Skip to content

Add secure property and XML retrieval endpoints to ApiResource#465

Closed
apeiris wants to merge 1 commit into
OpenAS2:masterfrom
apeiris:master
Closed

Add secure property and XML retrieval endpoints to ApiResource#465
apeiris wants to merge 1 commit into
OpenAS2:masterfrom
apeiris:master

Conversation

@apeiris

@apeiris apeiris commented Aug 25, 2025

Copy link
Copy Markdown
Contributor

Title:
Add secure property and XML retrieval endpoints to ApiResource

Description:
This pull request introduces two new administrative endpoints in ApiResource and enforces security measures to prevent sensitive information exposure:

Changes:

  • /getPropertyList endpoint:

    • Returns application properties as JSON.
    • Accessible only to ADMIN role.
    • Requests from non-localhost clients must use HTTPS; otherwise, a 403 FORBIDDEN is returned.

  • /getXml endpoint:

    • Returns XML content filtered via an XPath expression.
    • Accessible only to ADMIN role.
    • Requests from non-localhost clients must use HTTPS; otherwise, a 403 FORBIDDEN is returned.
    • Includes XXE protection to prevent external entity injection attacks.

  • Security enhancements:

    • isLocalhost(Request) helper allows local testing while enforcing HTTPS for remote clients.
    • Requests over HTTP from remote machines are blocked, ensuring sensitive information is never exposed insecurely.

  • Other updates:

    • Updated imports, removed unused imports, and cleaned up code formatting.
    • Logging added for exceptions during XML parsing and property retrieval.

Notes:

  • These endpoints are intended for administrative/debugging purposes and should be accessed only from trusted environments.
  • Any sensitive values are protected by HTTPS enforcement; local development remains possible without TLS.

If you want, I can also draft a shorter, GitHub-friendly one-paragraph version suitable for casual PR reviews. Do you want me to do that?

@apeiris
Add secure property and XML retrieval endpoints to ApiResource
b04b684 
- Introduced /getPropertyList endpoint returning application properties as JSON.
- Introduced /getXml endpoint returning XML content filtered via XPath.
- Added HTTPS enforcement for non-localhost requests to prevent exposure of sensitive information.
- Implemented isLocalhost(Request) helper for local testing exceptions.
- Added XML parsing with XXE protection.
- Updated imports and cleaned up unused imports.
github-advanced-security[bot]
github-advanced-security AI found potential problems Aug 25, 2025
View reviewed changes
Comment thread Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java

Session session = getProcessor().getSession();
String filePath = session.getBaseDirectory() + "/" + filename;
try {

Check failure

Code scanning / CodeQL

XPath injection Critical

XPath expression depends on a
user-provided value
Loading
.
@apeiris apeiris closed this Aug 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@apeiris @github-advanced-security