Skip to content

Enforce scheme checks for decoupled destinations#3266

Open
coheigea wants to merge 1 commit into
mainfrom
coheigea/decoupled-destinations-protocol-check
Open

Enforce scheme checks for decoupled destinations#3266
coheigea wants to merge 1 commit into
mainfrom
coheigea/decoupled-destinations-protocol-check

Conversation

@coheigea

Copy link
Copy Markdown
Contributor

No description provided.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces an allowlist-based scheme check for WS-Addressing / WS-RM decoupled destinations (wsa:ReplyTo / wsa:FaultTo) to prevent CXF from opening outbound connections to attacker-controlled URIs, with an optional system-property override for operators.

Changes:

  • Add ContextUtils.isDecoupledDestinationAllowed(String) plus default allowed scheme prefixes and a system-property override.
  • Enforce the allowlist in decoupled backchannel creation paths (WS-Addressing impl, WS-RM internal context).
  • Add protocol-level tests in both WS-Addressing and WS-RM modules to validate allowed/blocked schemes and override behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
core/src/main/java/org/apache/cxf/ws/addressing/ContextUtils.java Adds scheme allowlist + system-property override and applies it to ContextUtils.createDecoupledDestination() via a dedicated DecoupledDestination implementation.
rt/ws/addr/src/main/java/org/apache/cxf/ws/addressing/impl/InternalContextUtils.java Enforces the scheme allowlist for decoupled backchannels and logs a warning when rejecting a disallowed destination.
rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/InternalContextUtils.java Enforces the scheme allowlist for WS-RM decoupled destinations and adjusts helper visibility for testing.
rt/ws/addr/src/test/java/org/apache/cxf/ws/addressing/impl/DecoupledDestinationProtocolTest.java Adds unit/protocol tests covering default allow/deny, override semantics, and ContextUtils decoupled-destination behavior.
rt/ws/rm/src/test/java/org/apache/cxf/ws/rm/DecoupledDestinationProtocolTest.java Adds WS-RM focused protocol tests validating scheme enforcement and override behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread core/src/main/java/org/apache/cxf/ws/addressing/ContextUtils.java
@coheigea coheigea force-pushed the coheigea/decoupled-destinations-protocol-check branch from 825d297 to b142845 Compare June 30, 2026 16:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants