Improved: Added validation to screen/script URI to block URL patterns. Throw an error if the script location contains a URL. (OFBIZ-13132)

dixitdeepak · dixitdeepak · commit ffb1bc487983 · 2024-08-30T00:12:48.000+05:30
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java
@@ -152,7 +152,7 @@ public static Class<?> getScriptClassFromLocation(String location) throws Genera
             Class<?> scriptClass = parsedScripts.get(location);
             if (scriptClass == null) {
                 URL scriptUrl = FlexibleLocation.resolveLocation(location);
-                if (scriptUrl == null) {
+                if (scriptUrl == null || UtilValidate.urlInString(scriptUrl.toString())) {
                     throw new GeneralException("Script not found at location [" + location + "]");
                 }
                 if (groovyScriptClassLoader != null) {
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
@@ -136,6 +136,9 @@ public static CompiledScript compileScriptFile(String filePath) throws ScriptExc
             try {
                 Compilable compilableEngine = (Compilable) engine;
                 URL scriptUrl = FlexibleLocation.resolveLocation(filePath);
+                if (scriptUrl == null || UtilValidate.urlInString(scriptUrl.toString())) {
+                    throw new ScriptException("Script not found at location [" + filePath + "]");
+                }
                 BufferedReader reader = new BufferedReader(new InputStreamReader(scriptUrl.openStream(), UtilIO
                         .getUtf8()));
                 script = compilableEngine.compile(reader);
@@ -384,6 +387,9 @@ public static Object executeScript(String filePath, String functionName, ScriptC
         }
         engine.setContext(scriptContext);
         URL scriptUrl = FlexibleLocation.resolveLocation(filePath);
+        if (scriptUrl == null || UtilValidate.urlInString(scriptUrl.toString())) {
+            throw new ScriptException("Script not found at location [" + filePath + "]");
+        }
         try (
                 InputStreamReader reader = new InputStreamReader(new FileInputStream(scriptUrl.getFile()), UtilIO
                         .getUtf8());) {
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ScreenFactory.java
@@ -115,7 +115,7 @@ public static Map<String, ModelScreen> getScreensFromLocation(String resourceNam
                     long startTime = System.currentTimeMillis();
                     URL screenFileUrl = null;
                     screenFileUrl = FlexibleLocation.resolveLocation(resourceName);
-                    if (screenFileUrl == null) {
+                    if (screenFileUrl == null ||  UtilValidate.urlInString(screenFileUrl.toString())) {
                         throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
                     }
                     Document screenFileDoc = UtilXml.readXmlDocument(screenFileUrl, true, true);

Original file line number	Diff line number	Diff line change
`@@ -152,7 +152,7 @@ public static Class<?> getScriptClassFromLocation(String location) throws Genera`
`152`	`152`	`Class<?> scriptClass = parsedScripts.get(location);`
`153`	`153`	`if (scriptClass == null) {`
`154`	`154`	`URL scriptUrl = FlexibleLocation.resolveLocation(location);`
`155`		`- if (scriptUrl == null) {`
	`155`	`+ if (scriptUrl == null \|\| UtilValidate.urlInString(scriptUrl.toString())) {`
`156`	`156`	`throw new GeneralException("Script not found at location [" + location + "]");`
`157`	`157`	`}`
`158`	`158`	`if (groovyScriptClassLoader != null) {`
Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ public static Map<String, ModelScreen> getScreensFromLocation(String resourceNam`
`115`	`115`	`long startTime = System.currentTimeMillis();`
`116`	`116`	`URL screenFileUrl = null;`
`117`	`117`	`screenFileUrl = FlexibleLocation.resolveLocation(resourceName);`
`118`		`- if (screenFileUrl == null) {`
	`118`	`+ if (screenFileUrl == null \|\| UtilValidate.urlInString(screenFileUrl.toString())) {`
`119`	`119`	`throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);`
`120`	`120`	`}`
`121`	`121`	`Document screenFileDoc = UtilXml.readXmlDocument(screenFileUrl, true, true);`