Skip to content

Harden SSRF, XXE, and JWT verification (pen-test remediation)#320

Merged
namedgraph merged 2 commits into
developfrom
security-hardening
Jul 13, 2026
Merged

Harden SSRF, XXE, and JWT verification (pen-test remediation)#320
namedgraph merged 2 commits into
developfrom
security-hardening

Conversation

@namedgraph

Copy link
Copy Markdown
Member
  • URLValidator: block loopback (127.0.0.0/8, ::1) and wildcard (0.0.0.0, ::) addresses in addition to link-local/private, and check every resolved address to narrow the DNS-rebinding window (LNK-003/LNK-009). ALLOW_INTERNAL_URLS remains the development escape hatch. Extend URLValidatorTest.
  • SecureXML: hardened parser factories. XSLTMasterUpdater parses with DTDs and external entities disabled; ldh:send-request (SendHTTPRequest) parses external responses with secure processing (entity-expansion capped) and external entities disabled (LNK-005 residual).
  • Upgrade java-jwt 3.19.4 -> 4.5.2 on the OAuth2/OIDC verification path; adapt the one breaking call (IDTokenFilterBase TokenExpiredException now takes an Instant); add JWKS-based JWTVerifier tests.
  • Document the pinned-truststore invariant behind the disabled hostname verifier on internal HTTP clients.

namedgraph and others added 2 commits July 11, 2026 16:49
- URLValidator: block loopback (127.0.0.0/8, ::1) and wildcard (0.0.0.0, ::)
  addresses in addition to link-local/private, and check every resolved address
  to narrow the DNS-rebinding window (LNK-003/LNK-009). ALLOW_INTERNAL_URLS
  remains the development escape hatch. Extend URLValidatorTest.
- SecureXML: hardened parser factories. XSLTMasterUpdater parses with DTDs and
  external entities disabled; ldh:send-request (SendHTTPRequest) parses external
  responses with secure processing (entity-expansion capped) and external
  entities disabled (LNK-005 residual).
- Upgrade java-jwt 3.19.4 -> 4.5.2 on the OAuth2/OIDC verification path; adapt
  the one breaking call (IDTokenFilterBase TokenExpiredException now takes an
  Instant); add JWKS-based JWTVerifier tests.
- Document the pinned-truststore invariant behind the disabled hostname verifier
  on internal HTTP clients.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The loopback block broke the HTTP test suite: it runs entirely on
https://localhost:4443/, so every client-cert WebID is a localhost URI that
WebIDFilter validates on each authenticated request. Blocking loopback turned
those into InternalURLException -> 400 on every authenticated call.

LDH dereferences its own documents/WebIDs on the same origin (loopback in
local/test deployments), and the actual pen-test target (fuseki-admin:3030) is
site-local and already blocked, so loopback blocking added little and fought the
architecture. Keep the wildcard/any-local block and the all-addresses
DNS-rebinding check; leave loopback reachable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@namedgraph namedgraph changed the base branch from master to develop July 12, 2026 06:29
@namedgraph namedgraph merged commit b5bd857 into develop Jul 13, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant