
Restrict protocols that can be used when creating a project from a URL #4918

Closed
wetneb opened this issue Jun 3, 2022 · 0 comments · Fixed by #4919
Labels
fetch urls About fetching URLs in a project import About importers in general - add a label for the data format if available vulnerability Security vulnerability which needs fixing

Comments

@wetneb

wetneb commented Jun 3, 2022

We use Java's URLConnection to download the content of a file when creating a project from a URL.
This class supports various protocols, some of which can cause the software to execute user-supplied code when fetching the resource. This is potentially a vulnerability in situations where OpenRefine is hosted (which we do not officially support).

We should therefore restrict the set of protocols that can be used in this feature, for instance to http, https, ftp and sftp.

@wetneb wetneb added import About importers in general - add a label for the data format if available fetch urls About fetching URLs in a project vulnerability Security vulnerability which needs fixing labels Jun 3, 2022
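One way to implement the protocol allowlist proposed in the issue, written here as an added example rather than OpenRefine's own code: the scheme is checked before `URLConnection` is ever opened, so handlers for other protocols are never reached. The class and method names are hypothetical and the sample URLs are constructed.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.util.Locale;
import java.util.Set;

public class RestrictedUrlFetcher {
    // Allowlist of schemes as suggested in the issue; anything else is rejected.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "ftp", "sftp");

    /** Parses the user-supplied string and rejects any scheme not on the allowlist. */
    public static URL validate(String userInput) throws MalformedURLException {
        URI uri;
        try {
            uri = new URI(userInput.trim());
        } catch (URISyntaxException e) {
            throw new MalformedURLException("Not a valid URL: " + e.getMessage());
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            throw new MalformedURLException("URL must include a scheme");
        }
        // URL treats the protocol case-insensitively, so "FILE:" must be caught like "file:".
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new MalformedURLException("Protocol not allowed: " + scheme);
        }
        return uri.toURL();
    }

    /** Opens a connection only after the scheme check has passed. */
    public static URLConnection openRestricted(String userInput) throws IOException {
        return validate(userInput).openConnection();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; they are only validated here, nothing is fetched.
        String[] samples = { "https://example.org/data.csv", "FTP://example.org/pub/data.tsv",
                "file:///tmp/local.csv", "jar:https://example.org/a.jar!/x", "no-scheme.csv" };
        for (String s : samples) {
            try {
                validate(s);
                System.out.println("allowed  " + s);
            } catch (MalformedURLException e) {
                System.out.println("rejected " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```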