
Harden CIMD URI trust validation (SSRF) and fix case-insensitive domain matching #1478

Closed
Copilot wants to merge 3 commits into ISSUE-45284 from copilot/review-issue-45284-again


Copilot AI commented Feb 28, 2026

Description

This PR tightens ISSUE-45284 CIMD validation in two dimensions: it fixes non-security correctness bugs in trusted-domain matching and restores SSRF-relevant host validation for metadata URIs. It also reviews session swap/hijack risk in the touched flow and keeps existing auth-session behavior unchanged.

  • Non-security correctness fixes

    • Trusted-domain checks are now case-insensitive (hostname + configured domain normalized with Locale.ROOT).
    • verifyUri(...) now handles null URI strings explicitly and returns malformed-URL validation errors consistently.
  • Security hardening (SSRF)

    • CIMD URI validation now resolves hostnames and rejects internal/private targets (anyLocal, loopback, siteLocal, linkLocal) when strict scheme policy is in effect.
    • Host resolution failures are mapped to ERR_HOST_UNRESOLVED early, preventing ambiguous acceptance paths.
  • Session swapping / hijacking review

    • Reviewed the CIMD request/metadata validation path for session-binding weaknesses.
    • No direct session swap/hijack defect was identified in this scope; no behavioral/session-model changes introduced.
  • Representative change

    if (!getConfiguration().isAllowHttpScheme() && isInternalAddress(uri.getHost())) {
        throw invalidClientIdMetadata(ERR_NOTALLOWED_DOMAIN);
    }
    
    protected boolean checkTrustedDomain(String hostname, String trustedDomain) {
        String normalizedHostname = hostname.toLowerCase(Locale.ROOT);
        String normalizedTrustedDomain = trustedDomain.toLowerCase(Locale.ROOT);
        ...
    }

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • repo.gradle.org
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -classpath /home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/boot/plexus-classworlds-2.8.0.jar -Dclassworlds.conf=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/bin/m2.conf -Dmaven.home=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91 -Dlibrary.jansi.path=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/keycloak/keycloak org.codehaus.plexus.classworlds.launcher.Launcher -pl services -DskipTests compile -q (dns block)
  • repository.jboss.org
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -classpath /home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/boot/plexus-classworlds-2.8.0.jar -Dclassworlds.conf=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/bin/m2.conf -Dmaven.home=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91 -Dlibrary.jansi.path=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/keycloak/keycloak org.codehaus.plexus.classworlds.launcher.Launcher -pl services -DskipTests compile -q (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -classpath /home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/boot/plexus-classworlds-2.8.0.jar -Dclassworlds.conf=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/bin/m2.conf -Dmaven.home=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91 -Dlibrary.jansi.path=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/keycloak/keycloak org.codehaus.plexus.classworlds.launcher.Launcher -pl services -am -DskipTests compile -q (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -classpath /home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/boot/plexus-classworlds-2.8.0.jar -Dclassworlds.conf=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/bin/m2.conf -Dmaven.home=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91 -Dlibrary.jansi.path=/home/REDACTED/.m2/wrapper/dists/apache-maven-3.9.8/af622e91/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/keycloak/keycloak org.codehaus.plexus.classworlds.launcher.Launcher -pl testsuite/integration-arquillian/tests/base -am -Dtest=ClientIdMetadataDocumentTest test -q (dns block)


Copilot AI and others added 2 commits February 28, 2026 11:48
Co-authored-by: tnorimat <25092005+tnorimat@users.noreply.github.com>
Co-authored-by: tnorimat <25092005+tnorimat@users.noreply.github.com>
Copilot AI changed the title [WIP] Review branch ISSUE-45284 for security and bug fixes Harden CIMD URI trust validation (SSRF) and fix case-insensitive domain matching Feb 28, 2026
@tnorimat tnorimat closed this Mar 2, 2026
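
The two checks named in the PR description (rejecting hosts that resolve to anyLocal, loopback, siteLocal or linkLocal addresses, and case-insensitive trusted-domain matching) can be exercised with the sketch below, which is an added example and not code from this PR or from Keycloak. The class and method names are hypothetical, the sample URIs are constructed, and the exact-or-subdomain matching rule is an assumption because the body of `checkTrustedDomain` is elided on the page.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;

// Added illustration, not Keycloak code. All names here are hypothetical.
public class CimdUriCheckExample {

    // True if ANY address the host resolves to falls in one of the four
    // categories listed in the PR description. Every record is checked because
    // a name can resolve to a public and a private address at the same time.
    // The verdict only holds if the later fetch connects to a validated address.
    static boolean resolvesToInternal(String host) throws UnknownHostException {
        for (InetAddress a : InetAddress.getAllByName(host)) {
            if (a.isAnyLocalAddress() || a.isLoopbackAddress()
                    || a.isSiteLocalAddress() || a.isLinkLocalAddress()) {
                return true;
            }
        }
        return false;
    }

    // Assumed semantics: exact match, or subdomain on a dot boundary.
    // Locale.ROOT keeps lowercasing independent of the JVM default locale.
    static boolean matchesTrustedDomain(String hostname, String trustedDomain) {
        String h = hostname.toLowerCase(Locale.ROOT);
        String d = trustedDomain.toLowerCase(Locale.ROOT);
        return h.equals(d) || h.endsWith("." + d);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; IP literals are parsed locally, so no DNS query is sent.
        String[] uris = {
            "https://127.0.0.1/client.json",        // loopback
            "https://10.0.0.5/client.json",         // siteLocal
            "https://169.254.169.254/client.json",  // linkLocal
            "https://[::1]/client.json",            // IPv6 loopback
            "https://0.0.0.0/client.json",          // anyLocal
            "https://203.0.113.10/client.json",     // documentation range, not internal
            "https://[fd00::1]/client.json"         // IPv6 unique-local
        };
        for (String s : uris) {
            String host = URI.create(s).getHost();
            System.out.println(host + " internal=" + resolvesToInternal(host));
        }
        System.out.println(matchesTrustedDomain("Client.Example.COM", "example.com"));
        System.out.println(matchesTrustedDomain("notexample.com", "example.com"));
    }
}
```

`InetAddress.isSiteLocalAddress()` covers only the deprecated `fec0::/10` range for IPv6, so the unique-local address `fd00::1` is reported as not internal by these four predicates; a stricter policy would test `fc00::/7` explicitly.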