Passing full context dataset to XSLT

`$ALLOW_INTERNAL_URLS` env config flag
App dropdown shows both user-defined and system dataspaces (apps)

Author: namedgraph

docker-compose.yml

@@ -63,6 +63,7 @@ services:
       - SELF_SIGNED_CERT=true # only on localhost
       - SIGN_UP_CERT_VALIDITY=180
       - MAX_CONTENT_LENGTH=${MAX_CONTENT_LENGTH:-2097152}
+      - ALLOW_INTERNAL_URLS=${ALLOW_INTERNAL_URLS:-}
       - NOTIFICATION_ADDRESS=LinkedDataHub <notifications@localhost>
       - MAIL_SMTP_HOST=email-server
       - MAIL_SMTP_PORT=25

platform/entrypoint.sh

@@ -1034,6 +1034,10 @@ if [ -n "$ENABLE_LINKED_DATA_PROXY" ]; then
     ENABLE_LINKED_DATA_PROXY_PARAM="--stringparam ldhc:enableLinkedDataProxy '$ENABLE_LINKED_DATA_PROXY' "
 fi
 
+if [ -n "$ALLOW_INTERNAL_URLS" ]; then
+    export CATALINA_OPTS="$CATALINA_OPTS -Dcom.atomgraph.linkeddatahub.allowInternalUrls=$ALLOW_INTERNAL_URLS"
+fi
+
 if [ -n "$MAX_CONTENT_LENGTH" ]; then
     MAX_CONTENT_LENGTH_PARAM="--stringparam ldhc:maxContentLength '$MAX_CONTENT_LENGTH' "
 fi

src/main/java/com/atomgraph/linkeddatahub/Application.java

@@ -113,6 +113,7 @@
 import com.atomgraph.linkeddatahub.server.security.AgentContext;
 import com.atomgraph.linkeddatahub.server.security.AuthorizationContext;
 import com.atomgraph.linkeddatahub.server.util.MessageBuilder;
+import com.atomgraph.linkeddatahub.server.util.URLValidator;
 import com.atomgraph.linkeddatahub.vocabulary.ACL;
 import com.atomgraph.linkeddatahub.vocabulary.FOAF;
 import com.atomgraph.linkeddatahub.vocabulary.LDH;
@@ -284,6 +285,8 @@ public class Application extends ResourceConfig
     private final boolean invalidateCache;
     private final Integer cookieMaxAge;
     private final boolean enableLinkedDataProxy;
+    private final boolean allowInternalUrls;
+    private final URLValidator urlValidator;
     private final Integer maxContentLength;
     private final Address notificationAddress;
     private final Authenticator authenticator;
@@ -347,6 +350,8 @@ public Application(@Context ServletConfig servletConfig) throws URISyntaxExcepti
             servletConfig.getServletContext().getInitParameter(LDHC.invalidateCache.getURI()) != null ? Boolean.parseBoolean(servletConfig.getServletContext().getInitParameter(LDHC.invalidateCache.getURI())) : false,
             servletConfig.getServletContext().getInitParameter(LDHC.cookieMaxAge.getURI()) != null ? Integer.valueOf(servletConfig.getServletContext().getInitParameter(LDHC.cookieMaxAge.getURI())) : null,
             servletConfig.getServletContext().getInitParameter(LDHC.enableLinkedDataProxy.getURI()) != null ? Boolean.parseBoolean(servletConfig.getServletContext().getInitParameter(LDHC.enableLinkedDataProxy.getURI())) : true,
+            System.getProperty("com.atomgraph.linkeddatahub.allowInternalUrls") != null ? Boolean.parseBoolean(System.getProperty("com.atomgraph.linkeddatahub.allowInternalUrls")) :
+            servletConfig.getServletContext().getInitParameter(LDHC.allowInternalUrls.getURI()) != null ? Boolean.parseBoolean(servletConfig.getServletContext().getInitParameter(LDHC.allowInternalUrls.getURI())) : false,
             servletConfig.getServletContext().getInitParameter(LDHC.maxContentLength.getURI()) != null ? Integer.valueOf(servletConfig.getServletContext().getInitParameter(LDHC.maxContentLength.getURI())) : null,
             servletConfig.getServletContext().getInitParameter(LDHC.maxConnPerRoute.getURI()) != null ? Integer.valueOf(servletConfig.getServletContext().getInitParameter(LDHC.maxConnPerRoute.getURI())) : null,
             servletConfig.getServletContext().getInitParameter(LDHC.maxTotalConn.getURI()) != null ? Integer.valueOf(servletConfig.getServletContext().getInitParameter(LDHC.maxTotalConn.getURI())) : null,
@@ -404,6 +409,7 @@ public Application(@Context ServletConfig servletConfig) throws URISyntaxExcepti
      * @param invalidateCache true if Varnish proxy cache should be invalidated
      * @param cookieMaxAge max age of auth cookies
      * @param enableLinkedDataProxy true if Linked Data proxy is enabled
+     * @param allowInternalUrls true if internal/private network URLs are allowed (disables SSRF protection)
      * @param maxContentLength maximum size of request entity
      * @param maxConnPerRoute maximum client connections per rout
      * @param maxTotalConn maximum total client connections
@@ -436,7 +442,7 @@ public Application(final ServletConfig servletConfig, final MediaTypes mediaType
             final String webIDQueryString, final String agentQueryString, final String userAccountQueryString, final String ontologyQueryString,
             final String baseURIString, final String proxyScheme, final String proxyHostname, final Integer proxyPort,
             final String uploadRootString, final boolean invalidateCache,
-            final Integer cookieMaxAge, final boolean enableLinkedDataProxy, final Integer maxContentLength,
+            final Integer cookieMaxAge, final boolean enableLinkedDataProxy, final boolean allowInternalUrls, final Integer maxContentLength,
             final Integer maxConnPerRoute, final Integer maxTotalConn, final Integer maxRequestRetries, final Integer maxImportThreads,
             final String notificationAddressString, final String supportedLanguageCodes, final boolean enableWebIDSignUp, final String oidcRefreshTokensPropertiesPath,
             final String frontendProxyString, final String backendProxyAdminString, final String backendProxyEndUserString,
@@ -570,6 +576,8 @@ public Application(final ServletConfig servletConfig, final MediaTypes mediaType
         this.cacheStylesheet = cacheStylesheet;
         this.resolvingUncached = resolvingUncached;
         this.enableLinkedDataProxy = enableLinkedDataProxy;
+        this.allowInternalUrls = allowInternalUrls;
+        this.urlValidator = new URLValidator(allowInternalUrls);
         this.maxContentLength = maxContentLength;
         this.invalidateCache = invalidateCache;
         this.enableWebIDSignUp = enableWebIDSignUp;
@@ -2159,7 +2167,27 @@ public boolean isEnableLinkedDataProxy()
     {
         return enableLinkedDataProxy;
     }
-    
+
+    /**
+     * Returns true if internal/private network URLs are allowed (SSRF protection disabled).
+     *
+     * @return true if internal URLs are allowed
+     */
+    public boolean isAllowInternalUrls()
+    {
+        return allowInternalUrls;
+    }
+
+    /**
+     * Returns the shared URLValidator instance configured for this application.
+     *
+     * @return the URL validator
+     */
+    public URLValidator getURLValidator()
+    {
+        return urlValidator;
+    }
+
     /**
      * Maximum allowed request body size.
      * 

src/main/java/com/atomgraph/linkeddatahub/resource/Transform.java

@@ -23,7 +23,6 @@
 import com.atomgraph.linkeddatahub.server.io.ValidatingModelProvider;
 import com.atomgraph.linkeddatahub.server.model.impl.DirectGraphStoreImpl;
 import com.atomgraph.linkeddatahub.server.security.AgentContext;
-import com.atomgraph.linkeddatahub.server.util.URLValidator;
 import com.atomgraph.linkeddatahub.vocabulary.NFO;
 import com.atomgraph.spinrdf.vocabulary.SPIN;
 import java.net.URI;
@@ -143,8 +142,8 @@ public Response post(Model model)
             if (queryRes == null) throw new BadRequestException("Transformation query string (spin:query) not provided");
 
             // LNK-002: Validate URIs to prevent SSRF attacks
-            new URLValidator(URI.create(queryRes.getURI())).validate();
-            new URLValidator(URI.create(source.getURI())).validate();
+            getSystem().getURLValidator().validate(URI.create(queryRes.getURI()));
+            getSystem().getURLValidator().validate(URI.create(source.getURI()));
 
             GraphStoreClient gsc = GraphStoreClient.create(getSystem().getClient(), getSystem().getMediaTypes()).
                 delegation(getUriInfo().getBaseUri(), getAgentContext().orElse(null));
@@ -235,7 +234,7 @@ public Response postFileBodyPart(Model model, Map<String, FormDataBodyPart> file
             if (queryRes == null) throw new BadRequestException("Transformation query string (spin:query) not provided");
 
             // LNK-002: Validate query URI to prevent SSRF attacks
-            new URLValidator(URI.create(queryRes.getURI())).validate();
+            getSystem().getURLValidator().validate(URI.create(queryRes.getURI()));
 
             GraphStoreClient gsc = GraphStoreClient.create(getSystem().getClient(), getSystem().getMediaTypes()).
                 delegation(getUriInfo().getBaseUri(), getAgentContext().orElse(null));

src/main/java/com/atomgraph/linkeddatahub/resource/admin/pkg/InstallPackage.java

@@ -23,7 +23,6 @@
 import com.atomgraph.linkeddatahub.client.GraphStoreClient;
 import com.atomgraph.linkeddatahub.resource.admin.ClearOntology;
 import com.atomgraph.linkeddatahub.server.security.AgentContext;
-import com.atomgraph.linkeddatahub.server.util.URLValidator;
 import com.atomgraph.linkeddatahub.server.util.XSLTMasterUpdater;
 import static com.atomgraph.server.status.UnprocessableEntityStatus.UNPROCESSABLE_ENTITY;
 import jakarta.inject.Inject;
@@ -134,7 +133,7 @@ public Response post(@FormParam("package-uri") String packageURI, @HeaderParam("
         }
 
         // Validate package URI to prevent SSRF attacks
-        new URLValidator(URI.create(packageURI)).validate();
+        getSystem().getURLValidator().validate(URI.create(packageURI));
 
         if (log.isInfoEnabled()) log.info("Installing package: {}", packageURI);
         com.atomgraph.linkeddatahub.apps.model.Package pkg = getPackage(packageURI);
@@ -161,7 +160,7 @@ public Response post(@FormParam("package-uri") String packageURI, @HeaderParam("
             if (ontology != null)
             {
                 // Validate ontology URI to prevent SSRF attacks
-                new URLValidator(URI.create(ontology.getURI())).validate();
+                getSystem().getURLValidator().validate(URI.create(ontology.getURI()));
 
                 if (log.isDebugEnabled()) log.debug("Downloading package ontology from: {}", ontology.getURI());
                 Model ontologyModel = downloadOntology(ontology.getURI());
@@ -175,7 +174,7 @@ public Response post(@FormParam("package-uri") String packageURI, @HeaderParam("
                 String packagePath = pkg.getStylesheetPath();
 
                 // Validate stylesheet URI to prevent SSRF attacks
-                new URLValidator(stylesheetURI).validate();
+                getSystem().getURLValidator().validate(stylesheetURI);
 
                 if (log.isDebugEnabled()) log.debug("Downloading package stylesheet from: {}", stylesheetURI);
                 String stylesheetContent = downloadStylesheet(stylesheetURI);

src/main/java/com/atomgraph/linkeddatahub/server/filter/request/auth/WebIDFilter.java

@@ -25,7 +25,6 @@
 import com.atomgraph.linkeddatahub.server.exception.auth.webid.WebIDLoadingException;
 import com.atomgraph.linkeddatahub.server.exception.auth.webid.WebIDDelegationException;
 import com.atomgraph.linkeddatahub.server.security.WebIDSecurityContext;
-import com.atomgraph.linkeddatahub.server.util.URLValidator;
 import com.atomgraph.linkeddatahub.vocabulary.ACL;
 import com.atomgraph.linkeddatahub.vocabulary.Cert;
 import com.atomgraph.linkeddatahub.vocabulary.FOAF;
@@ -129,7 +128,7 @@ public SecurityContext authenticate(ContainerRequestContext request)
             }
             if (log.isTraceEnabled()) log.trace("Client WebID: {}", webID);
 
-            new URLValidator(webID).validate(); // LNK-004: Prevent SSRF via WebID URI
+            getSystem().getURLValidator().validate(webID); // LNK-004: Prevent SSRF via WebID URI
             Resource agent = authenticate(loadWebID(webID), webID, publicKey);
             if (agent == null)
             {
@@ -142,7 +141,7 @@ public SecurityContext authenticate(ContainerRequestContext request)
             if (onBehalfOf != null)
             {
                 URI principalWebID = new URI(onBehalfOf);
-                new URLValidator(principalWebID).validate(); // LNK-004: Prevent SSRF via On-Behalf-Of header
+                getSystem().getURLValidator().validate(principalWebID); // LNK-004: Prevent SSRF via On-Behalf-Of header
                 Model principalWebIDModel = loadWebID(principalWebID);
                 Resource principal = principalWebIDModel.createResource(onBehalfOf);
                 // if we verify that the current agent is a secretary of the principal, that principal becomes current agent. Else throw error
@@ -300,7 +299,7 @@ public Model loadWebIDFromURI(URI webID)
                 if (certKeyRes != null && certKeyRes.isURIResource())
                 {
                     URI certKey = URI.create(certKeyRes.getURI());
-                    new URLValidator(certKey).validate(); // LNK-004: Prevent SSRF via cert:key reference in WebID document
+                    getSystem().getURLValidator().validate(certKey); // LNK-004: Prevent SSRF via cert:key reference in WebID document
                     // remove fragment identifier to get document URI
                     URI certKeyDoc = new URI(certKey.getScheme(), certKey.getSchemeSpecificPart(), null).normalize();
 

src/main/java/com/atomgraph/linkeddatahub/server/model/impl/ProxiedGraph.java

@@ -31,7 +31,6 @@
 import com.atomgraph.linkeddatahub.server.security.AgentContext;
 import com.atomgraph.linkeddatahub.server.security.IDTokenSecurityContext;
 import com.atomgraph.linkeddatahub.server.security.WebIDSecurityContext;
-import com.atomgraph.linkeddatahub.server.util.URLValidator;
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.List;
@@ -309,7 +308,7 @@ public Response get(WebTarget target, Invocation.Builder builder)
 
         if (!getSystem().isEnableLinkedDataProxy()) throw new NotAllowedException("Linked Data proxy not enabled");
         // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
-        new URLValidator(target.getUri()).validate();
+        getSystem().getURLValidator().validate(target.getUri());
 
         return super.get(target, builder);
     }
@@ -326,7 +325,7 @@ public Response post(String sparqlQuery)
     {
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied");
         // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
-        new URLValidator(getWebTarget().getUri()).validate();
+        getSystem().getURLValidator().validate(getWebTarget().getUri());
 
         if (log.isDebugEnabled()) log.debug("POSTing SPARQL query to URI: {}", getWebTarget().getUri());
 
@@ -360,7 +359,7 @@ public Response postForm(String formData)
     {
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied");
         // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
-        new URLValidator(getWebTarget().getUri()).validate();
+        getSystem().getURLValidator().validate(getWebTarget().getUri());
 
         if (log.isDebugEnabled()) log.debug("POSTing form data to URI: {}", getWebTarget().getUri());
 
@@ -394,7 +393,7 @@ public Response patch(String sparqlUpdate)
     {
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied");
         // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
-        new URLValidator(getWebTarget().getUri()).validate();
+        getSystem().getURLValidator().validate(getWebTarget().getUri());
 
         if (log.isDebugEnabled()) log.debug("PATCHing SPARQL update to URI: {}", getWebTarget().getUri());
 
@@ -429,7 +428,7 @@ public Response postMultipart(FormDataMultiPart multiPart)
         if (!getSystem().isEnableLinkedDataProxy()) throw new NotAllowedException("Linked Data proxy not enabled");
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied"); // cannot throw Exception in constructor: https://github.com/eclipse-ee4j/jersey/issues/4436
         // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
-        new URLValidator(getWebTarget().getUri()).validate();
+        getSystem().getURLValidator().validate(getWebTarget().getUri());
 
         try (Response cr = getWebTarget().request().
             accept(getMediaTypes().getReadable(Model.class).toArray(jakarta.ws.rs.core.MediaType[]::new)).
@@ -453,7 +452,7 @@ public Response putMultipart(FormDataMultiPart multiPart)
         if (!getSystem().isEnableLinkedDataProxy()) throw new NotAllowedException("Linked Data proxy not enabled");
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied"); // cannot throw Exception in constructor: https://github.com/eclipse-ee4j/jersey/issues/4436
         // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
-        new URLValidator(getWebTarget().getUri()).validate();
+        getSystem().getURLValidator().validate(getWebTarget().getUri());
 
         try (Response cr = getWebTarget().request().
                 accept(getMediaTypes().getReadable(Model.class).toArray(jakarta.ws.rs.core.MediaType[]::new)).

src/main/java/com/atomgraph/linkeddatahub/server/util/URLValidator.java

@@ -37,18 +37,16 @@ public class URLValidator
 {
     private static final Logger log = LoggerFactory.getLogger(URLValidator.class);
 
-    private final URI uri;
+    private final boolean allowInternal;
 
     /**
-     * Constructs URL validator for the given URI.
+     * Constructs URL validator.
      *
-     * @param uri the URI to validate
-     * @throws IllegalArgumentException if the URI is null
+     * @param allowInternal if true, internal/private network addresses are allowed (disables SSRF protection)
      */
-    public URLValidator(URI uri)
+    public URLValidator(boolean allowInternal)
     {
-        if (uri == null) throw new IllegalArgumentException("URI cannot be null");
-        this.uri = uri;
+        this.allowInternal = allowInternal;
     }
 
     /**
@@ -61,44 +59,40 @@ public URLValidator(URI uri)
      * may legitimately need to access resources on the same server (e.g., transformation queries,
      * WebID documents during development, admin operations).
      *
+     * @param uri the URI to validate
      * @return the validated URI
-     * @throws IllegalArgumentException if the URI host is null
+     * @throws IllegalArgumentException if the URI is null or its host is null
      * @throws InternalURLException if the URI resolves to an internal IP address
      */
-    public URI validate()
+    public URI validate(URI uri)
     {
-        String host = uri.getHost();
-        if (host == null) throw new IllegalArgumentException("URI host cannot be null");
+        if (uri == null) throw new IllegalArgumentException("URI cannot be null");
 
-        // Resolve hostname to IP and check if it's private/internal
-        try
+        if (!allowInternal)
         {
-            InetAddress address = InetAddress.getByName(host);
+            String host = uri.getHost();
+            if (host == null) throw new IllegalArgumentException("URI host cannot be null");
 
-            // Note: We don't block loopback addresses (127.0.0.1, localhost) because the application
-            // legitimately accesses its own endpoints for various operations
+            // Resolve hostname to IP and check if it's private/internal
+            try
+            {
+                InetAddress address = InetAddress.getByName(host);
 
-            if (address.isLinkLocalAddress())
-                throw new InternalURLException(uri, address.getHostAddress());
-            if (address.isSiteLocalAddress())
-                throw new InternalURLException(uri, address.getHostAddress());
-        }
-        catch (UnknownHostException e)
-        {
-            if (log.isWarnEnabled()) log.warn("Could not resolve hostname for SSRF validation: {}", host);
-            // Allow request to proceed - will fail later with better error message
-        }
+                // Note: We don't block loopback addresses (127.0.0.1, localhost) because the application
+                // legitimately accesses its own endpoints for various operations
 
-        return uri;
-    }
+                if (address.isLinkLocalAddress())
+                    throw new InternalURLException(uri, address.getHostAddress());
+                if (address.isSiteLocalAddress())
+                    throw new InternalURLException(uri, address.getHostAddress());
+            }
+            catch (UnknownHostException e)
+            {
+                if (log.isWarnEnabled()) log.warn("Could not resolve hostname for SSRF validation: {}", host);
+                // Allow request to proceed - will fail later with better error message
+            }
+        }
 
-    /**
-     * Returns the URI being validated.
-     *
-     * @return the URI
-     */
-    public URI getURI()
-    {
         return uri;
     }