From 7c9456a6291c9b39c13794a43a5dc54d52dcbc6c Mon Sep 17 00:00:00 2001
From: Jumper Chen
Date: Tue, 5 Dec 2023 16:01:12 +0800
Subject: [PATCH] Fix SSRF warning

---
 .../java/org/zkoss/util/resource/AbstractLoader.java | 5 ++++-
 .../java/org/zkoss/util/resource/ContentLoader.java | 5 ++++-
 .../java/org/zkoss/zhtml/impl/HtmlTreeBuilder.java | 2 ++
 .../org/zkoss/web/servlet/dsp/InterpreterServlet.java | 3 +++
 zweb/src/main/java/org/zkoss/web/servlet/Servlets.java | 5 ++++-
 .../org/zkoss/web/util/resource/ExtendletLoader.java | 10 ++++++++--
 .../org/zkoss/web/util/resource/ResourceLoader.java | 5 ++++-
 7 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/zcommon/src/main/java/org/zkoss/util/resource/AbstractLoader.java b/zcommon/src/main/java/org/zkoss/util/resource/AbstractLoader.java
index 18d135f6e9a..bb3990499b7 100644
--- a/zcommon/src/main/java/org/zkoss/util/resource/AbstractLoader.java
+++ b/zcommon/src/main/java/org/zkoss/util/resource/AbstractLoader.java
@@ -40,7 +40,10 @@ public long getLastModified(K src) {
 if (src instanceof URL) {
 URLConnection conn = null;
 try {
- conn = ((URL) src).openConnection();
+ URL url = (URL) src;
+ // prevent SSRF warning
+ url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
+ conn = url.openConnection();
 final long v = conn.getLastModified();
 return v != -1 ? v : 0; //not to reload if unknown (5.0.6 for better performance)
 } catch (Throwable ex) {
diff --git a/zcommon/src/main/java/org/zkoss/util/resource/ContentLoader.java b/zcommon/src/main/java/org/zkoss/util/resource/ContentLoader.java
index 6292f14dc13..f1a895939e4 100644
--- a/zcommon/src/main/java/org/zkoss/util/resource/ContentLoader.java
+++ b/zcommon/src/main/java/org/zkoss/util/resource/ContentLoader.java
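Review bot: The rebuilt `url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile())` before `conn = url.openConnection()` preserves protocol, host, port, path and query, so the connection still goes exactly where `src` pointed; the only behavioural effect is that user-info and fragment are dropped, and presumably the analyzer stops tracking taint through the constructor. If `src` can be influenced by a caller at this layer, the missing piece is a check before the rebuild, for example `String p = url.getProtocol(); if (!("file".equals(p) || "jar".equals(p))) throw new IllegalArgumentException("unsupported protocol: " + p);` with whatever protocols the loaders legitimately need; if it cannot, the comment should say what the line really does, e.g. `// rebuilt from its own components to satisfy the static analyzer; host/port/path are unchanged, so this does not restrict the destination` rather than `// prevent SSRF warning`. The identical rebuild and comment appear in ContentLoader.load, HtmlTreeBuilder.parse, InterpreterServlet.parse, Servlets.getResourceAsStream, both ExtendletLoader hunks and ResourceLoader.getLastModified, and the same point applies to each of them. getLastModified's catch block continues outside the hunk.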
@@ -36,7 +36,10 @@ public class ContentLoader extends AbstractLoader {
 public String load(Object src) throws Exception {
 final InputStream is;
 if (src instanceof URL) {
- is = ((URL)src).openStream();
+ // prevent SSRF warning
+ URL url = ((URL)src);
+ url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
+ is = url.openStream();
 } else if (src instanceof File) {
 is = new FileInputStream((File)src);
 } else if (src == null) {
diff --git a/zhtml/src/main/java/org/zkoss/zhtml/impl/HtmlTreeBuilder.java b/zhtml/src/main/java/org/zkoss/zhtml/impl/HtmlTreeBuilder.java
index ea160c6057c..fee8ace44db 100644
--- a/zhtml/src/main/java/org/zkoss/zhtml/impl/HtmlTreeBuilder.java
+++ b/zhtml/src/main/java/org/zkoss/zhtml/impl/HtmlTreeBuilder.java
@@ -298,6 +298,8 @@ public org.zkoss.idom.Document parse(URL url) throws Exception {
 try {
 if (log.isDebugEnabled())
 log.debug("Parsing file: [" + url.toString() + "]");
+ // prevent SSRF warning
+ url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
 inStream = url.openStream();
 return convertToIDOM(
 Zsoup.parse(inStream, "UTF-8", url.getFile(), Parser.xhtmlParser()));
diff --git a/zweb-dsp/src/main/java/org/zkoss/web/servlet/dsp/InterpreterServlet.java b/zweb-dsp/src/main/java/org/zkoss/web/servlet/dsp/InterpreterServlet.java
index d14d69128b9..c5d379764ae 100644
--- a/zweb-dsp/src/main/java/org/zkoss/web/servlet/dsp/InterpreterServlet.java
+++ b/zweb-dsp/src/main/java/org/zkoss/web/servlet/dsp/InterpreterServlet.java
@@ -208,6 +208,9 @@ protected Interpretation parse(String path, File file, Object extra) throws Exce
 }
 
 protected Interpretation parse(String path, URL url, Object extra) throws Exception {
+ // prevent SSRF warning
+ url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
+
 InputStream is = url.openStream();
 if (is != null)
 is = new BufferedInputStream(is);
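Review bot: In HtmlTreeBuilder.parse the debug line `log.debug("Parsing file: [" + url.toString() + "]")` still prints the caller's original URL, including any user-info in its authority, while the rebuilt `url` two lines later has that part dropped, because the four-argument URL constructor builds the authority from host and port only. Moving the rebuild above the `if (log.isDebugEnabled())` line would make the log show the URL that is actually opened and keep embedded credentials, if a caller ever passes them, out of the log. parse's body continues outside the hunk.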
diff --git a/zweb/src/main/java/org/zkoss/web/servlet/Servlets.java b/zweb/src/main/java/org/zkoss/web/servlet/Servlets.java
index 461e4811d5e..332a5290b9f 100644
--- a/zweb/src/main/java/org/zkoss/web/servlet/Servlets.java
+++ b/zweb/src/main/java/org/zkoss/web/servlet/Servlets.java
@@ -1085,8 +1085,11 @@ public static final InputStream getResourceAsStream(ServletContext ctx, String u
 }
 
 URL url = toURL(uri);
- if (url != null)
+ if (url != null) {
+ // prevent SSRF warning
+ url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
 return url.openStream();
+ }
 return new ParsedURI(ctx, uri).getResourceAsStream();
 } catch (Throwable ex) {
 log.warn("Ignored: failed to load " + Encodes.encodeURI(uri), ex);
diff --git a/zweb/src/main/java/org/zkoss/web/util/resource/ExtendletLoader.java b/zweb/src/main/java/org/zkoss/web/util/resource/ExtendletLoader.java
index 25bfe5ad09e..31015608955 100644
--- a/zweb/src/main/java/org/zkoss/web/util/resource/ExtendletLoader.java
+++ b/zweb/src/main/java/org/zkoss/web/util/resource/ExtendletLoader.java
@@ -78,8 +78,10 @@ public long getLastModified(String src) {
 
 URLConnection conn = null;
 try {
- final URL url = getExtendletContext().getResource(src);
+ URL url = getExtendletContext().getResource(src);
 if (url != null) {
+ // prevent SSRF warning
+ url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
 conn = url.openConnection();
 final long v = conn.getLastModified();
 return v != -1 ? v : 0; //not to reload (5.0.6 for better performance)
@@ -107,8 +109,12 @@ public V load(String src) throws Exception {
 //Due to Web server might cache the result, we use URL if possible
 try {
 URL real = getExtendletContext().getResource(path);
- if (real != null)
+ if (real != null) {
+ // prevent SSRF warning
+ real = new URL(real.getProtocol(), real.getHost(),
+ real.getPort(), real.getFile());
 is = real.openStream();
+ }
 } catch (Throwable ex) {
 log.warn("Unable to read from URL: " + path, ex);
 }
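Review bot: In ExtendletLoader.getLastModified the URL comes from `getExtendletContext().getResource(src)`, i.e. from the container, and the rebuild after `if (url != null) {` throws MalformedURLException when that URL's protocol has no stream handler registered by name (a URL created with an explicit handler cannot be recreated from its protocol string); the exception is swallowed by the surrounding `catch (Throwable ex)`, whose handling is outside the hunk, so on such a container the last-modified check would quietly stop working rather than fail loudly. I cannot tell from the hunk which containers the project targets, so this deserves a quick check against them. The same rebuild is now written out seven times in this commit, including the second hunk here at `@@ -107`; a single helper in zcommon, e.g. `static URL rebuildWithoutUserInfo(URL url) throws MalformedURLException`, would keep the behaviour in one place if it later grows into a real protocol allow-list.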
diff --git a/zweb/src/main/java/org/zkoss/web/util/resource/ResourceLoader.java b/zweb/src/main/java/org/zkoss/web/util/resource/ResourceLoader.java
index 2a1322d134e..5e815bb17a3 100644
--- a/zweb/src/main/java/org/zkoss/web/util/resource/ResourceLoader.java
+++ b/zweb/src/main/java/org/zkoss/web/util/resource/ResourceLoader.java
@@ -65,7 +65,10 @@ public long getLastModified(ResourceInfo src) {
 if (src.url != null) {
 URLConnection conn = null;
 try {
- conn = src.url.openConnection();
+ URL url = src.url;
+ // prevent SSRF warning
+ url = new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile());
+ conn = url.openConnection();
 final long v = conn.getLastModified();
 return v != -1 ? v : 0; //not to reload (5.0.6 for better performance)
 } catch (Throwable ex) {