Fixed: [codeQL] Resolving specific Java issues (OFBIZ-12925)

Temporary reverts while trying to understand why testXmlMacroLibrary does not pass :/
apache · Feb 24, 2025 · 9c37c1a · 9c37c1a
1 parent 34ff376
commit 9c37c1a
Showing 1 changed file with 15 additions and 24 deletions.
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
@@ -91,19 +91,18 @@ public final class UtilXml {
     public static final String module = UtilXml.class.getName();
     private static final XStream xstream = createXStream();
     private UtilXml () {}
-    private static final List<String> HOSTHEADERSALLOWED = UtilMisc.getHostHeadersAllowed();
 
     private static XStream createXStream() {
         XStream xstream = new XStream();
-        /* This method is a pure helper method for XStream 1.4.x.
+        /* This method is a pure helper method for XStream 1.4.x. 
          * It initializes an XStream instance with a white list of well-known and simply types of the Java runtime
          *  as it is done in XStream 1.5.x by default. This method will do therefore nothing in XStream 1.5
-         *  and could be removed them
-         */
-        XStream.setupDefaultSecurity(xstream);
-        /* You may want to enhance the white list created by XStream::setupDefaultSecurity (or by default with XStream 1.5)
+         *  and could be removed them  
+         */ 
+        XStream.setupDefaultSecurity(xstream); 
+        /* You may want to enhance the white list created by XStream::setupDefaultSecurity (or by default with XStream 1.5) 
          * using xstream::allowTypesByWildcard with your own classes
-         */
+         */  
         return xstream;
     }
 
@@ -404,13 +403,9 @@ public static Document readXmlDocument(URL url, boolean validate)
 
     public static Document readXmlDocument(URL url, boolean validate, boolean withPosition)
             throws SAXException, ParserConfigurationException, java.io.IOException {
-
-        // url.getHost().isEmpty() when reading an XML file
-        if (!HOSTHEADERSALLOWED.contains(url.getHost()) && !url.getHost().isEmpty()) {
-            Debug.logWarning("Domain " + url.getHost() + " not accepted to prevent host header injection."
-                    + " You need to set host-headers-allowed property in security.properties file.", module);
-            throw new IOException("Domain " + url.getHost() + " not accepted to prevent host header injection."
-                    + " You need to set host-headers-allowed property in security.properties file.");
+        if (url == null) {
+            Debug.logWarning("[UtilXml.readXmlDocument] URL was null, doing nothing", module);
+            return null;
         }
         InputStream is = url.openStream();
         Document document = readXmlDocument(is, validate, url.toString(), withPosition);
@@ -1061,8 +1056,7 @@ public LocalResolver(EntityResolver defaultResolver) {
          * @param systemId - System ID of DTD
          * @return InputSource of DTD
          */
-        @Override
-		public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
             hasDTD = false;
             String dtd = UtilProperties.getSplitPropertyValue(UtilURL.fromResource("localdtds.properties"), publicId);
             if (UtilValidate.isNotEmpty(dtd)) {
@@ -1144,8 +1138,7 @@ public LocalErrorHandler(String docDescription, LocalResolver localResolver) {
             this.localResolver = localResolver;
         }
 
-        @Override
-		public void error(SAXParseException exception) {
+        public void error(SAXParseException exception) {
             String exceptionMessage = exception.getMessage();
             Pattern valueFlexExpr = Pattern.compile("value '\\$\\{.*\\}'");
             Matcher matcher = valueFlexExpr.matcher(exceptionMessage.toLowerCase());
@@ -1160,8 +1153,7 @@ public void error(SAXParseException exception) {
             }
         }
 
-        @Override
-		public void fatalError(SAXParseException exception) {
+        public void fatalError(SAXParseException exception) {
             if (localResolver.hasDTD()) {
                 Debug.logError("XmlFileLoader: File "
                     + docDescription
@@ -1173,8 +1165,7 @@ public void fatalError(SAXParseException exception) {
             }
         }
 
-        @Override
-		public void warning(SAXParseException exception) {
+        public void warning(SAXParseException exception) {
             if (localResolver.hasDTD()) {
                 Debug.logError("XmlFileLoader: File "
                     + docDescription
@@ -1189,7 +1180,7 @@ public void warning(SAXParseException exception) {
 
     /** This method is now useless
      * Enhance rather the white list created by XStream::setupDefaultSecurity
-     * using xstream::allowTypesByWildcard with your own classes
+     * using xstream::allowTypesByWildcard with your own classes  
      */
     @Deprecated
     private static class UnsupportedClassConverter implements Converter {
@@ -1234,7 +1225,7 @@ public static String getNodeNameIgnorePrefix(Node node){
      * get tag name without any prefix
      * @param element
      * @return tagName
-     */
+     */ 
     public static String getTagNameIgnorePrefix(Element element){
         if (element==null) {
             return null;