-            ).normalize();
-            if (
-                !normalized.isAbsolute() || !normalized.startsWith(pluginsDir)
-            ) {
+            );
+            Path normalized = jarPath.normalize();
+            if (!normalized.isAbsolute()) {
                 throw new PluginLoadException(
                     pluginId,
                     "Plugin JAR path must be an absolute local file under " +
                         pluginsDir
                 );
             }
-            if (!java.nio.file.Files.exists(normalized)) {
+            if (!Files.exists(normalized)) {
                 throw new PluginLoadException(
                     pluginId,
                     "Plugin JAR not found: " + normalized
                 );
             }
 
-            // Build file:// URL directly from validated local path.
-            // CodeQL flags toUri().toURL() as SSRF-prone, so we construct
-            // the URL string manually from the already-validated path.
-            String absolutePath = normalized.toAbsolutePath().toString();
-            String fileUrl = "file://" + absolutePath.replace('\\', '/');
+            Path realPluginsDir;
+            Path realJarPath;
+            try {
+                realPluginsDir = pluginsDir.toRealPath();
+                realJarPath = normalized.toRealPath();
+            } catch (java.io.IOException e) {
+                throw new PluginLoadException(
+                    pluginId,
+                    "Failed to resolve canonical plugin path: " + e.getMessage(),
+                    e
+                );
+            }
 
-            // Validate the URL string starts with file:// before creating URL
-            if (!fileUrl.startsWith("file://")) {
+            if (!realJarPath.startsWith(realPluginsDir) || !Files.isRegularFile(realJarPath)) {
                 throw new PluginLoadException(
                     pluginId,
-                    "Plugin JAR URL must start with file://"
+                    "Plugin JAR path must be a regular file under " + realPluginsDir
                 );
             }
 
             URL jarUrl;
             try {
-                jarUrl = new URL(fileUrl);
+                jarUrl = realJarPath.toUri().toURL();
             } catch (MalformedURLException e) {
                 throw new PluginLoadException(
                     pluginId,
-                    "Invalid JAR URL: " + fileUrl
+                    "Invalid JAR URL: " + realJarPath
                 );
             }
 
@@ -140,7 +146,7 @@ public LoadedPlugin loadPlugin(Path jarPath, Plugin dbPlugin)
             );
 
             // Layer 2: Create JPMS ModuleLayer
-            ModuleFinder pluginFinder = ModuleFinder.of(normalized);
+            ModuleFinder pluginFinder = ModuleFinder.of(realJarPath);
             Set<ModuleDescriptor> descriptors = pluginFinder
                 .findAll()
                 .stream()
diff --git a/packages/core/src/main/java/dev/synapse/plugins/loader/PluginUpdateService.java b/packages/core/src/main/java/dev/synapse/plugins/loader/PluginUpdateService.java
@@ -61,6 +61,13 @@ public PluginUpdateService(
      */
     public LoadedPlugin updatePlugin(String pluginId, Path newJarPath)
         throws PluginLoadException {
+        Path jarFileName = newJarPath.getFileName();
+        if (jarFileName == null || !jarFileName.equals(newJarPath)) {
+            throw new PluginLoadException(
+                pluginId,
+                "Invalid JAR path: only a file name is allowed"
+            );
+        }
         Plugin dbPlugin = pluginRepository
             .findById(pluginId)
             .orElseThrow(() ->
@@ -106,7 +113,7 @@ public LoadedPlugin updatePlugin(String pluginId, Path newJarPath)
 
         // 3. Stage new JAR
         try {
-            storageService.stageJar(newJarPath);
+            storageService.stageJar(jarFileName);
         } catch (Exception e) {
             throw new PluginLoadException(
                 pluginId,
@@ -118,15 +125,15 @@ public LoadedPlugin updatePlugin(String pluginId, Path newJarPath)
         // 4. Load new plugin
         Path stagedJar = storageService
             .getStagingDir()
-            .resolve(newJarPath.getFileName().toString());
+            .resolve(jarFileName.toString());
         LoadedPlugin loaded = loaderService.loadPlugin(stagedJar, dbPlugin);
 
         // 5. Register in registry
         registerInRegistry(loaded, dbPlugin);
 
         // 6. Promote to system
         try {
-            storageService.promoteToSystem(newJarPath.getFileName().toString());
+            storageService.promoteToSystem(jarFileName.toString());
         } catch (java.io.IOException e) {
             throw new PluginLoadException(
                 pluginId,
