Fixed: Prevent arbitrary file read/write in entityImport and entityExportAll

jacopoc · jacopoc · commit 3965d658f933 · 2026-05-04T13:14:36.000+02:00
Paths in both methods are now guarded by SecurityUtil.checkOfbizFileAllowList(), which restricts paths to the directories configured in content.data.ofbiz.file.allowed.paths (security.properties). (cherry picked from commit 15c1956)
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -87,6 +87,7 @@
 import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.ofbiz.entityext.EntityGroupUtil;
 import org.apache.ofbiz.security.Security;
+import org.apache.ofbiz.security.SecurityUtil;
 import org.apache.ofbiz.service.DispatchContext;
 import org.apache.ofbiz.service.GenericServiceException;
 import org.apache.ofbiz.service.LocalDispatcher;
@@ -159,6 +160,11 @@ public static Map<String, Object> entityImport(DispatchContext dctx, Map<String,
                 return ServiceUtil.returnError(UtilProperties.getMessage(RESOURCE, "WebtoolsErrorReadingTemplateFile",
                         UtilMisc.toMap("filename", fmfilename, "errorString", "Template file not found."), locale));
             }
+            try {
+                SecurityUtil.checkOfbizFileAllowList(fmFile);
+            } catch (GeneralException e) {
+                return ServiceUtil.returnError(e.getMessage());
+            }
             try {
                 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
                 factory.setValidating(true);
@@ -515,6 +521,11 @@ public static Map<String, Object> entityExportAll(DispatchContext dctx, Map<Stri
 
         if (UtilValidate.isNotEmpty(outpath)) {
             File outdir = new File(outpath);
+            try {
+                SecurityUtil.checkOfbizFileAllowList(outdir);
+            } catch (GeneralException e) {
+                return ServiceUtil.returnError(e.getMessage());
+            }
             if (!outdir.exists()) {
                 outdir.mkdir();
             }
