Fix SSRF bypass via relative path + remote base URI, harden WSDL locators

robertlazarski · claude · robertlazarski · commit 0afbb74417b0 · 2026-05-18T07:46:39.000-10:00
Gemini review found that the SSRF check on raw schemaLocation/importLocation
can be bypassed when a relative path resolves to a remote URL via the base
URI (e.g., relative "evil.xsd" + base "http://attacker/wsdl/" = remote fetch).

Fixes:
1. WSDLToAxisServiceBuilder restrictive resolver: resolve loc against base
   before checking scheme.
2. WarFileBasedURIResolver: resolve schemaLocation against baseUri before
   the absolute/remote check (AARFileBasedURIResolver already resolves first).
3. AARBasedWSDLLocator: block remote URLs in getImportInputSource() for
   &lt;wsdl:import&gt; targets (was only patched for &lt;xsd:import&gt;).
4. WarBasedWSDLLocator: same fix, check resolved URI not raw importLocation.
5. URIResolverTest: add relative-path-with-remote-base bypass test.

404 kernel tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/modules/kernel/src/org/apache/axis2/deployment/resolver/AARBasedWSDLLocator.java b/modules/kernel/src/org/apache/axis2/deployment/resolver/AARBasedWSDLLocator.java
@@ -70,8 +70,17 @@ public InputSource getBaseInputSource() {
      */
     public InputSource getImportInputSource(String parentLocation, String importLocation) {
         lastImportLocation = URI.create(parentLocation).resolve(importLocation);
-
-        if (isAbsolute(lastImportLocation.toString())) {
+        String loc = lastImportLocation.toString();
+
+        if (isAbsolute(loc)) {
+            // Block remote URLs to prevent SSRF in WSDL imports
+            if (loc.regionMatches(true, 0, "http:", 0, 5)
+                    || loc.regionMatches(true, 0, "https:", 0, 6)
+                    || loc.regionMatches(true, 0, "ftp:", 0, 4)
+                    || loc.regionMatches(true, 0, "jar:", 0, 4)) {
+                throw new RuntimeException(
+                        "Remote WSDL import blocked: " + loc);
+            }
             return super.resolveEntity(
                     null, importLocation, parentLocation);
         } else {
diff --git a/modules/kernel/src/org/apache/axis2/deployment/resolver/WarBasedWSDLLocator.java b/modules/kernel/src/org/apache/axis2/deployment/resolver/WarBasedWSDLLocator.java
@@ -57,13 +57,21 @@ public InputSource getBaseInputSource() {
      */
     public InputSource getImportInputSource(String parentLocation, String importLocation) {
         lastImportLocation = URI.create(parentLocation).resolve(importLocation);
+        String loc = lastImportLocation.toString();
 
-        if (isAbsolute(importLocation)) {
+        if (isAbsolute(loc)) {
+            // Block remote URLs to prevent SSRF in WSDL imports
+            if (loc.regionMatches(true, 0, "http:", 0, 5)
+                    || loc.regionMatches(true, 0, "https:", 0, 6)
+                    || loc.regionMatches(true, 0, "ftp:", 0, 4)
+                    || loc.regionMatches(true, 0, "jar:", 0, 4)) {
+                throw new RuntimeException(
+                        "Remote WSDL import blocked: " + loc);
+            }
             return super.resolveEntity(
                     null, importLocation, parentLocation);
         } else {
-            String searchingStr = lastImportLocation.toString();
-            return new InputSource(classLoader.getResourceAsStream(searchingStr));
+            return new InputSource(classLoader.getResourceAsStream(loc));
         }
     }
 
