Fix vulnerability

tylerjmchugh · tylerjmchugh · commit de154c84ddee · 2026-02-25T10:09:22.000-05:00
diff --git a/services/src/main/java/org/fao/geonet/api/records/MetadataApi.java b/services/src/main/java/org/fao/geonet/api/records/MetadataApi.java
@@ -198,8 +198,9 @@ public String getRecord(
         HttpServletRequest request
     )
         throws Exception {
+        AbstractMetadata metadata;
         try {
-            ApiUtils.canViewRecord(metadataUuid, request);
+            metadata = ApiUtils.canViewRecord(metadataUuid, request);
         } catch (SecurityException e) {
             Log.debug(API.LOG_MODULE_NAME, e.getMessage(), e);
             throw new NotAllowedException(ApiParams.API_RESPONSE_NOT_ALLOWED_CAN_VIEW);
@@ -208,15 +209,16 @@ public String getRecord(
         String acceptHeader = StringUtils.isBlank(request.getHeader(HttpHeaders.ACCEPT)) ? MediaType.APPLICATION_XML_VALUE : request.getHeader(HttpHeaders.ACCEPT);
         List<String> accept = Arrays.asList(acceptHeader.split(","));
 
-        String formatterBasePath = metadataUuid + "/formatters/";
+        // Use the uuid from the abstract metadata instead of the path variable to address URL forwarding vulnerabilities
+        String formatterBasePath = metadata.getUuid() + "/formatters/";
         String defaultFormatterPath = formatterBasePath + "xsl-view";
         if (accept.contains(MediaType.TEXT_HTML_VALUE) || accept.contains(MediaType.APPLICATION_XHTML_XML_VALUE)) {
             // Check if the language query parameter is a real language supported by the system. If not, fallback to the request language.
             String resolvedLanguage = (StringUtils.isNotBlank(language) && languageUtils.getUiLanguages().contains(language.toLowerCase()))
                 ? language.toLowerCase()
                 : languageUtils.getIso3langCode(request.getLocales());
             // If there is a redirect to a record view formatter configured use it, otherwise fallback to the default xsl-view formatter.
-            String redirect = getRecordViewFormatterRedirect(resolvedLanguage, metadataUuid, recordViewFormatter);
+            String redirect = getRecordViewFormatterRedirect(resolvedLanguage, metadata.getUuid(), recordViewFormatter);
             if (StringUtils.isNotBlank(redirect)) {
                 return redirect;
             }
