
False positive - Java - Server-side request forgery - When type converted to File #16949

Open

@JLLeitschuh

Description of the false positive

If a URI or URL is created from a File, it isn't a valid source of SSRF. This is because, AFAIK, opening a stream from a file will never create a socket request.

```java
// Flagged pattern: the URL is derived from a File, so it is a file: URL, not a remote one
new File("untrusted-user-input.txt").toURI().toURL().openStream()
```

Code samples or links to source code

https://github.com/keycloak/keycloak/blob/0bfadacffd1112e6fa6fdce5b6662b08aeb15d79/services/src/main/java/org/keycloak/theme/FolderTheme.java#L101-L101

URL to the alert on GitHub code scanning (optional)

https://github.com/Chainguard-Wolfi-Bites-Back/keycloak__keycloak/security/code-scanning/18

Reasonable Fix

It should be simple to add any type conversion to a File as a simple sanitizer.
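To show concretely why the File-derived URL is not a network sink, here is an added example (not code from the issue or from Keycloak) that builds URLs the same way and inspects their scheme and host; the inputs are constructed to look like remote URLs, and the method names are my own.

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;

public class FileUrlSchemeCheck {

    // Same conversion chain as the flagged code: untrusted text -> File -> URI -> URL.
    static URL fileDerivedUrl(String untrusted) throws MalformedURLException {
        return new File(untrusted).toURI().toURL();
    }

    // True when the URL has the file scheme and no authority, i.e. the JDK's
    // file handler will hand it to the local filesystem rather than open a socket.
    // Caveat: on Windows a UNC-style input (\\server\share\x) still maps to a
    // network share that the OS, not Java, resolves, so path validation is still needed.
    static boolean isLocalFileUrl(URL url) {
        String host = url.getHost();
        return "file".equals(url.getProtocol()) && (host == null || host.isEmpty());
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample inputs; File normalises them into plain paths, so even
        // the ones that look like http:// or //host URLs end up as file: URLs.
        String[] samples = {
            "untrusted-user-input.txt",
            "http://example.invalid/resource",
            "//example.invalid/share/file.txt",
        };
        for (String s : samples) {
            URL u = fileDerivedUrl(s);
            System.out.printf("%-36s -> %s (local file: %b)%n", s, u, isLocalFileUrl(u));
        }
    }
}
```

Whatever the input text, the scheme is always `file` and the input only ever becomes a path component; the remaining risk for such a sink is path traversal on the filesystem, which is a different query from SSRF.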