diff --git a/modules/kernel/src/org/apache/axis2/deployment/resolver/WarFileBasedURIResolver.java b/modules/kernel/src/org/apache/axis2/deployment/resolver/WarFileBasedURIResolver.java
@@ -41,15 +41,25 @@ public InputSource resolveEntity(
             String targetNamespace,
             String schemaLocation,
             String baseUri) {
-        //no issue with
-        if (isAbsolute(schemaLocation)) {
-            // Block remote URLs to prevent SSRF. Only allow resolution
-            // of absolute URIs that are local file paths.
-            if (schemaLocation.regionMatches(true, 0, "http:", 0, 5)
-                    || schemaLocation.regionMatches(true, 0, "https:", 0, 6)
-                    || schemaLocation.regionMatches(true, 0, "ftp:", 0, 4)
-                    || schemaLocation.regionMatches(true, 0, "jar:", 0, 4)) {
-                log.warn("Blocked remote schema resolution in WAR deployment: " + schemaLocation);
+        // Resolve against base URI first to catch relative + remote base bypass
+        URI resolvedURI;
+        try {
+            resolvedURI = (baseUri != null)
+                    ? URI.create(baseUri).resolve(schemaLocation)
+                    : URI.create(schemaLocation);
+        } catch (IllegalArgumentException e) {
+            log.warn("Invalid URI syntax for schema location: " + schemaLocation);
+            return new InputSource(new java.io.ByteArrayInputStream(new byte[0]));
+        }
+        String resolved = resolvedURI.toString();
+
+        if (isAbsolute(resolved)) {
+            // Block remote URLs to prevent SSRF
+            if (resolved.regionMatches(true, 0, "http:", 0, 5)
+                    || resolved.regionMatches(true, 0, "https:", 0, 6)
+                    || resolved.regionMatches(true, 0, "ftp:", 0, 4)
+                    || resolved.regionMatches(true, 0, "jar:", 0, 4)) {
+                log.warn("Blocked remote schema resolution in WAR deployment: " + resolved);
                 return new InputSource(new java.io.ByteArrayInputStream(new byte[0]));
             }
             return super.resolveEntity(
@@ -60,10 +70,7 @@ public InputSource resolveEntity(
                 throw new RuntimeException(
                         "Unsupported schema location " + schemaLocation);
             }
-
-            URI lastImportLocation = URI.create(baseUri).resolve(schemaLocation);
-            String searchingStr = lastImportLocation.toString();
-            return new InputSource(classLoader.getResourceAsStream(searchingStr));
+            return new InputSource(classLoader.getResourceAsStream(resolved));
         }
     }
 }
diff --git a/modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java b/modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java
@@ -154,13 +154,22 @@ protected XmlSchema getXMLSchema(Element element, String baseUri) {
                             delegate = new org.apache.ws.commons.schema.resolver.DefaultURIResolver();
                     public org.xml.sax.InputSource resolveEntity(
                             String ns, String loc, String base) {
-                        if (loc != null
-                                && (loc.regionMatches(true, 0, "http:", 0, 5)
-                                 || loc.regionMatches(true, 0, "https:", 0, 6)
-                                 || loc.regionMatches(true, 0, "ftp:", 0, 4)
-                                 || loc.regionMatches(true, 0, "jar:", 0, 4))) {
+                        // Resolve against base URI before checking —
+                        // a relative loc with a remote base must be caught
+                        String resolved = loc;
+                        if (base != null && loc != null) {
+                            try {
+                                resolved = java.net.URI.create(base).resolve(loc).toString();
+                            } catch (IllegalArgumentException ignored) {
+                            }
+                        }
+                        if (resolved != null
+                                && (resolved.regionMatches(true, 0, "http:", 0, 5)
+                                 || resolved.regionMatches(true, 0, "https:", 0, 6)
+                                 || resolved.regionMatches(true, 0, "ftp:", 0, 4)
+                                 || resolved.regionMatches(true, 0, "jar:", 0, 4))) {
                             throw new RuntimeException(
-                                    "Remote schemaLocation blocked: " + loc
+                                    "Remote schemaLocation blocked: " + resolved
                                     + " (use setCustomResolver to opt in)");
                         }
                         return delegate.resolveEntity(ns, loc, base);
diff --git a/modules/kernel/test/org/apache/axis2/deployment/URIResolverTest.java b/modules/kernel/test/org/apache/axis2/deployment/URIResolverTest.java
@@ -62,4 +62,20 @@ public void testHttpsUrlBlocked() {
         assertNull("AAR resolver must block remote https URLs (SSRF)",
                 inputSource.getSystemId());
     }
+
+    /**
+     * Verify that a relative schemaLocation with a remote baseUri is
+     * blocked — prevents the bypass where a relative path resolves to
+     * a remote URL via the base URI.
+     */
+    public void testRelativePathWithRemoteBaseBlocked() {
+        WarFileBasedURIResolver war = new WarFileBasedURIResolver(null);
+        InputSource inputSource = war.resolveEntity(null,
+                "evil.xsd",
+                "http://attacker.example.com/wsdl/");
+        assertNotNull(inputSource);
+        // Resolved URI is http://attacker.example.com/wsdl/evil.xsd — must be blocked
+        assertNull("WAR resolver must block relative path resolving to remote URL",
+                inputSource.getSystemId());
+    }
 }
