This is an automated email from the ASF dual-hosted git repository.
deepak pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new ffb1bc4879 Improved: Added validation to screen/script URI to block
URL patterns. Throw an error if the script location contains a URL.
(OFBIZ-13132)
ffb1bc4879 is described below
commit ffb1bc487983fa672ac4fbeccf7ed7175e2accd3
Author: Deepak Dixit <[email protected]>
AuthorDate: Fri Aug 30 00:12:48 2024 +0530
Improved: Added validation to screen/script URI to block URL patterns.
Throw an error if the script location contains a URL. (OFBIZ-13132)
---
.../base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java | 2 +-
.../base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java | 6 ++++++
.../src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java | 2 +-
3 files changed, 8 insertions(+), 2 deletions(-)
diff --git
a/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java
b/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java
index acb54bc7a0..b588e6caad 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java
@@ -152,7 +152,7 @@ public class GroovyUtil {
Class<?> scriptClass = parsedScripts.get(location);
if (scriptClass == null) {
URL scriptUrl = FlexibleLocation.resolveLocation(location);
- if (scriptUrl == null) {
+ if (scriptUrl == null ||
UtilValidate.urlInString(scriptUrl.toString())) {
throw new GeneralException("Script not found at location
[" + location + "]");
}
if (groovyScriptClassLoader != null) {
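Review bot: The new guard tests the already-resolved `scriptUrl.toString()`, and for every legitimate script that string is itself a URL (`file:`, `jar:`, …), so the protection rests entirely on `UtilValidate.urlInString` matching only network schemes rather than acting as a generic URL detector — that contract is not visible here and should be stated at the call site, e.g. `// reject remote (http/https/ftp…) locations; local file:/jar: URLs must pass`. A more robust shape is to validate the raw `location` before `FlexibleLocation.resolveLocation`, against an allow-list of the location types the project intends to permit, instead of a deny-list pattern applied after the resolver has rewritten the string. The message `Script not found at location […]` also reports a blocked remote location as a missing file, which hides the security-relevant rejection from logs; a distinct text such as `"Script location is not allowed [" + location + "]"` makes such attempts visible. The enclosing method continues past the hunk.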
diff --git
a/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
b/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
index 44ba579d3b..f7800ddacf 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
@@ -136,6 +136,9 @@ public final class ScriptUtil {
try {
Compilable compilableEngine = (Compilable) engine;
URL scriptUrl = FlexibleLocation.resolveLocation(filePath);
+ if (scriptUrl == null ||
UtilValidate.urlInString(scriptUrl.toString())) {
+ throw new ScriptException("Script not found at location ["
+ filePath + "]");
+ }
BufferedReader reader = new BufferedReader(new
InputStreamReader(scriptUrl.openStream(), UtilIO
.getUtf8()));
script = compilableEngine.compile(reader);
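Review bot: The `BufferedReader` opened on `scriptUrl.openStream()` directly below the new check is not closed anywhere in the hunk, so each compile leaks the underlying stream unless it is closed further down the try block, which is outside the view; `try (BufferedReader reader = new BufferedReader(new InputStreamReader(scriptUrl.openStream(), UtilIO.getUtf8()))) { script = compilableEngine.compile(reader); }` closes it deterministically without changing behaviour. The new guard also folds two different conditions into one `ScriptException` with the same "not found" text: a null `scriptUrl`, which previously would have failed at `openStream()`, and a rejected remote location, which a caller or log reader cannot distinguish from a missing file — separate messages for the two branches would help incident triage. The enclosing try block continues beyond the hunk.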
@@ -384,6 +387,9 @@ public final class ScriptUtil {
}
engine.setContext(scriptContext);
URL scriptUrl = FlexibleLocation.resolveLocation(filePath);
+ if (scriptUrl == null ||
UtilValidate.urlInString(scriptUrl.toString())) {
+ throw new ScriptException("Script not found at location [" +
filePath + "]");
+ }
try (
InputStreamReader reader = new InputStreamReader(new
FileInputStream(scriptUrl.getFile()), UtilIO
.getUtf8());) {
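Review bot: The guard lets through any non-network URL, but the lines right after it read the script with `new FileInputStream(scriptUrl.getFile())`, which only works for `file:` URLs and uses the still percent-encoded path (`URL.getFile()` does not decode sequences such as `%20`), so a location that resolves to a `jar:` URL or contains escaped characters fails with a `FileNotFoundException` rather than the new `ScriptException`. Reading via `scriptUrl.openStream()`, as the compile path in this same file does, would make both code paths consistent and remove the dependence on `getFile()`. As in the other hunks, the `Script not found at location […]` text hides the fact that a remote location was rejected; a distinct message (and a warning-level log line, if the class has the project's usual logger) would surface attempts in monitoring. The method continues beyond the hunk.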
diff --git
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java
index 6cb602b842..51a047767a 100644
---
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java
+++
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java
@@ -115,7 +115,7 @@ public class ScreenFactory {
long startTime = System.currentTimeMillis();
URL screenFileUrl = null;
screenFileUrl =
FlexibleLocation.resolveLocation(resourceName);
- if (screenFileUrl == null) {
+ if (screenFileUrl == null ||
UtilValidate.urlInString(screenFileUrl.toString())) {
throw new IllegalArgumentException("Could not resolve
location to URL: " + resourceName);
}
Document screenFileDoc =
UtilXml.readXmlDocument(screenFileUrl, true, true);
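Review bot: This is the fourth call site in the commit that pairs `FlexibleLocation.resolveLocation` with a `UtilValidate.urlInString` check, so any other loader of code-like resources that calls `resolveLocation` (form, menu, service or entity definitions, if present) stays unprotected until someone remembers to patch it the same way; moving the rejection into `FlexibleLocation.resolveLocation` itself, or a single `resolveLocalLocation` helper used by all four sites, would make the policy hard to miss and keep the messages consistent. Here the `IllegalArgumentException` text `Could not resolve location to URL` describes a blocked URL as a resolution failure; for the `urlInString` branch a message such as `"Screen location is not allowed (remote URLs are rejected): " + resourceName` tells the operator what actually happened. The method continues beyond the hunk.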