[
https://issues.apache.org/jira/browse/OFBIZ-12925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17929611#comment-17929611
]
ASF subversion and git services commented on OFBIZ-12925:
---------------------------------------------------------
Commit 40a285623824ecac3a8fa3b77a9c87663969024b in ofbiz-framework's branch
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=40a2856238 ]
Fixed: [codeQL] Resolving specific Java issues (OFBIZ-12925)
This concerns a possible server-side request forgery reported by CodeQL
<<To fix the SSRF vulnerability, we need to ensure that the URL being used in
the readXmlDocument method is validated and restricted to a set of allowed URLs
or domains. This can be achieved by maintaining a whitelist of allowed URLs or
domains and checking the user-provided URL against this list before proceeding
with the request.>>
Fortunately we already have and can use the host-headers-allowed property in
security.properties. Here is the fix.
Conflict handled by hand
> [codeQL] Resolving specific Java issues
> ----------------------------------------
>
> Key: OFBIZ-12925
> URL: https://issues.apache.org/jira/browse/OFBIZ-12925
> Project: OFBiz
> Issue Type: Sub-task
> Components: accounting, framework/base
> Affects Versions: Upcoming Branch
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: Upcoming Branch
>
>
> codeQL reports 3 such issues:
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
