Fixed: Prevent redirect bypass in renderDataResourceAsText URL_RESOURCE path

jacopoc · jacopoc · commit fee4d08f5337 · 2026-05-04T13:14:36.000+02:00
renderDataResourceAsText() validated the initial URL via checkUrlResourceAllowed() but then fetched it with url.openStream(), which follows HTTP redirects by default. The fix aligns this code path with the already-hardened getDataResourceStream() path: open a URLConnection, disable redirect following with setInstanceFollowRedirects(false), reject any 3xx response, and apply the same configurable connect/read timeouts and response-size cap (BoundedInputStream) used elsewhere. (cherry picked from commit a8d0eba)
diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java
@@ -1078,12 +1078,33 @@ public static void writeDataResourceText(GenericValue dataResource, String mimeT
 
             if (url.getHost() != null) { // is absolute
                 checkUrlResourceAllowed(url);
-                int c;
-                try (InputStream in = url.openStream(); StringWriter sw = new StringWriter()) {
-                    while ((c = in.read()) != -1) {
-                        sw.write(c);
+                int connectTimeout = (int) UtilProperties.getPropertyNumber("security",
+                        "content.data.url.resource.connect.timeout", 10000.0);
+                int readTimeout = (int) UtilProperties.getPropertyNumber("security",
+                        "content.data.url.resource.read.timeout", 30000.0);
+                long maxResponseSize = (long) UtilProperties.getPropertyNumber("security",
+                        "content.data.url.resource.max.response.size", (double) (10L * 1024 * 1024));
+                URLConnection con = url.openConnection();
+                con.setConnectTimeout(connectTimeout);
+                con.setReadTimeout(readTimeout);
+                // Disable automatic redirect-following to prevent SSRF bypass via redirect to private addresses
+                if (con instanceof HttpURLConnection) ((HttpURLConnection) con).setInstanceFollowRedirects(false);
+                con.connect();
+                // Reject redirects outright; we cannot safely re-validate an arbitrary Location header
+                if (con instanceof HttpURLConnection) {
+                    HttpURLConnection httpCon = (HttpURLConnection) con;
+                    int responseCode = httpCon.getResponseCode();
+                    if (responseCode >= 300 && responseCode < 400) {
+                        httpCon.disconnect();
+                        throw new GeneralException("URL_RESOURCE request returned a redirect (" + responseCode
+                                + "); redirects are not followed for security reasons");
                     }
-                    text = sw.toString();
+                }
+                try (InputStream limitedIn = BoundedInputStream.builder()
+                        .setInputStream(con.getInputStream())
+                        .setMaxCount(maxResponseSize)
+                        .get()) {
+                    text = IOUtils.toString(limitedIn, StandardCharsets.UTF_8);
                 }
             } else {
                 String prefix = DataResourceWorker.buildRequestPrefix(delegator, locale, webSiteId, https);
