This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/misc-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 625042c571b80ed11b2d1e56a74efeeb1973ed09
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 12 09:44:48 2026 +0100
Use URIResolver allowlist for protocols in the STSClient
---
.../cxf/ws/security/trust/AbstractSTSClient.java | 6 +++++-
.../ws/security/trust/AbstractSTSClientTest.java | 23 ++++++++++++++++++++++
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index fd7a0eac05c..9c4aac9dbd2 100755
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -79,6 +79,7 @@ import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
 import org.apache.cxf.message.Attachment;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
+import org.apache.cxf.resource.URIResolver;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.service.Service;
@@ -640,7 +641,10 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
 dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
- Document document = documentBuilder.parse(schemaLocation);
+ Document document;
+ try (URIResolver resolver = new URIResolver(schemaLocation)) {
+ document = documentBuilder.parse(resolver.getInputStream());
+ }
 return document.getDocumentElement();
 }
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AbstractSTSClientTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AbstractSTSClientTest.java
index e91232220d3..61887908bb4 100644
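Review bot: In the new try-with-resources block, `resolver.getInputStream()` is handed straight to `documentBuilder.parse(...)` without checking that the resolver actually resolved the location; a scheme that passes the allowlist but cannot be opened would then fail inside the parser with a null-stream error that never names the schema location. A guard before the parse, such as `if (!resolver.isResolved()) { throw new IOException("Could not resolve schema location: " + schemaLocation); }`, keeps the diagnostic tied to the offending location (adjust the exception type to whatever the method already declares, which is outside this hunk). Separately, parsing from a bare InputStream drops the system id the old `parse(schemaLocation)` call carried, so SAX error messages lose the document name; `documentBuilder.parse(resolver.getInputStream(), schemaLocation)` preserves it, and with doctype declarations already disabled on the factory it does not reopen any external fetch. The enclosing downloadSchema method starts and ends outside the hunk.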
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AbstractSTSClientTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AbstractSTSClientTest.java
@@ -33,6 +33,7 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 public class AbstractSTSClientTest {
@@ -78,6 +79,18 @@ public class AbstractSTSClientTest {
 assertEquals(0, client.getDownloadSchemaInvocations());
 }
+ @Test
+ public void testFtpProtocolAttemptedDownload() throws Exception {
+ DownloadingAbstractSTSClient client = new DownloadingAbstractSTSClient(null);
+ try {
+ client.downloadSchemaWithDefaultResolver("ftp://example.org/schema.xsd");
+ fail("Expected an exception for disallowed ftp:// scheme");
+ } catch (Exception ex) {
+ assertTrue(ex.getMessage().contains("ftp"));
+ assertTrue(ex.getMessage().contains("not permitted"));
+ }
+ }
+
 private static final class TestableAbstractSTSClient extends AbstractSTSClient {
 private int downloadSchemaInvocations;
 private String lastDownloadedLocation;
@@ -102,4 +115,14 @@ public class AbstractSTSClientTest {
 return lastDownloadedLocation;
 }
 }
+
+ private static final class DownloadingAbstractSTSClient extends AbstractSTSClient {
+ DownloadingAbstractSTSClient(Bus bus) {
+ super(bus);
+ }
+
+ Element downloadSchemaWithDefaultResolver(String schemaLocation) throws Exception {
+ return super.downloadSchema(schemaLocation);
+ }
+ }
 }
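Review bot: The catch block in testFtpProtocolAttemptedDownload dereferences `ex.getMessage()` twice, so an exception with a null message turns the test into a NullPointerException instead of a readable assertion failure, and `catch (Exception ex)` also accepts any unrelated failure from the call (the subclass is constructed with a null Bus) as long as its message happens to contain the two substrings. Catching the specific type that URIResolver throws for a disallowed scheme (not visible in this diff) and guarding the message, e.g. `assertNotNull(ex.getMessage());` before the two `assertTrue` calls (with the matching static import), would make the test fail for the right reason. The assertions also pin the exact wording "not permitted", which is fragile if that message is ever reworded; matching on the scheme alone may be enough.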
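Review bot: DownloadingAbstractSTSClient carries no comment saying why a second AbstractSTSClient subclass is needed next to TestableAbstractSTSClient, which the earlier hunk shows counting download invocations and therefore appears to override downloadSchema. A short Javadoc on the class, along the lines of `/** Subclass that does not override downloadSchema, so tests can reach the real URIResolver-based implementation. */`, would save the next reader from working that out. The pass-through `downloadSchemaWithDefaultResolver` could likewise note that it only widens visibility of the protected method.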
