Skip to content

Improved: Extend URL_RESOURCE validation to writeDataResourceText, completing the work of af8ee514a2#1031

Merged
jacopoc merged 1 commit into
apache:trunkfrom
Krishnauprit18:bug-improvement
Mar 26, 2026
Merged

Improved: Extend URL_RESOURCE validation to writeDataResourceText, completing the work of af8ee514a2#1031
jacopoc merged 1 commit into
apache:trunkfrom
Krishnauprit18:bug-improvement

Conversation

@Krishnauprit18

Copy link
Copy Markdown
Contributor

This PR is a completion of the improvements performed in a previous change in the commit af8ee51, related to data resource validation. This change extends the existing validation to writeDataResourceText, ensuring consistent URL_RESOURCE handling across both methods in DataResourceWorker.

Copilot AI review requested due to automatic review settings March 26, 2026 09:13

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR completes prior URL_RESOURCE hardening work by extending the existing URL_RESOURCE validation to the writeDataResourceText code path in DataResourceWorker, aiming for consistent handling across URL_RESOURCE consumers.

Changes:

  • Add a call to checkUrlResourceAllowed(url) before reading from an absolute URL in writeDataResourceText.
Comments suppressed due to low confidence (2)

applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java:1174

  • checkUrlResourceAllowed(url) is only applied when url.getHost() != null. In the relative-URL branch you build fixedUrl and fetch content without any SSRF validation, which makes URL_RESOURCE handling inconsistent with getDataResourceStream() and leaves a bypass path. Consider normalizing to a single final URL (convert relative to absolute first) and then calling checkUrlResourceAllowed() on that final URL before any network I/O.
            if (url.getHost() != null) { // is absolute
                checkUrlResourceAllowed(url);
                int c;
                try (InputStream in = url.openStream(); StringWriter sw = new StringWriter()) {
                    while ((c = in.read()) != -1) {
                        sw.write(c);
                    }
                    text = sw.toString();
                }
            } else {
                String prefix = DataResourceWorker.buildRequestPrefix(delegator, locale, webSiteId, https);
                String sep = "";
                if (url.toString().indexOf('/') != 0 && prefix.lastIndexOf('/') != (prefix.length() - 1)) {
                    sep = "/";
                }
                String fixedUrlStr = prefix + sep + url.toString();
                URL fixedUrl = UtilURL.fromUrlString(fixedUrlStr);
                text = (String) fixedUrl.getContent();

applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java:1164

  • This URL fetch path uses url.openStream() / fixedUrl.getContent() without connect/read timeouts, without disabling redirects, and without a maximum response size. That can lead to hangs and memory exhaustion (response is fully buffered into a StringWriter), and redirects could be used to pivot to disallowed targets. Consider aligning this implementation with getDataResourceStream() (URLConnetion w/ timeouts, redirects disabled, and a bounded read).
                checkUrlResourceAllowed(url);
                int c;
                try (InputStream in = url.openStream(); StringWriter sw = new StringWriter()) {
                    while ((c = in.read()) != -1) {
                        sw.write(c);
                    }
                    text = sw.toString();

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jacopoc jacopoc merged commit 87adcf4 into apache:trunk Mar 26, 2026
8 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants