Pixee-Bot-Java · pixeebot · Aug 13, 2025 · pixeebot · Aug 13, 2025 · pixeebot
diff --git a/xwiki-commons-core/xwiki-commons-classloader/pom.xml b/xwiki-commons-core/xwiki-commons-classloader/pom.xml
@@ -34,4 +34,16 @@
   <modules>
     <module>xwiki-commons-classloader-api</module>
   </modules>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <properties>
+    <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+  </properties>
 </project>
diff --git a/xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/pom.xml b/xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/pom.xml
@@ -55,6 +55,10 @@
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

diff --git a/...lassloader-api/src/main/java/org/xwiki/classloader/internal/ExtendedJarURLConnection.java b/...lassloader-api/src/main/java/org/xwiki/classloader/internal/ExtendedJarURLConnection.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.classloader.internal;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -184,7 +186,7 @@ private void parseSpecs(URL url) throws MalformedURLException
         }
 
         // This is the main difference with standard JarURLConnection: we use a component to handle the actual file
-        this.jarFileURL = new URL(null, spec.substring(0, separator++), this.handler);
+        this.jarFileURL = Urls.create(null, spec.substring(0, separator++), this.handler, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
         this.entryName = null;
 
         /* if ! is the last letter of the innerURL, entryName is null */

diff --git a/...sloader-api/src/main/java/org/xwiki/classloader/internal/JarExtendedURLStreamHandler.java b/...sloader-api/src/main/java/org/xwiki/classloader/internal/JarExtendedURLStreamHandler.java
@@ -20,6 +20,8 @@
 // In java.net package to be allowed to call URLStreamHandler methods
 package org.xwiki.classloader.internal;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.File;
 import java.io.IOException;
 import java.net.MalformedURLException;
@@ -108,7 +110,7 @@ protected URLConnection openConnection(URL u) throws IOException
         }
 
         // For anything else use standard JAR handler
-        return new URL(null, spec).openConnection();
+        return Urls.create(null, spec, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS).openConnection();
     }
 
     @Override
@@ -223,7 +225,7 @@ private String parseAbsoluteSpec(String spec) {
         // test the inner URL
         try {
             String innerSpec = spec.substring(0, index - 1);
-            new URL(innerSpec);
+            Urls.create(innerSpec, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
         } catch (MalformedURLException e) {
             throw new NullPointerException("invalid url: " +
                                            spec + " (" + e + ")");

diff --git a/xwiki-commons-core/xwiki-commons-crypto/pom.xml b/xwiki-commons-core/xwiki-commons-crypto/pom.xml
@@ -69,4 +69,16 @@
     <module>xwiki-commons-crypto-signer</module>
     <module>xwiki-commons-crypto-store</module>
   </modules>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <properties>
+    <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+  </properties>
 </project>
diff --git a/xwiki-commons-core/xwiki-commons-crypto/xwiki-commons-crypto-pkix/pom.xml b/xwiki-commons-core/xwiki-commons-crypto/xwiki-commons-crypto-pkix/pom.xml
@@ -57,5 +57,9 @@
       <groupId>com.sun.mail</groupId>
       <artifactId>jakarta.mail</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
 </project>
diff --git a/...to-pkix/src/main/java/org/xwiki/crypto/pkix/params/x509certificate/extension/X509URI.java b/...to-pkix/src/main/java/org/xwiki/crypto/pkix/params/x509certificate/extension/X509URI.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.crypto.pkix.params.x509certificate.extension;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -60,7 +62,7 @@ public X509URI(String str)
             newUri = newUrl.toURI();
         } catch (URISyntaxException e) {
             try {
-                newUrl = new URL(str);
+                newUrl = Urls.create(str, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
                 newStr = newUrl.toString();
             } catch (MalformedURLException e1) {
                 newStr = str;

diff --git a/xwiki-commons-core/xwiki-commons-extension/pom.xml b/xwiki-commons-core/xwiki-commons-extension/pom.xml
@@ -46,5 +46,17 @@
     <module>xwiki-commons-extension-handlers</module>
     <module>xwiki-commons-extension-repositories</module>
   </modules>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <properties>
+    <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+  </properties>
 </project>
 
diff --git a/xwiki-commons-core/xwiki-commons-extension/xwiki-commons-extension-api/pom.xml b/xwiki-commons-core/xwiki-commons-extension/xwiki-commons-extension-api/pom.xml
@@ -112,6 +112,10 @@
       <version>${project.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

diff --git a/...xwiki-commons-extension-api/src/main/java/org/xwiki/extension/DefaultExtensionAuthor.java b/...xwiki-commons-extension-api/src/main/java/org/xwiki/extension/DefaultExtensionAuthor.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.extension;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Objects;
@@ -79,7 +81,7 @@ public URL getURL()
     {
         if (this.urlCache == null && this.url != null) {
             try {
-                this.urlCache = new URL(this.url);
+                this.urlCache = Urls.create(this.url, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
             } catch (MalformedURLException e) {
                 // TODO: Should probably log something
             }

diff --git a/...ion/xwiki-commons-extension-api/src/main/java/org/xwiki/extension/internal/PathUtils.java b/...ion/xwiki-commons-extension-api/src/main/java/org/xwiki/extension/internal/PathUtils.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.extension.internal;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.JarURLConnection;
@@ -71,7 +73,7 @@ private static URL fixURL(URL jarURL)
             jarURLString = jarURLString.replace(" ", "%20");
 
             try {
-                return new URL(jarURLString);
+                return Urls.create(jarURLString, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
             } catch (MalformedURLException e) {
                 // TODO: Log something ?
             }

diff --git a/...src/main/java/org/xwiki/extension/repository/internal/URLExtensionPropertySerializer.java b/...src/main/java/org/xwiki/extension/repository/internal/URLExtensionPropertySerializer.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.extension.repository.internal;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.net.URL;
 
 import org.w3c.dom.Element;
@@ -42,7 +44,7 @@ public URLExtensionPropertySerializer()
     public URL toValue(Element element)
     {
         try {
-            return new URL(element.getTextContent());
+            return Urls.create(element.getTextContent(), Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
         } catch (Exception e) {
             // TODO: should maybe log something
             return null;

diff --git a/...c/main/java/org/xwiki/extension/repository/internal/core/DefaultCoreExtensionScanner.java b/...c/main/java/org/xwiki/extension/repository/internal/core/DefaultCoreExtensionScanner.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.extension.repository.internal.core;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
@@ -264,7 +266,7 @@ private DefaultCoreExtension loadCoreExtensionFromXED(URL jarURL, DefaultCoreExt
                 // Find XED file URL
                 URL xedURL;
                 try {
-                    xedURL = new URL(jarString.substring(0, extIndex) + ".xed");
+                    xedURL = Urls.create(jarString.substring(0, extIndex) + ".xed", Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
                 } catch (MalformedURLException e) {
                     // Cannot really happen
                     return null;
@@ -371,6 +373,6 @@ private static URL getEnvironmentExtensionURL(URL xedURL) throws MalformedURLExc
         List<String> segments = Arrays.asList(xedURL.toString().split(separator));
         // Remove the segments corresponding to "/META-INF/extension.xed" at the end of the URL.
         List<String> startSegments = segments.subList(0, segments.size() - 2);
-        return new URL(String.join(separator, startSegments));
+        return Urls.create(String.join(separator, startSegments), Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
     }
 }
diff --git a/...xwiki-commons-extension-api/src/test/java/org/xwiki/extension/test/ExtensionPackager.java b/...xwiki-commons-extension-api/src/test/java/org/xwiki/extension/test/ExtensionPackager.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.extension.test;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -171,7 +173,7 @@ public void generateExtension(String classPackageFolder, URL descriptorUrl) thro
             try {
                 // Order files
                 TreeMap<String, Vfs.File> files = new TreeMap<>();
-                for (Vfs.File resourceFile : Vfs.fromURL(new URL(descriptorFolderURL)).getFiles()) {
+                for (Vfs.File resourceFile : Vfs.fromURL(Urls.create(descriptorFolderURL, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS)).getFiles()) {
                     files.put(resourceFile.getRelativePath(), resourceFile);
                 }
 

diff --git a/xwiki-commons-core/xwiki-commons-extension/xwiki-commons-extension-repositories/pom.xml b/xwiki-commons-core/xwiki-commons-extension/xwiki-commons-extension-repositories/pom.xml
@@ -37,5 +37,17 @@
     <module>xwiki-commons-extension-repository-xwiki</module>
     <module>xwiki-commons-extension-repository-maven-snapshots</module>
   </modules>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <properties>
+    <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+  </properties>
 </project>
 
