This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch 2.25.x in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 76090f86ba7e46b4efa3e7bf795f11afe53de7c9 Author: Piotr P. Karwasz <[email protected]> AuthorDate: Fri Jul 4 20:33:11 2025 +0200 fix: Add `resource:` protocol to allowed URL schemes by default (#3795) * fix: Add `resource:` protocol to allowed URL schemes by default This update includes `resource:` in the list of allowed URL schemes for retrieving configuration files. See [`log4j2.configurationAllowedProtocols`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.configurationAllowedProtocols) Currently, the `resource:` protocol is used exclusively by a `URLStreamHandler` that retrieves files from the embedded resources in a GraalVM native image. This makes it a secure and appropriate source for trusted configuration files. This change cannot be easily and reliably tested through a unit test. An integration test will be provided in apache/logging-log4j-samples#345 Closes #3790 * fix: Add `resource` protocol only in native images This change introduces an internal `SystemUtils.isGraalVm()` method to detect the presence of GraalVM and enable the `resource` protocol. * Reword changelog entry --------- Co-authored-by: Volkan Yazıcı <[email protected]> --- .../logging/log4j/core/net/UrlConnectionFactory.java | 20 +++++++++++++++++++- .../log4j/core/util/internal/SystemUtils.java | 16 ++++++++++++++++ .../.2.x.x/3790_allow-resource-protocol.xml | 12 ++++++++++++ .../properties-transport-security.adoc | 14 +++++++++++--- 4 files changed, 58 insertions(+), 4 deletions(-) diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java index e6ba2a1366..e98d3d9a9d 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java @@ -33,6 +33,7 @@ import org.apache.logging.log4j.core.net.ssl.LaxHostnameVerifier; import org.apache.logging.log4j.core.net.ssl.SslConfiguration; import org.apache.logging.log4j.core.net.ssl.SslConfigurationFactory; import org.apache.logging.log4j.core.util.AuthorizationProvider; +import org.apache.logging.log4j.core.util.internal.SystemUtils; import org.apache.logging.log4j.util.PropertiesUtil; import org.apache.logging.log4j.util.Strings; @@ -51,7 +52,24 @@ public class UrlConnectionFactory { private static final String HTTP = "http"; private static final String HTTPS = "https"; private static final String JAR = "jar"; - private static final String DEFAULT_ALLOWED_PROTOCOLS = "https, file, jar"; + /** + * Default list of protocols that are allowed to be used for configuration files and other trusted resources. + * <p> + * By default, we trust the following protocols: + * <dl> + * <dt>file</dt> + * <dd>Local files</dd> + * <dt>https</dt> + * <dd>Resources retrieved through TLS to guarantee their integrity</dd> + * <dt>jar</dt> + * <dd>Resources retrieved from JAR files</dd> + * <dt>resource</dt> + * <dd>Resources embedded in a GraalVM native image</dd> + * </dl> + */ + private static final String DEFAULT_ALLOWED_PROTOCOLS = + SystemUtils.isGraalVm() ? "file, https, jar, resource" : "file, https, jar"; + private static final String NO_PROTOCOLS = "_none"; public static final String ALLOWED_PROTOCOLS = "log4j2.Configuration.allowedProtocols"; diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java index b7b3d9cbb4..23d60ce688 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java @@ -36,5 +36,21 @@ public final class SystemUtils { return getJavaVendor().contains("Android"); } + /** + * Checks if the current runtime is GraalVM. + * <p> + * See <a href="https://www.graalvm.org/sdk/javadoc/org/graalvm/nativeimage/ImageInfo.html#PROPERTY_IMAGE_CODE_KEY";>ImageInfo.PROPERTY_IMAGE_CODE_KEY</a>. + * </p> + * @return true if the current runtime is GraalVM, false otherwise. + */ + public static boolean isGraalVm() { + try { + return System.getProperty("org.graalvm.nativeimage.imagecode") != null; + } catch (final SecurityException e) { + LOGGER.debug("Unable to determine if the current runtime is GraalVM.", e); + return false; + } + } + private SystemUtils() {} } diff --git a/src/changelog/.2.x.x/3790_allow-resource-protocol.xml b/src/changelog/.2.x.x/3790_allow-resource-protocol.xml new file mode 100644 index 0000000000..ffa3c80e30 --- /dev/null +++ b/src/changelog/.2.x.x/3790_allow-resource-protocol.xml @@ -0,0 +1,12 @@ +<?xml version="1.0" encoding="UTF-8"?> +<entry xmlns="https://logging.apache.org/xml/ns"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xsi:schemaLocation=" + https://logging.apache.org/xml/ns + https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"; + type="fixed"> + <issue id="3790" link="https://github.com/apache/logging-log4j2/issues/3790"/> + <description format="asciidoc"> + Allow `resource:` protocol for configuration files by default, if the current runtime is GraalVM. + </description> +</entry> diff --git a/src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc b/src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc index 445c9ec541..3c662698c9 100644 --- a/src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc +++ b/src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc @@ -21,9 +21,17 @@ [cols="1h,5"] |=== -| Env. variable | `LOG4J_CONFIGURATION_ALLOWED_PROTOCOLS` -| Type | Comma-separated list of https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`] protocols -| Default value | `file, https, jar` +| Env. variable +| `LOG4J_CONFIGURATION_ALLOWED_PROTOCOLS` + +| Type +| Comma-separated list of https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`] protocols + +| Default value +| +`file, https, jar` (JVM) + +`file, https, jar, resource` (GraalVM) |=== A comma separated list of https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`] protocols that may be used to load any kind of configuration source.
