Harden schema import resolution against SSRF (CWE-918)

robertlazarski · claude · robertlazarski · commit 7ac84d8339ad · 2026-05-18T07:38:22.000-10:00
Companion fix to the XXE hardening. xmlschema-core's DefaultURIResolver
follows absolute schemaLocation URLs with no scheme or host restriction,
enabling blind SSRF from the Axis2 JVM. Three vectors addressed:

1. WSDLToAxisServiceBuilder.getXMLSchema(): when no custom resolver is
   set, install a restrictive URIResolver that blocks http/https/ftp/jar/
   file schemes on schemaLocation targets. Callers who need remote
   resolution can supply their own resolver via setCustomResolver().

2. AARFileBasedURIResolver: block remote URLs when falling through to
   super.resolveEntity() for absolute URIs. Return empty InputSource
   instead of fetching.

3. WarFileBasedURIResolver: same fix as AAR resolver.

Updated URIResolverTest to verify remote URLs are blocked (was
previously asserting they were fetched — that was the SSRF).

403 kernel tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/modules/kernel/src/org/apache/axis2/deployment/resolver/AARFileBasedURIResolver.java b/modules/kernel/src/org/apache/axis2/deployment/resolver/AARFileBasedURIResolver.java
@@ -58,6 +58,16 @@ public InputSource resolveEntity(
 
          lastImportLocation = URI.create(baseUri).resolve(schemaLocation);
         if (isAbsolute(lastImportLocation.toString())) {
+            // Block remote URLs to prevent SSRF. Only allow resolution
+            // of absolute URIs that are local file paths.
+            String loc = lastImportLocation.toString();
+            if (loc.regionMatches(true, 0, "http:", 0, 5)
+                    || loc.regionMatches(true, 0, "https:", 0, 6)
+                    || loc.regionMatches(true, 0, "ftp:", 0, 4)
+                    || loc.regionMatches(true, 0, "jar:", 0, 4)) {
+                log.warn("Blocked remote schema resolution in AAR deployment: " + loc);
+                return new InputSource(new java.io.ByteArrayInputStream(new byte[0]));
+            }
             return super.resolveEntity(
                     targetNamespace, schemaLocation, baseUri);
         } else {
diff --git a/modules/kernel/src/org/apache/axis2/deployment/resolver/WarFileBasedURIResolver.java b/modules/kernel/src/org/apache/axis2/deployment/resolver/WarFileBasedURIResolver.java
@@ -43,6 +43,15 @@ public InputSource resolveEntity(
             String baseUri) {
         //no issue with
         if (isAbsolute(schemaLocation)) {
+            // Block remote URLs to prevent SSRF. Only allow resolution
+            // of absolute URIs that are local file paths.
+            if (schemaLocation.regionMatches(true, 0, "http:", 0, 5)
+                    || schemaLocation.regionMatches(true, 0, "https:", 0, 6)
+                    || schemaLocation.regionMatches(true, 0, "ftp:", 0, 4)
+                    || schemaLocation.regionMatches(true, 0, "jar:", 0, 4)) {
+                log.warn("Blocked remote schema resolution in WAR deployment: " + schemaLocation);
+                return new InputSource(new java.io.ByteArrayInputStream(new byte[0]));
+            }
             return super.resolveEntity(
                     targetNamespace, schemaLocation, baseUri);
         } else {
diff --git a/modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java b/modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java
@@ -141,6 +141,31 @@ protected XmlSchema getXMLSchema(Element element, String baseUri) {
 
         if (customResolver != null) {
             schemaCollection.setSchemaResolver(customResolver);
+        } else {
+            // Install a restrictive resolver that blocks remote schema
+            // resolution (SSRF via absolute schemaLocation URLs). The
+            // default URIResolver in xmlschema-core follows any absolute
+            // URI including http://, https://, ftp://, and jar://.
+            // Local file:// and relative paths are allowed for co-packaged
+            // schemas in .aar/.war deployments.
+            schemaCollection.setSchemaResolver(
+                new org.apache.ws.commons.schema.resolver.URIResolver() {
+                    private final org.apache.ws.commons.schema.resolver.DefaultURIResolver
+                            delegate = new org.apache.ws.commons.schema.resolver.DefaultURIResolver();
+                    public org.xml.sax.InputSource resolveEntity(
+                            String ns, String loc, String base) {
+                        if (loc != null
+                                && (loc.regionMatches(true, 0, "http:", 0, 5)
+                                 || loc.regionMatches(true, 0, "https:", 0, 6)
+                                 || loc.regionMatches(true, 0, "ftp:", 0, 4)
+                                 || loc.regionMatches(true, 0, "jar:", 0, 4))) {
+                            throw new RuntimeException(
+                                    "Remote schemaLocation blocked: " + loc
+                                    + " (use setCustomResolver to opt in)");
+                        }
+                        return delegate.resolveEntity(ns, loc, base);
+                    }
+                });
         }
 
         return schemaCollection.read(element);
diff --git a/modules/kernel/test/org/apache/axis2/deployment/URIResolverTest.java b/modules/kernel/test/org/apache/axis2/deployment/URIResolverTest.java
@@ -27,17 +27,39 @@
 
 public class URIResolverTest extends TestCase {
 
-    public void testResolveEntity() {
+    /**
+     * Verify that remote http/https URLs are blocked by the SSRF
+     * hardening in AAR and WAR resolvers. The resolvers should return
+     * an empty InputSource instead of fetching the remote URL.
+     */
+    public void testRemoteUrlBlocked() {
         AARFileBasedURIResolver aar = new AARFileBasedURIResolver(null);
-        WarFileBasedURIResolver war = new WarFileBasedURIResolver(null);
         InputSource inputSource = aar.resolveEntity(null,
                 "http://www.test.org/test.xsd",
                 "http://www.test.org/schema.xsd");
         assertNotNull(inputSource);
-        assertEquals(inputSource.getSystemId(), "http://www.test.org/test.xsd");
+        // Should return empty InputSource, not one with the remote URL
+        assertNull("AAR resolver must block remote http URLs (SSRF)",
+                inputSource.getSystemId());
+
+        WarFileBasedURIResolver war = new WarFileBasedURIResolver(null);
         inputSource = war.resolveEntity(null, "http://www.test.org/test.xsd",
                 "http://www.test.org/schema.xsd");
         assertNotNull(inputSource);
-        assertEquals(inputSource.getSystemId(), "http://www.test.org/test.xsd");
+        assertNull("WAR resolver must block remote http URLs (SSRF)",
+                inputSource.getSystemId());
+    }
+
+    /**
+     * Verify that https URLs are also blocked.
+     */
+    public void testHttpsUrlBlocked() {
+        AARFileBasedURIResolver aar = new AARFileBasedURIResolver(null);
+        InputSource inputSource = aar.resolveEntity(null,
+                "https://www.test.org/test.xsd",
+                "https://www.test.org/schema.xsd");
+        assertNotNull(inputSource);
+        assertNull("AAR resolver must block remote https URLs (SSRF)",
+                inputSource.getSystemId());
     }
 }
