This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ws-neethi.git


The following commit(s) were added to refs/heads/master by this push:
     new 196862e  Forbidding references to link-local addresses
196862e is described below

commit 196862e97da09de193e5c663b6246a1cc476ce41
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue Apr 21 13:20:19 2026 +0100

    Forbidding references to link-local addresses
---
 src/main/java/org/apache/neethi/PolicyReference.java | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/main/java/org/apache/neethi/PolicyReference.java 
b/src/main/java/org/apache/neethi/PolicyReference.java
index 13a7fd3..8477f50 100644
--- a/src/main/java/org/apache/neethi/PolicyReference.java
+++ b/src/main/java/org/apache/neethi/PolicyReference.java
@@ -21,9 +21,11 @@ package org.apache.neethi;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.InetAddress;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.net.UnknownHostException;
 
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamWriter;
@@ -148,6 +150,22 @@ public class PolicyReference implements PolicyComponent {
             throw new RuntimeException("Unsupported URI scheme: only http and 
https are permitted.");
         }
 
+        // Resolve the host to an IP and reject addresses that can never serve 
a policy document:
+        //   - link-local  (169.254.x.x / fe80::/10) — cloud IMDS, 
auto-configuration
+        //   - multicast   (224.0.0.0/4 / ff00::/8)  — no HTTP server listens 
at a multicast address
+        //   - any-local   (0.0.0.0 / ::)             — unspecified/wildcard, 
not a valid destination
+        // Loopback (127.x.x.x / ::1) and site-local (RFC-1918) addresses are 
permitted
+        // so that policies on localhost or an internal network can be 
resolved.
+        try {
+            InetAddress addr = InetAddress.getByName(url.getHost());
+            if (addr.isLinkLocalAddress() || addr.isMulticastAddress() || 
addr.isAnyLocalAddress()) {
+                throw new RuntimeException(
+                    "PolicyReference URI resolves to a forbidden address 
(link-local, multicast, or wildcard).");
+            }
+        } catch (UnknownHostException e) {
+            throw new RuntimeException("PolicyReference URI host could not be 
resolved.");
+        }
+
         try {
             URLConnection connection = url.openConnection();
             connection.setDoInput(true);
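Review bot: The new address check and the later `url.openConnection()` each resolve `url.getHost()` on their own, so the validation inspects one answer (only the first record from `InetAddress.getByName`) while the connection may use a different one; a tighter version iterates `InetAddress.getAllByName(url.getHost())` and rejects the reference if any returned address is link-local, multicast or any-local, and ideally the connection would be made to the already-validated address rather than re-resolving the name. The `UnknownHostException` handler also discards its cause — `throw new RuntimeException("PolicyReference URI host could not be resolved.", e);` keeps it for diagnosis without changing the message. Since `HttpURLConnection` follows redirects by default, a permitted host could presumably still redirect to an otherwise forbidden address unless redirects are disabled or the target is re-checked; that part of the connection setup after `setDoInput` is not visible here. The enclosing method starts and ends outside the hunk.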
