fix: Add resource: protocol to allowed URL schemes by default (#3795)

* fix: Add `resource:` protocol to allowed URL schemes by default

This update includes `resource:` in the list of allowed URL schemes for retrieving configuration files.
See [`log4j2.configurationAllowedProtocols`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.configurationAllowedProtocols)

Currently, the `resource:` protocol is used exclusively by a `URLStreamHandler` that retrieves files from the embedded resources in a GraalVM native image. This makes it a secure and appropriate source for trusted configuration files.

This change cannot be easily and reliably tested through a unit test. An integration test will be provided in apache/logging-log4j-samples#345

Closes #3790

* fix: Add `resource` protocol only in native images

This change introduces an internal `SystemUtils.isGraalVm()` method to detect the presence of GraalVM and enable the `resource` protocol.

* Reword changelog entry

---------

Co-authored-by: Volkan Yazıcı <[email protected]>

Author: ppkarwasz

log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java

@@ -33,6 +33,7 @@
 import org.apache.logging.log4j.core.net.ssl.SslConfiguration;
 import org.apache.logging.log4j.core.net.ssl.SslConfigurationFactory;
 import org.apache.logging.log4j.core.util.AuthorizationProvider;
+import org.apache.logging.log4j.core.util.internal.SystemUtils;
 import org.apache.logging.log4j.util.PropertiesUtil;
 import org.apache.logging.log4j.util.Strings;
 
@@ -51,7 +52,24 @@ public class UrlConnectionFactory {
     private static final String HTTP = "http";
     private static final String HTTPS = "https";
     private static final String JAR = "jar";
-    private static final String DEFAULT_ALLOWED_PROTOCOLS = "https, file, jar";
+    /**
+     * Default list of protocols that are allowed to be used for configuration files and other trusted resources.
+     * <p>
+     *     By default, we trust the following protocols:
+     * <dl>
+     *     <dt>file</dt>
+     *     <dd>Local files</dd>
+     *     <dt>https</dt>
+     *     <dd>Resources retrieved through TLS to guarantee their integrity</dd>
+     *     <dt>jar</dt>
+     *     <dd>Resources retrieved from JAR files</dd>
+     *     <dt>resource</dt>
+     *     <dd>Resources embedded in a GraalVM native image</dd>
+     * </dl>
+     */
+    private static final String DEFAULT_ALLOWED_PROTOCOLS =
+            SystemUtils.isGraalVm() ? "file, https, jar, resource" : "file, https, jar";
+
     private static final String NO_PROTOCOLS = "_none";
     public static final String ALLOWED_PROTOCOLS = "log4j2.Configuration.allowedProtocols";
 

log4j-core/src/main/java/org/apache/logging/log4j/core/util/internal/SystemUtils.java

@@ -36,5 +36,21 @@ public static boolean isOsAndroid() {
         return getJavaVendor().contains("Android");
     }
 
+    /**
+     * Checks if the current runtime is GraalVM.
+     * <p>
+     *     See <a href="https://www.graalvm.org/sdk/javadoc/org/graalvm/nativeimage/ImageInfo.html#PROPERTY_IMAGE_CODE_KEY">ImageInfo.PROPERTY_IMAGE_CODE_KEY</a>.
+     * </p>
+     * @return true if the current runtime is GraalVM, false otherwise.
+     */
+    public static boolean isGraalVm() {
+        try {
+            return System.getProperty("org.graalvm.nativeimage.imagecode") != null;
+        } catch (final SecurityException e) {
+            LOGGER.debug("Unable to determine if the current runtime is GraalVM.", e);
+            return false;
+        }
+    }
+
     private SystemUtils() {}
 }

src/changelog/.2.x.x/3790_allow-resource-protocol.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns="https://logging.apache.org/xml/ns"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="
+           https://logging.apache.org/xml/ns
+           https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"
+       type="fixed">
+  <issue id="3790" link="https://github.com/apache/logging-log4j2/issues/3790"/>
+  <description format="asciidoc">
+    Allow `resource:` protocol for configuration files by default, if the current runtime is GraalVM.
+  </description>
+</entry>

src/site/antora/modules/ROOT/partials/manual/systemproperties/properties-transport-security.adoc

@@ -21,9 +21,17 @@
 
 [cols="1h,5"]
 |===
-| Env. variable | `LOG4J_CONFIGURATION_ALLOWED_PROTOCOLS`
-| Type          | Comma-separated list of https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`] protocols
-| Default value | `file, https, jar`
+| Env. variable
+| `LOG4J_CONFIGURATION_ALLOWED_PROTOCOLS`
+
+| Type
+| Comma-separated list of https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`] protocols
+
+| Default value
+|
+`file, https, jar` (JVM)
+
+`file, https, jar, resource` (GraalVM)
 |===
 
 A comma separated list of https://docs.oracle.com/javase/{java-target-version}/docs/api/java/net/URL.html[`URL`] protocols that may be used to load any kind of configuration source.