[ https://issues.apache.org/jira/browse/OFBIZ-12925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17929613#comment-17929613 ]
ASF subversion and git services commented on OFBIZ-12925:
---------------------------------------------------------

Commit 2026c88e91ca0f6a7d4adb18a78e9593a897f099 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=2026c88e91 ]

Fixed: [codeQL] Resolving specific Java issues (OFBIZ-12925)

This concerns a possible server-side request forgery reported by CodeQL

<<To fix the SSRF vulnerability, we need to ensure that the URL being used in the readXmlDocument method is validated and restricted to a set of allowed URLs or domains. This can be achieved by maintaining a whitelist of allowed URLs or domains and checking the user-provided URL against this list before proceeding with the request.>>

Fortunately we already have and can use the host-headers-allowed property in security.properties. Here is the fix.

While at it, improves RequestHandler by setting HOSTHEADERSALLOWED as static

> [codeQL] Resolving specific Java issues
> ----------------------------------------
>
>                 Key: OFBIZ-12925
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12925
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: accounting, framework/base
>    Affects Versions: Upcoming Branch
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: Upcoming Branch
>
>
> codeQL reports 3 such issues:

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
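The commit message above describes the mitigation in one sentence: before readXmlDocument fetches a caller-supplied URL, its host is checked against the comma-separated host-headers-allowed value from security.properties. The class below is an added, self-contained illustration of that kind of check, not the OFBiz code from the commit. It assumes the property value is handed in as a plain string (property loading and the RequestHandler wiring are omitted), the class and method names are invented, and the host names and URLs in main are constructed samples. It fails closed on anything it cannot parse, restricts the scheme to http(s), and rejects URLs that carry userinfo, because `http://allowed-host@other-host/` would satisfy a naive substring comparison while actually connecting to `other-host`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Added example (not OFBiz code): allowlist check on the host of a caller-supplied URL,
 * driven by a comma-separated list such as the host-headers-allowed property would hold.
 */
public final class SsrfHostAllowlist {

    private final Set<String> allowedHosts;

    /** @param hostHeadersAllowed comma-separated hosts, e.g. "localhost,erp.example.com" (constructed sample) */
    public SsrfHostAllowlist(String hostHeadersAllowed) {
        this.allowedHosts = Arrays.stream(hostHeadersAllowed.split(","))
                .map(String::trim)
                .filter(h -> !h.isEmpty())
                .map(h -> h.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /**
     * True only when the URL is absolute, uses http or https, carries no userinfo,
     * and its parsed host is exactly one of the allowlisted hosts. Unparsable input is rejected.
     */
    public boolean isAllowed(String url) {
        if (url == null) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                        // fail closed on malformed input
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false;                        // relative reference: nothing to validate against
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;                        // file:, jar:, ftp: and friends are never fetched
        }
        if (uri.getRawUserInfo() != null) {
            return false;                        // user@host confusion: host is not what it looks like
        }
        String host = uri.getHost();             // null when the authority is not a valid host
        if (host == null) {
            return false;
        }
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Guard a fetch routine would call: returns the URI or throws, so the caller cannot forget the check. */
    public URI checkedUri(String url) {
        if (!isAllowed(url)) {
            throw new SecurityException("URL host is not in host-headers-allowed: " + url);
        }
        return URI.create(url);
    }

    public static void main(String[] args) {
        // Constructed sample property value and inputs; none of these hosts are real deployments.
        SsrfHostAllowlist allow = new SsrfHostAllowlist("localhost, 127.0.0.1, erp.example.com");
        List<String> samples = Arrays.asList(
                "https://erp.example.com/content/catalog.xml",      // ALLOW: exact host match
                "http://LOCALHOST:8080/data.xml",                   // ALLOW: host compared case-insensitively
                "http://erp.example.com@internal.example/x.xml",    // REJECT: userinfo, real host is internal.example
                "http://erp.example.com.attacker.example/x.xml",    // REJECT: suffix match is not a match
                "file:///tmp/local.xml",                            // REJECT: scheme not http(s)
                "/relative/path.xml",                               // REJECT: no host to validate
                "http://[::1]/x.xml");                              // REJECT: not on the list
        for (String s : samples) {
            System.out.println((allow.isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

Matching is deliberately exact on the parsed host rather than a prefix or substring test, which is what closes the `allowed.host.attacker.example` and `allowed.host@other` cases; if the deployment lists bare host names in host-headers-allowed, a URL with an explicit port still matches because the port is parsed separately from the host.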