This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 4.0.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/4.0.x-fixes by this push:
new 4f717df024 Forbid LDAP/RMI from JndiHelper (#2414)
4f717df024 is described below
commit 4f717df024c7a218f1ba56fda1dfe0fb430a3959
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 20 15:47:32 2025 +0100
Forbid LDAP/RMI from JndiHelper (#2414)
(cherry picked from commit 24e50ffeca3132570c2f297c5c7dbd05a1bb1bfa)
---
.../apache/cxf/transport/jms/util/JndiHelper.java | 7 +++++++
.../cxf/transport/jms/JMSConfigFactoryTest.java | 23 ++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git
a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
index 009443db36..1f07ac0ffc 100644
---
a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
+++
b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
@@ -34,6 +34,13 @@ public class JndiHelper {
*/
public JndiHelper(Properties environment) {
this.environment = environment;
+
+ // Avoid unsafe protocols if they are somehow misconfigured
+ String providerUrl = environment.getProperty(Context.PROVIDER_URL);
+ if (providerUrl != null && (providerUrl.startsWith("ldap://")
+ || providerUrl.startsWith("rmi://"))) {
+ throw new IllegalArgumentException("Unsafe protocol in JNDI URL: "
+ providerUrl);
+ }
}
@SuppressWarnings("unchecked")
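Review bot: The new check in the JndiHelper constructor compares the provider URL with a case-sensitive `startsWith` against exactly `ldap://` and `rmi://`, so spellings such as `LDAP://…`, a value with leading whitespace, or an `ldaps://` URL pass through; whether the configured context factory then accepts such a spelling depends on that factory, so the filter should not rely on it. Normalize before comparing and reject by scheme rather than exact prefix, e.g. `String scheme = providerUrl.trim().toLowerCase(Locale.ROOT);` followed by `if (scheme.startsWith("ldap:") || scheme.startsWith("ldaps:") || scheme.startsWith("rmi:")) {` (add a `java.util.Locale` import if the file lacks one). Note also that `environment.getProperty(...)` now throws NullPointerException for a null `environment`, which the previous constructor silently stored; if any caller passes null, guard the lookup with `environment != null &&`. The check covers only `Context.PROVIDER_URL` at construction time; the lookup method that begins right after the constructor (outside this hunk) is presumably where names are resolved, and it is worth confirming there that a name passed to the context cannot select a URL context factory independently of the provider URL.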
diff --git
a/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
b/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
index 8d55453203..8ac1f79d26 100644
---
a/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
+++
b/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
@@ -19,6 +19,9 @@
package org.apache.cxf.transport.jms;
+import java.util.Properties;
+
+import javax.naming.Context;
import javax.naming.NamingException;
import javax.transaction.xa.XAException;
@@ -35,6 +38,26 @@ import org.junit.Test;
public class JMSConfigFactoryTest extends AbstractJMSTester {
+ @Test
+ public void testJndiForbiddenProtocol() throws Exception {
+ Properties env = new Properties();
+ env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:12345");
+ // Allow following referrals (important for LDAP injection)
+ env.put(Context.REFERRAL, "follow");
+
+ JMSConfiguration jmsConfig = new JMSConfiguration();
+ jmsConfig.setJndiEnvironment(env);
+ jmsConfig.setConnectionFactoryName("objectName");
+
+ try {
+ jmsConfig.getConnectionFactory();
+ Assert.fail("JNDI lookup should have failed");
+ } catch (Exception e) {
+ Assert.assertTrue(e.getMessage().contains("Unsafe protocol in JNDI
URL"));
+ }
+ }
+
@Test
public void testUsernameAndPassword() throws Exception {
EndpointInfo ei = setupServiceInfo("HelloWorldService",
"HelloWorldPort");