ppkarwasz commented on code in PR #636:
URL: https://github.com/apache/commons-configuration/pull/636#discussion_r3225938844


##########
src/main/java/org/apache/commons/configuration2/io/AbstractFileLocationStrategy.java:
##########
@@ -204,6 +205,55 @@ public T get() {
      */
     private static final String KEY_SCHEMES = 
"org.apache.commons.configuration2.io.FileLocationStrategy.schemes";
 
+    private static void checkHost(String value, final Set<Pattern> validSet) {
+        final String lowerCase = StringUtils.toRootLowerCase(value);
+        if (!validSet.isEmpty() && StringUtils.isNotEmpty(lowerCase) && 
validSet.stream().noneMatch(p -> p.matcher(lowerCase).matches())) {
+            throw new ConfigurationDeniedException("URL host is not enabled: 
%s; must be one of %s", value, validSet);
+        }
+    }
+
+    /**
+     * Checks if the scheme is allowed.
+     *
+     * @param value A URL scheme, never empty or {@code null}.
+     * @param validSet the scheme allow-set.
+     */
+    private static void checkScheme(final String value, final Set<String> 
validSet) {
+        if (!validSet.isEmpty() && 
!validSet.contains(StringUtils.toRootLowerCase(value))) {
+            throw new ConfigurationDeniedException("URL scheme \"%s\" is not 
enabled, must be one of %s, override defaults with the system property \"%s\", "
+                    + "complete set: \"file,http,https,jar\"", value, 
validSet, KEY_SCHEMES);
+        }
+    }
+
+    /**
+     * Validates {@code url} against the scheme and host allow-lists.
+     *
+     * @param url           the URL to check.
+     * @param validSchemes  the scheme allow-set.
+     * @param validHosts    the host allow-set.
+     * @throws ConfigurationDeniedException if the URL or any embedded URL 
fails the check, or a {@code jar:} URL is malformed.
+     */
+    static void checkUrl(final URL url, final Set<String> validSchemes, final 
Set<Pattern> validHosts) {
+        String scheme = url.getProtocol();
+        checkScheme(scheme, validSchemes);
+        if ("jar".equalsIgnoreCase(scheme)) {
+            try {
+                // Follows the logic of JarURLConnection#parseSpecs without 
the cost of opening a connection.
+                final String spec = url.getFile();
+                final int sep = spec.lastIndexOf("!/");
+                if (sep < 0) {
+                    throw new MalformedURLException("no !/ found in url spec:" 
+ spec);
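
Review bot: In `checkHost` (first added block), the `StringUtils.isNotEmpty(lowerCase)` guard means a URL with an empty host always passes, even when a non-empty host allow-list is configured; that is presumably intended so `file:` URLs are not rejected, but nothing says so. Give `checkHost` Javadoc like the one on `checkScheme` that states explicitly that an empty host is always allowed, and make `value` `final` to match the other parameters (`checkUrl` has the same non-final `String scheme`). Separately, the `checkScheme` message hard-codes `complete set: "file,http,https,jar"`; if the supported set ever changes that text will be wrong, so consider deriving it from the same source as the default allow-set rather than a literal.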

Review Comment:
   The message intentionally matches the one in `JarURLConnection`:
   
   
https://github.com/openjdk/jdk/blob/4edfc387f160dfeb8a67408b1bd98ea45f51d36c/src/java.base/share/classes/java/net/JarURLConnection.java#L167



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.