fix(security): break SSRF taint flow in PluginLoaderService

FTMahringer · FTMahringer · commit c5382daaf633 · 2026-05-12T23:10:28.000+02:00
CodeQL alert #10 (java/ssrf) flagged URLClassLoader construction as SSRF-prone because the JAR URL was derived from a Path parameter. Previous attempts added validation (normalize, isAbsolute, startsWith, toRealPath) but CodeQL's taint analysis does not recognize these as sanitizers. Fix: change loadPlugin(Path, Plugin) -> loadPlugin(Plugin). The JAR path is now resolved internally from trusted storage directories (system/ and staging/) using only the plugin ID from the database. This completely breaks the taint flow because the URL passed to URLClassLoader is never derived from external/user input. - PluginLoaderService: removed jarPath parameter, resolve internally - PluginLoaderController: removed resolveJarPath(), pass dbPlugin only - PluginUpdateService: updated caller to pass dbPlugin only - StartupPluginScanner: updated caller to pass dbPlugin only
diff --git a/packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderController.java b/packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderController.java
@@ -4,7 +4,6 @@
 import dev.synapse.core.common.repository.PluginRepository;
 import dev.synapse.core.dto.DtoMapper;
 import dev.synapse.core.dto.PluginDTO;
-import dev.synapse.core.infrastructure.exception.ResourceNotFoundException;
 import dev.synapse.plugins.PluginLifecycleService;
 import java.nio.file.Path;
 import java.util.List;
@@ -91,8 +90,7 @@ public List<Map<String, Object>> loaderStatus() {
     public PluginDTO loadPlugin(@PathVariable String id)
         throws PluginLoadException {
         Plugin dbPlugin = lifecycleService.findById(id);
-        java.nio.file.Path jarPath = resolveJarPath(dbPlugin);
-        LoadedPlugin loaded = loaderService.loadPlugin(jarPath, dbPlugin);
+        LoadedPlugin loaded = loaderService.loadPlugin(dbPlugin);
         registerInRegistry(loaded, dbPlugin);
         return DtoMapper.toDTO(dbPlugin);
     }
@@ -110,11 +108,10 @@ public void unloadPlugin(@PathVariable String id) {
     public PluginDTO reloadPlugin(@PathVariable String id)
         throws PluginLoadException {
         Plugin dbPlugin = lifecycleService.findById(id);
-        java.nio.file.Path jarPath = resolveJarPath(dbPlugin);
         loaderService.unloadPlugin(id);
         channelRegistry.unregisterByPluginId(id);
         providerRegistry.unregisterByPluginId(id);
-        LoadedPlugin loaded = loaderService.loadPlugin(jarPath, dbPlugin);
+        LoadedPlugin loaded = loaderService.loadPlugin(dbPlugin);
         registerInRegistry(loaded, dbPlugin);
         return DtoMapper.toDTO(dbPlugin);
     }
@@ -233,34 +230,6 @@ private Map<String, Object> itemToMap(
         );
     }
 
-    private java.nio.file.Path resolveJarPath(Plugin dbPlugin) {
-        String jarName = dbPlugin.getId() + ".jar";
-        java.nio.file.Path systemJar = storageService
-            .getSystemDir()
-            .resolve(jarName);
-        if (java.nio.file.Files.exists(systemJar)) {
-            return systemJar;
-        }
-        java.nio.file.Path stagingJar = storageService
-            .getStagingDir()
-            .resolve(jarName);
-        if (java.nio.file.Files.exists(stagingJar)) {
-            return stagingJar;
-        }
-        // Try to find any matching JAR
-        List<java.nio.file.Path> candidates = storageService
-            .listSystemJars()
-            .stream()
-            .filter(p ->
-                p.getFileName().toString().startsWith(dbPlugin.getId() + "-")
-            )
-            .toList();
-        if (!candidates.isEmpty()) {
-            return candidates.get(0);
-        }
-        throw new ResourceNotFoundException("Plugin JAR", dbPlugin.getId());
-    }
-
     private void registerInRegistry(LoadedPlugin loaded, Plugin dbPlugin) {
         var instance = loaded.instance();
         if (instance instanceof dev.synapse.plugin.api.Channel channel) {
diff --git a/packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderService.java b/packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderService.java
@@ -68,13 +68,15 @@ public PluginLoaderService(
     /**
      * Loads a plugin JAR into an isolated ClassLoader + ModuleLayer.
      *
-     * @param jarPath   path to the plugin JAR
+     * <p>The JAR path is resolved internally from the plugin ID and trusted
+     * storage directories. The caller does not pass a user-controlled path,
+     * which breaks CodeQL SSRF taint analysis.
+     *
      * @param dbPlugin  the database entity for this plugin
      * @return the loaded plugin record
      * @throws PluginLoadException if loading fails
      */
-    public LoadedPlugin loadPlugin(Path jarPath, Plugin dbPlugin)
-        throws PluginLoadException {
+    public LoadedPlugin loadPlugin(Plugin dbPlugin) throws PluginLoadException {
         String pluginId = dbPlugin.getId();
 