diff --git a/...ion/xwiki-commons-extension-repositories/xwiki-commons-extension-repository-maven/pom.xml b/...ion/xwiki-commons-extension-repositories/xwiki-commons-extension-repository-maven/pom.xml
@@ -143,6 +143,10 @@
       <version>${project.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

diff --git a/...en/src/main/java/org/xwiki/extension/repository/maven/internal/MavenExtensionScanner.java b/...en/src/main/java/org/xwiki/extension/repository/maven/internal/MavenExtensionScanner.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.extension.repository.maven.internal;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
@@ -168,10 +170,10 @@ private boolean scan(Map<String, DefaultCoreExtension> extensions, URL jarURL,
             try {
                 if (path.endsWith("/")) {
                     // It's a folder
-                    descriptorURL = new URL(path + descriptor);
+                    descriptorURL = Urls.create(path + descriptor, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
                 } else {
                     // Probably a jar
-                    descriptorURL = new URL("jar:" + jarURL.toExternalForm() + "!/" + descriptor);
+                    descriptorURL = Urls.create("jar:" + jarURL.toExternalForm() + "!/" + descriptor, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
                 }
             } catch (MalformedURLException e) {
                 // Not supposed to happen (would mean there is a bug in Reflections)

diff --git a/xwiki-commons-core/xwiki-commons-filter/pom.xml b/xwiki-commons-core/xwiki-commons-filter/pom.xml
@@ -38,5 +38,17 @@
     <module>xwiki-commons-filter-events</module>
     <module>xwiki-commons-filter-streams</module>
   </modules>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <properties>
+    <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+  </properties>
 </project>
 
diff --git a/xwiki-commons-core/xwiki-commons-filter/xwiki-commons-filter-api/pom.xml b/xwiki-commons-core/xwiki-commons-filter/xwiki-commons-filter-api/pom.xml
@@ -57,6 +57,10 @@
       <version>${project.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

diff --git a/...-api/src/main/java/org/xwiki/filter/internal/input/DefaultInputSourceReferenceParser.java b/...-api/src/main/java/org/xwiki/filter/internal/input/DefaultInputSourceReferenceParser.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.filter.internal.input;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.File;
 import java.net.URL;
 
@@ -68,7 +70,7 @@ public InputSource parse(String reference) throws FilterException
 
             if (prefix.equals("url")) {
                 try {
-                    inputSource = new DefaultURLInputSource(new URL(value));
+                    inputSource = new DefaultURLInputSource(Urls.create(value, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS));
                 } catch (Exception e) {
                     throw new ConversionException("Failed to create input source for URL [" + reference + "]", e);
                 }

diff --git a/xwiki-commons-core/xwiki-commons-legacy/xwiki-commons-legacy-classloader/pom.xml b/xwiki-commons-core/xwiki-commons-legacy/xwiki-commons-legacy-classloader/pom.xml
@@ -39,11 +39,12 @@
       <dependency>
         <groupId>io.github.pixee</groupId>
         <artifactId>java-security-toolkit</artifactId>
+
         <version>${versions.java-security-toolkit}</version>
       </dependency>
     </dependencies>
   </dependencyManagement>
   <properties>
-    <versions.java-security-toolkit>1.2.0</versions.java-security-toolkit>
+    <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
   </properties>
 </project>
diff --git a/...mons-legacy/xwiki-commons-legacy-classloader/xwiki-commons-legacy-classloader-api/pom.xml b/...mons-legacy/xwiki-commons-legacy-classloader/xwiki-commons-legacy-classloader-api/pom.xml
@@ -33,6 +33,7 @@
   <description>Legacy module for xwiki-commons-classloader-api</description>
   <properties>
     <xwiki.jacoco.instructionRatio>0.00</xwiki.jacoco.instructionRatio>
+    <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
   </properties>
   <dependencies>
     <!-- Trigger xwiki-commons-classloader-api (but without xwiki-commons-classloader-api jar itself) -->
@@ -65,6 +66,10 @@
       <groupId>io.github.pixee</groupId>
       <artifactId>java-security-toolkit</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <plugins>
@@ -128,4 +133,13 @@
       </plugin>
     </plugins>
   </build>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
 </project>