pkarwasz pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/2.x by this push:
new c5a1955789 fix: Add `resource:` protocol to allowed URL schemes by
default (#3795)
c5a1955789 is described below
commit c5a19557899ce751eb2841d0e7491b535bec2524
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Fri Jul 4 20:33:11 2025 +0200
fix: Add `resource:` protocol to allowed URL schemes by default (#3795)
* fix: Add `resource:` protocol to allowed URL schemes by default
This update includes `resource:` in the list of allowed URL schemes for
retrieving configuration files.
See
[`log4j2.configurationAllowedProtocols`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.configurationAllowedProtocols)
Currently, the `resource:` protocol is used exclusively by a
`URLStreamHandler` that retrieves files from the embedded resources in a
GraalVM native image. This makes it a secure and appropriate source for trusted
configuration files.
This change cannot be easily and reliably tested through a unit test. An
integration test will be provided in apache/logging-log4j-samples#345
Closes #3790
* fix: Add `resource` protocol only in native images
This change introduces an internal `SystemUtils.isGraalVm()` method to
detect the presence of GraalVM and enable the `resource` protocol.
* Reword changelog entry
---------
Co-authored-by: Volkan Yazıcı <[email protected]>
---
.../logging/log4j/core/net/UrlConnectionFactory.java | 20 +++++++++++++++++++-
.../log4j/core/util/internal/SystemUtils.java | 16 ++++++++++++++++
.../.2.x.x/3790_allow-resource-protocol.xml | 12 ++++++++++++
.../properties-transport-security.adoc | 14 +++++++++++---
4 files changed, 58 insertions(+), 4 deletions(-)
diff --git
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
index e6ba2a1366..e98d3d9a9d 100644
---
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
+++
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
@@ -33,6 +33,7 @@ import
org.apache.logging.log4j.core.net.ssl.LaxHostnameVerifier;
import org.apache.logging.log4j.core.net.ssl.SslConfiguration;
import org.apache.logging.log4j.core.net.ssl.SslConfigurationFactory;
import org.apache.logging.log4j.core.util.AuthorizationProvider;
+import org.apache.logging.log4j.core.util.internal.SystemUtils;
import org.apache.logging.log4j.util.PropertiesUtil;
import org.apache.logging.log4j.util.Strings;
@@ -51,7 +52,24 @@ public class UrlConnectionFactory {
private static final String HTTP = "http";
private static final String HTTPS = "https";
private static final String JAR = "jar";
- private static final String DEFAULT_ALLOWED_PROTOCOLS = "https, file, jar";
+ /**
+ * Default list of protocols that are allowed to be used for configuration
files and other trusted resources.
+ * <p>
+ * By default, we trust the following protocols:
+ * <dl>
+ * <dt>file</dt>
+ * <dd>Local files</dd>
+ * <dt>https</dt>
+ * <dd>Resources retrieved through TLS to guarantee their
integrity</dd>
+ * <dt>jar</dt>
+ * <dd>Resources retrieved from JAR files</dd>
+ * <dt>resource</dt>
+ * <dd>Resources embedded in a GraalVM native image</dd>
+ * </dl>
+ */
+ private static final String DEFAULT_ALLOWED_PROTOCOLS =
+ SystemUtils.isGraalVm() ? "file, https, jar, resource" : "file,
https, jar";
+
private static final String NO_PROTOCOLS = "_none";
public static final String ALLOWED_PROTOCOLS =
"log4j2.Configuration.allowedProtocols";
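Review bot: The Javadoc on `DEFAULT_ALLOWED_PROTOCOLS` lists `resource` as trusted by default without qualification, but the initializer only adds it when `SystemUtils.isGraalVm()` returns true, so the comment overstates the allowlist on a regular JVM. I would put the condition in the entry itself, e.g. `<dd>Resources embedded in a GraalVM native image; only allowed when {@link SystemUtils#isGraalVm()} returns {@code true}</dd>`, and add one sentence on why the scheme is not trusted elsewhere (outside a native image nothing visible here guarantees what a `resource:` handler would serve). The constant is a `static final` evaluated once at class initialization, so the comment should also say that the decision is fixed at that point and does not follow later changes to the system property. The class body continues outside the hunk, so how this default is combined with `log4j2.Configuration.allowedProtocols` is not visible here.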
diff --git
a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java
b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java
index b7b3d9cbb4..23d60ce688 100644
---
a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java
+++
b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java
@@ -36,5 +36,21 @@ public final class SystemUtils {
return getJavaVendor().contains("Android");
}
+ /**
+ * Checks if the current runtime is GraalVM.
+ * <p>
+ * See <a
href="https://www.graalvm.org/sdk/javadoc/org/graalvm/nativeimage/ImageInfo.html#PROPERTY_IMAGE_CODE_KEY">ImageInfo.PROPERTY_IMAGE_CODE_KEY</a>.
+ * </p>
+ * @return true if the current runtime is GraalVM, false otherwise.
+ */
+ public static boolean isGraalVm() {
+ try {
+ return System.getProperty("org.graalvm.nativeimage.imagecode") !=
null;
+ } catch (final SecurityException e) {
+ LOGGER.debug("Unable to determine if the current runtime is
GraalVM.", e);
+ return false;
+ }
+ }
+
private SystemUtils() {}
}
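Review bot: The name and Javadoc of `isGraalVm()` promise more than the check delivers. The method only tests whether the `org.graalvm.nativeimage.imagecode` system property is non-null, which per the linked `ImageInfo` documentation signals native-image context rather than the GraalVM runtime in general, so a GraalVM JDK running in JIT mode would presumably return false. Because the result widens the default configuration-protocol allowlist in `UrlConnectionFactory`, the summary should say exactly what is checked, e.g. `Checks whether the code runs in the context of a GraalVM native image, i.e. the {@code org.graalvm.nativeimage.imagecode} system property is set.` It should also state that any non-null value is accepted and that the property can be set on an ordinary JVM, so the return value is an environment hint and not a verified fact; that looks tolerable only because whoever can set it can also set the allowed-protocols property directly. The class starts outside the hunk, so the declarations of `LOGGER` and `getJavaVendor()` are not visible here.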
diff --git a/src/changelog/.2.x.x/3790_allow-resource-protocol.xml
b/src/changelog/.2.x.x/3790_allow-resource-protocol.xml
new file mode 100644
index 0000000000..ffa3c80e30
--- /dev/null
+++ b/src/changelog/.2.x.x/3790_allow-resource-protocol.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns="https://logging.apache.org/xml/ns"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="
+ https://logging.apache.org/xml/ns
+ https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"
+ type="fixed">
+ <issue id="3790"
link="https://github.com/apache/logging-log4j2/issues/3790"/>
+ <description format="asciidoc">
+ Allow `resource:` protocol for configuration files by default, if the
current runtime is GraalVM.
+ </description>
+</entry>
diff --git
a/src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc
b/src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc
index 445c9ec541..3c662698c9 100644
---
a/src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc
+++
b/src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc
@@ -21,9 +21,17 @@
[cols="1h,5"]
|===
-| Env. variable | `LOG4J_CONFIGURATION_ALLOWED_PROTOCOLS`
-| Type | Comma-separated list of
https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`]
protocols
-| Default value | `file, https, jar`
+| Env. variable
+| `LOG4J_CONFIGURATION_ALLOWED_PROTOCOLS`
+
+| Type
+| Comma-separated list of
https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`]
protocols
+
+| Default value
+|
+`file, https, jar` (JVM)
+
+`file, https, jar, resource` (GraalVM)
|===
A comma separated list of
https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`]
protocols that may be used to load any kind of configuration source.