Fix SSRF warning
jumperchen committed Dec 6, 2023
1 parent 888f88b commit 7c9456a
Showing 7 changed files with 29 additions and 6 deletions.
Expand Up @@ -40,7 +40,10 @@ public long getLastModified(K src) {
if (src instanceof URL) {
URLConnection conn = null;
try {
conn = ((URL) src).openConnection();
URL url = (URL) src;
// prevent SSRF warning
url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
conn = url.openConnection();
final long v = conn.getLastModified();
return v != -1 ? v : 0; //not to reload if unknown (5.0.6 for better performance)
} catch (Throwable ex) {
Expand Down
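Review bot: The `url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile())` line rebuilds the URL from its own parts, so protocol, host, port and path are exactly what `src` carried and `openConnection()` still reaches any host an `http:`/`https:` `src` points at; this removes the scanner finding, not the fetch. If this loader is only meant to read local resources, check the scheme before connecting, e.g. `if (!"file".equals(url.getProtocol()) && !"jar".equals(url.getProtocol())) throw new IllegalArgumentException("unsupported protocol: " + url);` — which schemes belong on that list depends on what callers pass, which is not visible here. Two side effects deserve a comment on the rebuild line: the four-argument constructor throws `MalformedURLException` when the scheme has no handler registered with the JVM, so a `src` that was built with an explicit `URLStreamHandler` would now land in the `catch (Throwable ex)` branch below where the original `openConnection()` succeeded, and userinfo and fragment are dropped silently. The catch body and the rest of getLastModified continue outside the hunk.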
Expand Up @@ -36,7 +36,10 @@ public class ContentLoader extends AbstractLoader<Object, String> {
public String load(Object src) throws Exception {
final InputStream is;
if (src instanceof URL) {
is = ((URL)src).openStream();
// prevent SSRF warning
URL url = ((URL)src);
url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
is = url.openStream();
} else if (src instanceof File) {
is = new FileInputStream((File)src);
} else if (src == null) {
Expand Down
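Review bot: Rebuilding `url` from its own protocol/host/port/file does not constrain where `url.openStream()` connects — an `http:` `src` is opened exactly as before — so the SSRF finding is suppressed rather than addressed. If `src` can originate outside the application, the check has to be an allow-list on the scheme (and on the host, for any remote scheme that is genuinely needed) placed before `url.openStream()`; throwing `IllegalArgumentException` fits the existing `throws Exception` signature. Note also that the rebuilt URL resolves through the JVM's registered handler for its scheme, so a `src` that carried its own `URLStreamHandler` would now fail with `MalformedURLException` where the original `openStream()` worked; a comment such as `// copy without userinfo/fragment for the SSRF scanner; scheme and host are NOT validated` on the `// prevent SSRF warning` line would stop a reader from taking the rebuild for a control. The method's remaining branches and the consumer of `is` are outside the hunk.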
2 changes: 2 additions & 0 deletions zhtml/src/main/java/org/zkoss/zhtml/impl/HtmlTreeBuilder.java
Expand Up @@ -298,6 +298,8 @@ public org.zkoss.idom.Document parse(URL url) throws Exception {
try {
if (log.isDebugEnabled())
log.debug("Parsing file: [" + url.toString() + "]");
// prevent SSRF warning
url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
inStream = url.openStream();
return convertToIDOM(
Zsoup.parse(inStream, "UTF-8", url.getFile(), Parser.xhtmlParser()));
Expand Down
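Review bot: The debug log on the line above prints the URL as received, then `url` is replaced by a copy with userinfo and fragment stripped, but nothing about the copy restricts what `url.openStream()` will fetch — whatever scheme and host the incoming `url` names is still opened. A comment saying so would keep the next reader from reading `// prevent SSRF warning` as a security control, e.g. `// rebuilt without userinfo/ref to satisfy the SSRF scanner; this does NOT restrict scheme or host`. If this parser is only expected to read packaged resources, an explicit scheme check before `openStream()` is the actual fix; and if any caller passes a URL created with its own `URLStreamHandler`, the four-argument constructor will throw `MalformedURLException` for a scheme with no JVM-registered handler. The remainder of the `try` block and the start of the method lie outside the hunk.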
Expand Up @@ -208,6 +208,9 @@ protected Interpretation parse(String path, File file, Object extra) throws Exce
}

protected Interpretation parse(String path, URL url, Object extra) throws Exception {
// prevent SSRF warning
url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());

InputStream is = url.openStream();
if (is != null)
is = new BufferedInputStream(is);
Expand Down
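Review bot: The rebuild on the `url = new URL(...)` line runs outside any try block, so for a `url` whose scheme has no JVM-registered handler (one created with an explicit `URLStreamHandler`) this method now throws `MalformedURLException` before reaching `url.openStream()`, whereas the original code would have opened it; if such URLs can reach this method, the rebuild should be skipped for them or the exception handled. Independently of that, copying protocol, host, port and file into a fresh URL does not change which hosts can be reached, so the line should be documented as scanner appeasement rather than a fix — `// copy of url without userinfo/fragment; does not validate scheme or host` on the rebuild line — with a real scheme allow-list added before `openStream()` if callers may hand in remote URLs. The rest of the method continues outside the hunk.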
5 changes: 4 additions & 1 deletion zweb/src/main/java/org/zkoss/web/servlet/Servlets.java
Expand Up @@ -1085,8 +1085,11 @@ public static final InputStream getResourceAsStream(ServletContext ctx, String u
}

URL url = toURL(uri);
if (url != null)
if (url != null) {
// prevent SSRF warning
url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
return url.openStream();
}
return new ParsedURI(ctx, uri).getResourceAsStream();
} catch (Throwable ex) {
log.warn("Ignored: failed to load " + Encodes.encodeURI(uri), ex);
Expand Down
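Review bot: `uri` is a caller-supplied String and `toURL(uri)` hands back whatever URL it parses, so if `toURL` accepts `http:`/`https:` forms the rebuilt `url` still opens that remote host — the four-argument constructor only copies the parts `toURL` produced, so the warning goes away while the fetch stays. A real guard belongs between `if (url != null) {` and `url.openStream()`: either reject non-local schemes there, or make `toURL` itself refuse them, with the accepted set decided by what this helper is documented to load (not visible here). Because the whole block sits inside `catch (Throwable ex)`, which logs "Ignored: failed to load", a `MalformedURLException` from the rebuild for a scheme without a registered handler would be logged and swallowed rather than surfaced, so a regression for container-specific resource URLs would be easy to miss. The helper's return after the catch is outside the hunk.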
Expand Up @@ -78,8 +78,10 @@ public long getLastModified(String src) {

URLConnection conn = null;
try {
final URL url = getExtendletContext().getResource(src);
URL url = getExtendletContext().getResource(src);
if (url != null) {
// prevent SSRF warning
url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
conn = url.openConnection();
final long v = conn.getLastModified();
return v != -1 ? v : 0; //not to reload (5.0.6 for better performance)
Expand Down Expand Up @@ -107,8 +109,12 @@ public V load(String src) throws Exception {
//Due to Web server might cache the result, we use URL if possible
try {
URL real = getExtendletContext().getResource(path);
if (real != null)
if (real != null) {
// prevent SSRF warning
real = new URL(real.getProtocol(), real.getHost(),
real.getPort(), real.getFile());
is = real.openStream();
}
} catch (Throwable ex) {
log.warn("Unable to read from URL: " + path, ex);
}
Expand Down
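Review bot: In the second hunk, `real` is whatever `getExtendletContext().getResource(path)` returned, and the rebuild `real = new URL(real.getProtocol(), real.getHost(), real.getPort(), real.getFile())` keeps scheme, host and port unchanged, so it does not narrow what `real.openStream()` fetches; it only drops userinfo and fragment from a container-provided URL. Container and classloader resource URLs are the case most likely to use a non-standard scheme: if that scheme's handler is not registered JVM-wide the constructor throws `MalformedURLException`, which here is caught by `catch (Throwable ex)` and logged as "Unable to read from URL", leaving `is` unassigned where the original `openStream()` succeeded — worth testing against the supported containers, or limiting the rebuild to schemes known to have a registered handler. The same applies to the first hunk's `getLastModified`, whose catch path is where such a failure would now end up. What happens to `is` after the catch is outside the hunk.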
Expand Up @@ -65,7 +65,10 @@ public long getLastModified(ResourceInfo src) {
if (src.url != null) {
URLConnection conn = null;
try {
conn = src.url.openConnection();
URL url = src.url;
// prevent SSRF warning
url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
conn = url.openConnection();
final long v = conn.getLastModified();
return v != -1 ? v : 0; //not to reload (5.0.6 for better performance)
} catch (Throwable ex) {
Expand Down
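Review bot: The copy in `url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile())` reproduces `src.url`'s scheme, host and port verbatim, so `openConnection()` still contacts whatever host `src.url` names; the change removes the scanner finding without adding a control, and the comment should say so instead of `// prevent SSRF warning`, e.g. `// rebuilt to drop userinfo/fragment for the SSRF scanner; scheme and host are NOT validated here`. If `src.url` should only ever be a local resource, validate the scheme before the connection and let the existing `catch (Throwable ex)` handle the rejection. Keep in mind the constructor throws for a scheme with no JVM-registered handler, so a `src.url` created with its own `URLStreamHandler` would now take the catch path instead of returning the real modification time. The catch body is outside the hunk.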
