still support simple named resources when protocol restrictions are p…

…resent
pixee · Jun 25, 2024 · 1eb98ad · 1eb98ad
1 parent 8aea291
commit 1eb98ad
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/src/main/java/io/github/pixee/security/JNDI.java b/src/main/java/io/github/pixee/security/JNDI.java
@@ -58,10 +58,14 @@ private ProtocolLimitedContext(final Context context, final Set<UrlProtocol> all
         public Object lookup(final String resource) throws NamingException {
             Set<String> allowedProtocolPrefixes = allowedProtocols.stream().map(UrlProtocol::getKey).map(p -> p + ":").collect(Collectors.toSet());
             String canonicalResource = resource.toLowerCase().trim();
-            if (allowedProtocolPrefixes.stream().anyMatch(canonicalResource::startsWith)) {
-                return context.lookup(resource);
+            if(canonicalResource.contains(":")) {
+                if (allowedProtocolPrefixes.stream().anyMatch(canonicalResource::startsWith)) {
+                    return context.lookup(resource);
+                } else {
+                    throw new SecurityException("Unexpected JNDI resource protocol: " + resource);
+                }
             }
-            throw new SecurityException("Unexpected JNDI resource protocol: " + resource);
+            return context.lookup(resource);
         }
     }
 

diff --git a/src/test/java/io/github/pixee/security/JNDITest.java b/src/test/java/io/github/pixee/security/JNDITest.java
@@ -40,6 +40,9 @@ void it_limits_resources_by_name() throws NamingException {
     void it_limits_resources_by_protocol() throws NamingException {
         JNDI.LimitedContext onlyJavaContext = JNDI.limitedContextByProtocol(context, J8ApiBridge.setOf(UrlProtocol.JAVA));
         assertThat(onlyJavaContext.lookup("java:comp/env"), is(JAVA_OBJECT));
+
+        // confirm protocols protections dont restrict simple name lookups
+        assertThat(onlyJavaContext.lookup("simple_name"), is(NAMED_OBJECT));
         assertThrows(SecurityException.class, () -> onlyJavaContext.lookup("ldap://localhost:1389/ou=system"));
         assertThrows(SecurityException.class, () -> onlyJavaContext.lookup("rmi://localhost:1099/evil"));
 
@@ -58,6 +61,9 @@ void it_limits_resources_by_protocol() throws NamingException {
     void default_limits_rmi_and_ldap() throws NamingException {
         JNDI.LimitedContext defaultLimitedContext = JNDI.limitedContext(context);
         assertThat(defaultLimitedContext.lookup("java:comp/env"), is(JAVA_OBJECT));
+
+        // confirm simple name lookups still work
+        assertThat(defaultLimitedContext.lookup("simple_name"), is(NAMED_OBJECT));
         assertThrows(SecurityException.class, () -> defaultLimitedContext.lookup("rmi://localhost:1099/evil"));
         assertThrows(SecurityException.class, () -> defaultLimitedContext.lookup("ldap://localhost:1389/ou=system"));
     }