If a `URI` or `URL` is created from a `File`, it isn't a valid source of SSRF. This is because, AFAIK, opening a stream from a file will never create a socket request.

```java
new File("untrusted-user-input.txt").toURI().toURL().openStream()
```
Thank you for this false positive report.
I have added it to our tracking board for future consideration, as we are not actively prioritising false positives right now.
Code samples or links to source code
https://github.com/keycloak/keycloak/blob/0bfadacffd1112e6fa6fdce5b6662b08aeb15d79/services/src/main/java/org/keycloak/theme/FolderTheme.java#L101-L101
URL to the alert on GitHub code scanning (optional)
https://github.com/Chainguard-Wolfi-Bites-Back/keycloak__keycloak/security/code-scanning/18
Reasonable Fix
It should be simple to add any type conversion to a `File` as a simple sanitizer.
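The property behind both the false-positive argument and the proposed sanitizer can be checked directly. The following is an added example written for this issue, not Keycloak code and not part of the CodeQL query: it feeds attacker-shaped strings (constructed for the example) through the exact `String -> File -> URI -> URL` conversion and shows that, whatever the input, `File.toURI()` always yields a `file` URI with no authority, so `URL.openStream()` can only reach the local file protocol handler. The class name `FileUrlNoSsrf` and the helper names are the example's own.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;

/**
 * Why a URL built through File.toURI().toURL() cannot drive a network request:
 * File.toURI() always produces a "file" URI with an empty authority component,
 * so the only handler that can serve the resulting URL is the local file handler.
 *
 * Added example for this issue; not Keycloak or CodeQL code. The inputs below
 * are constructed, attacker-shaped strings.
 */
public class FileUrlNoSsrf {

    /** Constructed inputs an attacker might supply hoping to steer the request elsewhere. */
    static final String[] UNTRUSTED_INPUTS = {
        "untrusted-user-input.txt",
        "http://attacker.example/steal",
        "//attacker.example/share/x",
        "../../../etc/passwd",
        "gopher://127.0.0.1:6379/_FLUSHALL"
    };

    /** The conversion under discussion: String -> File -> URI -> URL. */
    static URL viaFile(String untrusted) throws IOException {
        return new File(untrusted).toURI().toURL();
    }

    /**
     * True when the URL can only be served by the file protocol handler:
     * the scheme is "file" and there is no host for any handler to contact.
     */
    static boolean isLocalFileUrl(URL url) {
        String host = url.getHost();
        return "file".equals(url.getProtocol()) && (host == null || host.isEmpty());
    }

    public static void main(String[] args) throws IOException {
        for (String input : UNTRUSTED_INPUTS) {
            URL fileDerived = viaFile(input);
            System.out.printf("%-40s -> %s%n", input, fileDerived);
            if (!isLocalFileUrl(fileDerived)) {
                throw new AssertionError("File-derived URL unexpectedly carries a scheme/host: " + fileDerived);
            }
            // Opening it either reads a local file or fails with a local I/O error;
            // no DNS lookup and no TCP connection is involved.
            try (InputStream in = fileDerived.openStream()) {
                System.out.println("  readable local file, first byte: " + in.read());
            } catch (IOException e) {
                System.out.println("  local I/O error only: " + e.getClass().getSimpleName());
            }
        }

        // Contrast: parsing the same string directly as a URL keeps the attacker's
        // scheme and host, which is the shape the SSRF query is meant to catch.
        URL direct = new URL("http://attacker.example/steal");
        System.out.println("new URL(...) keeps protocol=" + direct.getProtocol()
                + " host=" + direct.getHost() + ", local file URL? " + isLocalFileUrl(direct));
    }
}
```

Two points the check makes explicit. First, `isLocalFileUrl` is the property a `File`-conversion sanitizer relies on: the scheme and the (absent) host are fixed by `File.toURI()`, not by the input, so the input cannot pick a protocol handler or a remote endpoint. On Windows the `//attacker.example/share/x` input becomes a UNC path and `File.toURI()` still emits an empty authority (`file:////...`), so the check holds and any access goes through the operating system's file layer, not a URL protocol handler. Second, the conversion neutralises request forgery only: the `file:` URL still points wherever the string says, so inputs like `../../../etc/passwd` remain a path-traversal question that a separate query has to answer.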