Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/09/13 07:30:36 UTC

[ofbiz-framework] branch trunk updated (de1e9e4 -> 7a22a2b)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from de1e9e4  Improved: Convert ShoppingListServices.xml mini lang to groovy (OFBIZ-11602)
     new 67665d1  Fixed: Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo (OFBIZ-12306)
     new 7a22a2b  Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../main/java/org/apache/ofbiz/base/util/UtilURL.java  |  2 +-
 .../java/org/apache/ofbiz/base/util/UtilValidate.java  | 18 ++++++++++++++++--
 .../groovyScripts/artifactinfo/ArtifactInfo.groovy     | 10 +++++++---
 .../org/apache/ofbiz/webtools/WebToolsServices.java    |  5 +++++
 4 files changed, 29 insertions(+), 6 deletions(-)

[ofbiz-framework] 02/02: Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)

Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 7a22a2bfc9e3fdb80a49b9ccf7de441f46d43e2c
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Sep 13 08:13:55 2021 +0200

    Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
    
    The XXE vulnerability can read arbitrary files on the server.
    
    Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../java/org/apache/ofbiz/base/util/UtilValidate.java  | 18 ++++++++++++++++--
 .../org/apache/ofbiz/webtools/WebToolsServices.java    |  5 +++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index bf37d93..8117565 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -620,8 +620,9 @@ public final class UtilValidate {
         return true;
     }
 
-    /** isUrl returns true if the string contains ://
-     * @param s String to validate
+    /**
+     * isUrl returns true if the string contains ://
+     * @param s String to validate Note: this does not handle "component://" specific to OFBiz
      * @return true if s contains ://
      */
     public static boolean isUrl(String s) {
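Review bot: The new note on the `@param s` line is fused into the parameter description, so generated Javadoc shows "String to validate Note: this does not handle ..." as the parameter text. Keep `@param s String to validate` on its own line and put the caveat in the method description instead, e.g. `* Note: this does not treat the OFBiz-specific "component://" prefix specially; see {@code urlInString}.` (that method is added in the next hunk of this file). The body of `isUrl` continues outside the hunk.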
@@ -632,6 +633,18 @@ public final class UtilValidate {
     }
 
     /**
+     * urlInString returns true if the string contains :// and not "component://"
+     * @param s String to validate
+     * @return true if s contains :// and not "component://"
+     */
+    public static boolean urlInString(String s) {
+        if (isEmpty(s) || s.contains("component://")) {
+            return false;
+        }
+        return s.indexOf("://") != -1;
+    }
+
+    /**
      * isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
      * @param s String to validate
      * @return true if s contains if the string is a valid URL (using Commons UrlValidator)
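Review bot: The `s.contains("component://")` short-circuit in `urlInString` makes the method answer "no URL" for the whole string as soon as a `component://` reference appears anywhere in it, so text holding both a component reference and a second `://` scheme is reported as URL-free, while the Javadoc ("contains :// and not component://") reads as a per-occurrence rule. If the intent is to ignore component references and still detect any other scheme, drop that occurrence before testing: `return s.replace("component://", "").contains("://");` after the `isEmpty(s)` guard. Either way the Javadoc should state which of the two semantics is meant, because the WebToolsServices guard in this commit relies on it for a security decision.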
@@ -643,6 +656,7 @@ public final class UtilValidate {
         return UrlValidator.getInstance().isValid(s);
     }
 
+
     /** isYear returns true if string s is a valid
      *  Year number.  Must be 2 or 4 digits only.
      *  For Year 2000 compliance, you are advised
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index 5339e0f..aa12650 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -145,6 +145,11 @@ public class WebToolsServices {
         // #############################
         // FM Template
         // #############################
+        if (UtilValidate.urlInString(fulltext)) {
+            Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
+            Debug.logInfo("Rather load your data from a file", MODULE);
+            return null;
+        }
         if (UtilValidate.isNotEmpty(fmfilename) && (UtilValidate.isNotEmpty(fulltext) || url != null)) {
             File fmFile = new File(fmfilename);
             if (!fmFile.exists()) {
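Review bot: The guard logs and then does `return null`, so the caller receives no result and the user no error; if this is an OFBiz service returning a `Map` (the method signature is outside the hunk), returning `ServiceUtil.returnError("For security reason HTTP URLs are not accepted, see OFBIZ-12304")` would surface the rejection instead of leaving the service engine with a null result. The check also only inspects `fulltext`, while the next line still accepts `url != null` as an input source that this filter never sees; confirm that path is covered elsewhere. Screening the text for `://` is a denylist over the payload, and an external entity declaration does not have to contain that token; the durable mitigation for the XXE named in the commit title is to configure the XML parser that consumes this text to refuse DOCTYPE declarations and external entities (for Xerces-based parsers, the `http://apache.org/xml/features/disallow-doctype-decl` feature), which does not depend on what the input looks like.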

[ofbiz-framework] 01/02: Fixed: Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo (OFBIZ-12306)

Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 67665d1a9e59912e64d4d891d55c81b967a119ca
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Sep 13 08:10:14 2021 +0200

    Fixed: Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo (OFBIZ-12306)
    
    The XXE vulnerability can read arbitrary files on the server.
    
    Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java |  2 +-
 .../webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy    | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
index 4d45255..e1655f8 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
@@ -143,8 +143,8 @@ public final class UtilURL {
         try {
             url = new URL(urlString);
         } catch (MalformedURLException e) {
+            // We purposely don't want to do anything here
         }
-
         return url;
     }
 
diff --git a/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy b/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
index 7edebdf..afa2cb5 100644
--- a/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
+++ b/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
@@ -17,12 +17,16 @@
  * under the License.
  */
 
-import org.apache.ofbiz.entity.Delegator
-import org.apache.ofbiz.webtools.artifactinfo.*
-import org.apache.ofbiz.base.util.*
+import org.apache.ofbiz.base.util.Debug
+import org.apache.ofbiz.base.util.UtilURL
+import org.apache.ofbiz.webtools.artifactinfo.ArtifactInfoFactory
 
 name = parameters.name
 location = parameters.location
+if (UtilURL.fromUrlString(location)) {
+    Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12306", "ArtifactInfo.groovy")
+    return
+}
 type = parameters.type
 uniqueId = parameters.uniqueId
 delegatorName = delegator.getDelegatorName()
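Review bot: `if (UtilURL.fromUrlString(location))` tests a `java.net.URL` (or null, per the `UtilURL` hunk in this commit) under Groovy truth, which reads as a boolean predicate when it is really a null check; `if (UtilURL.fromUrlString(location) != null) {` says what is meant. Note that `new URL(...)` accepts any registered scheme, not only HTTP, so the log text "HTTP URLs are not accepted" is narrower than the condition; "URLs are not accepted" would match the behaviour. The script continues past the hunk.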