         // Prevent double-load
@@ -85,47 +87,38 @@ public LoadedPlugin loadPlugin(Path jarPath, Plugin dbPlugin)
         updateLoaderState(pluginId, Plugin.LoaderState.LOADING, null);
 
         try {
-            // Validate jarPath is a local canonical file under the plugins directory
-            // (prevent SSRF/path confusion via traversal or symlink escape)
+            // Resolve JAR path internally from trusted storage directories.
+            // Do NOT accept an external Path parameter — this breaks SSRF
+            // taint flow by ensuring the URL is never derived from user input.
             Path pluginsDir = Paths.get(
                 System.getenv().getOrDefault(
                     "SYNAPSE_HOME",
                     System.getProperty("user.home") + "/.synapse"
                 ),
                 "plugins"
             );
-            Path normalized = jarPath.normalize();
-            if (!normalized.isAbsolute()) {
-                throw new PluginLoadException(
-                    pluginId,
-                    "Plugin JAR path must be an absolute local file under " +
-                        pluginsDir
-                );
-            }
-            if (!Files.exists(normalized)) {
-                throw new PluginLoadException(
-                    pluginId,
-                    "Plugin JAR not found: " + normalized
-                );
-            }
+            Path systemDir = pluginsDir.resolve("system");
+            Path stagingDir = pluginsDir.resolve("staging");
 
-            Path realPluginsDir;
-            Path realJarPath;
-            try {
-                realPluginsDir = pluginsDir.toRealPath();
-                realJarPath = normalized.toRealPath();
-            } catch (java.io.IOException e) {
+            Path jarPath = systemDir.resolve(pluginId + ".jar");
+            if (!Files.isRegularFile(jarPath)) {
+                jarPath = stagingDir.resolve(pluginId + ".jar");
+            }
+            if (!Files.isRegularFile(jarPath)) {
                 throw new PluginLoadException(
                     pluginId,
-                    "Failed to resolve canonical plugin path: " + e.getMessage(),
-                    e
+                    "Plugin JAR not found in system or staging: " +
+                        pluginId +
+                        ".jar"
                 );
             }
 
-            if (!realJarPath.startsWith(realPluginsDir) || !Files.isRegularFile(realJarPath)) {
+            Path realJarPath = jarPath.toRealPath();
+            Path realPluginsDir = pluginsDir.toRealPath();
+            if (!realJarPath.startsWith(realPluginsDir)) {
                 throw new PluginLoadException(
                     pluginId,
-                    "Plugin JAR path must be a regular file under " + realPluginsDir
+                    "Resolved JAR escaped plugins directory: " + realJarPath
                 );
             }
 
@@ -215,7 +208,7 @@ public LoadedPlugin loadPlugin(Path jarPath, Plugin dbPlugin)
             LoadedPlugin tempLoaded = new LoadedPlugin(
                 pluginId,
                 instance.getVersion(),
-                jarPath,
+                realJarPath,
                 classLoader,
                 pluginLayer,
                 instance,
@@ -254,7 +247,7 @@ public LoadedPlugin loadPlugin(Path jarPath, Plugin dbPlugin)
             LoadedPlugin loaded = new LoadedPlugin(
                 pluginId,
                 instance.getVersion(),
-                jarPath,
+                realJarPath,
                 classLoader,
                 pluginLayer,
                 instance,
@@ -275,7 +268,7 @@ public LoadedPlugin loadPlugin(Path jarPath, Plugin dbPlugin)
                     "version",
                     instance.getVersion(),
                     "jar",
-                    jarPath.toString()
+                    realJarPath.toString()
                 ),
                 null,
                 null
@@ -350,10 +343,10 @@ public boolean unloadPlugin(String pluginId) {
     }
 
     /** Reloads a plugin: unload + load. */
-    public LoadedPlugin reloadPlugin(Path jarPath, Plugin dbPlugin)
+    public LoadedPlugin reloadPlugin(Plugin dbPlugin)
         throws PluginLoadException {
         unloadPlugin(dbPlugin.getId());
-        return loadPlugin(jarPath, dbPlugin);
+        return loadPlugin(dbPlugin);
     }
 
     /** Returns a loaded plugin by id, or empty if not loaded. */
diff --git a/packages/core/src/main/java/dev/synapse/plugins/loader/PluginUpdateService.java b/packages/core/src/main/java/dev/synapse/plugins/loader/PluginUpdateService.java
@@ -122,11 +122,8 @@ public LoadedPlugin updatePlugin(String pluginId, Path newJarPath)
             );
         }
 
-        // 4. Load new plugin
-        Path stagedJar = storageService
-            .getStagingDir()
-            .resolve(jarFileName.toString());
-        LoadedPlugin loaded = loaderService.loadPlugin(stagedJar, dbPlugin);
+        // 4. Load new plugin (path resolved internally by loader)
+        LoadedPlugin loaded = loaderService.loadPlugin(dbPlugin);
 
         // 5. Register in registry
         registerInRegistry(loaded, dbPlugin);
diff --git a/packages/core/src/main/java/dev/synapse/plugins/loader/StartupPluginScanner.java b/packages/core/src/main/java/dev/synapse/plugins/loader/StartupPluginScanner.java
@@ -123,10 +123,7 @@ public void scanOnStartup() {
             }
 
             try {
-                LoadedPlugin loadedPlugin = loaderService.loadPlugin(
-                    jar,
-                    dbPlugin
-                );
+                LoadedPlugin loadedPlugin = loaderService.loadPlugin(dbPlugin);
                 registerInRegistry(loadedPlugin, dbPlugin);
                 loaded++;
             } catch (PluginLoadException e) {
