This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch coheigea/jndi-protocol
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit c4a59cf30019f0f9e81ae2a5ea6fad98aafb74b5
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 20 10:52:22 2025 +0100

    Forbid LDAP/RMI from JndiHelper
---
 .../apache/cxf/transport/jms/util/JndiHelper.java  |  7 +++++++
 .../cxf/transport/jms/JMSConfigFactoryTest.java    | 24 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
index 009443db36..1f07ac0ffc 100644
--- a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
+++ b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
@@ -34,6 +34,13 @@ public class JndiHelper {
      */
     public JndiHelper(Properties environment) {
         this.environment = environment;
+
+        // Avoid unsafe protocols if they are somehow misconfigured
+        String providerUrl = environment.getProperty(Context.PROVIDER_URL);
+        if (providerUrl != null && (providerUrl.startsWith("ldap://";)
+                || providerUrl.startsWith("rmi://"))) {
+            throw new IllegalArgumentException("Unsafe protocol in JNDI URL: " + providerUrl);
+        }
     }
 
     @SuppressWarnings("unchecked")
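Review bot: The new guard in the constructor is a scheme denylist matched by case-sensitive prefix, so it does not cover `ldaps://`, an upper-case scheme, or a value with leading whitespace, and it only sees a provider URL set in this Properties object (JNDI also merges `java.naming.provider.url` from system properties and jndi.properties, which this check never inspects). Consider normalising before comparing, e.g. `String scheme = providerUrl.trim().toLowerCase(Locale.ROOT);` and `if (scheme.startsWith("ldap://") || scheme.startsWith("ldaps://") || scheme.startsWith("rmi://")) {` (needs `java.util.Locale`), or better an allowlist of the providers this transport actually supports. `environment.getProperty` now throws NullPointerException for a null `environment`, which the previous constructor accepted; if callers may pass null, guard it, and either way document the new behaviour with `@throws IllegalArgumentException if the provider URL uses a forbidden scheme` in the constructor Javadoc, which starts above the hunk. Independently of the provider URL, the name later handed to `Context.lookup` can itself be a URL string resolved by a URL context factory, so the same check is worth applying where JndiHelper performs the lookup (outside this hunk).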
diff --git a/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java b/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
index 8d55453203..b52b7b6952 100644
--- a/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
+++ b/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
@@ -19,9 +19,13 @@
 
 package org.apache.cxf.transport.jms;
 
+import java.util.Properties;
+
 import javax.naming.NamingException;
 import javax.transaction.xa.XAException;
 
+import javax.naming.Context;
+
 import jakarta.transaction.TransactionManager;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
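Review bot: `import javax.naming.Context;` is added as a separate group after `javax.transaction.xa.XAException` instead of next to the existing `javax.naming.NamingException` import; the file groups imports by package, so the new line belongs directly above `import javax.naming.NamingException;` with no blank line between them. The project's checkstyle import-order rule may flag the extra group, though I cannot confirm the configuration from here.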
@@ -35,6 +39,26 @@ import org.junit.Test;
 
 public class JMSConfigFactoryTest extends AbstractJMSTester {
 
+    @Test
+    public void testJndiForbiddenProtocol() throws Exception {
+        Properties env = new Properties();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:12345";);
+        // Allow following referrals (important for LDAP injection)
+        env.put(Context.REFERRAL, "follow");
+        
+        JMSConfiguration jmsConfig = new JMSConfiguration();
+        jmsConfig.setJndiEnvironment(env);
+        jmsConfig.setConnectionFactoryName("objectName");
+        
+        try {
+            jmsConfig.getConnectionFactory();
+            Assert.fail("JNDI lookup should have failed");
+        } catch (Exception e) {
+            Assert.assertTrue(e.getMessage().contains("Unsafe protocol in JNDI URL"));
+        }
+    }
+
     @Test
     public void testUsernameAndPassword() throws Exception {
         EndpointInfo ei = setupServiceInfo("HelloWorldService", "HelloWorldPort");
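Review bot: The assertion in `testJndiForbiddenProtocol` catches `Exception` and relies on a message substring, so any failure whose message happens to contain that text passes, and a null message becomes a NullPointerException instead of a readable assertion failure. Catching the type the guard actually throws pins the behaviour: `} catch (IllegalArgumentException e) {` and `Assert.assertTrue(e.getMessage(), e.getMessage().contains("Unsafe protocol in JNDI URL"));` — assuming `getConnectionFactory` propagates the constructor's exception unwrapped, which I cannot see from here. The test covers only `ldap://`; a second case for `rmi://` and a positive case with a permitted provider URL would show the check is neither incomplete nor rejecting everything. The `Context.REFERRAL` setting and its comment never take effect, because the constructor rejects the URL before any context is created, so the comment should say it documents the scenario being guarded against rather than a step the test exercises. The enclosing class continues past the hunk, and `testUsernameAndPassword` at the bottom ends outside it.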
