Forbid LDAP/RMI from JndiHelper (#2414)

coheigea · coheigea · commit 4f717df024c7 · 2025-05-20T15:57:53.000+01:00
(cherry picked from commit 24e50ff)
diff --git a/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java b/rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java
@@ -34,6 +34,13 @@ public class JndiHelper {
      */
     public JndiHelper(Properties environment) {
         this.environment = environment;
+
+        // Avoid unsafe protocols if they are somehow misconfigured
+        String providerUrl = environment.getProperty(Context.PROVIDER_URL);
+        if (providerUrl != null && (providerUrl.startsWith("ldap://")
+                || providerUrl.startsWith("rmi://"))) {
+            throw new IllegalArgumentException("Unsafe protocol in JNDI URL: " + providerUrl);
+        }
     }
 
     @SuppressWarnings("unchecked")
diff --git a/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java b/rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java
@@ -19,6 +19,9 @@
 
 package org.apache.cxf.transport.jms;
 
+import java.util.Properties;
+
+import javax.naming.Context;
 import javax.naming.NamingException;
 import javax.transaction.xa.XAException;
 
@@ -35,6 +38,26 @@
 
 public class JMSConfigFactoryTest extends AbstractJMSTester {
 
+    @Test
+    public void testJndiForbiddenProtocol() throws Exception {
+        Properties env = new Properties();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:12345");
+        // Allow following referrals (important for LDAP injection)
+        env.put(Context.REFERRAL, "follow");
+        
+        JMSConfiguration jmsConfig = new JMSConfiguration();
+        jmsConfig.setJndiEnvironment(env);
+        jmsConfig.setConnectionFactoryName("objectName");
+        
+        try {
+            jmsConfig.getConnectionFactory();
+            Assert.fail("JNDI lookup should have failed");
+        } catch (Exception e) {
+            Assert.assertTrue(e.getMessage().contains("Unsafe protocol in JNDI URL"));
+        }
+    }
+
     @Test
     public void testUsernameAndPassword() throws Exception {
         EndpointInfo ei = setupServiceInfo("HelloWorldService", "HelloWorldPort");
