LPD-72782 Create a configuration to remove client's IP from Liferay object

Author: izaera

modules/apps/frontend-js/frontend-js-web/src/main/java/com/liferay/frontend/js/web/internal/configuration/LiferayGlobalObjectConfiguration.java

@@ -0,0 +1,32 @@
+/**
+ * SPDX-FileCopyrightText: (c) 2025 Liferay, Inc. https://liferay.com
+ * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06
+ */
+
+package com.liferay.frontend.js.web.internal.configuration;
+
+import aQute.bnd.annotation.metatype.Meta;
+
+import com.liferay.portal.configuration.metatype.annotations.ExtendedObjectClassDefinition;
+
+/**
+ * @author Iván Zaera Avellón
+ */
+@ExtendedObjectClassDefinition(
+	category = "infrastructure",
+	scope = ExtendedObjectClassDefinition.Scope.COMPANY, strictScope = true
+)
+@Meta.OCD(
+	id = "com.liferay.frontend.js.web.internal.configuration.LiferayGlobalObjectConfiguration",
+	localization = "content/Language",
+	name = "liferay-global-object-configuration-name"
+)
+public interface LiferayGlobalObjectConfiguration {
+
+	@Meta.AD(
+		deflt = "false", description = "disable-get-remote-methods-help",
+		name = "disable-get-remote-methods", required = false
+	)
+	public boolean disableGetRemoteMethods();
+
+}

modules/apps/frontend-js/frontend-js-web/src/main/java/com/liferay/frontend/js/web/internal/servlet/taglib/LiferayGlobalObjectPreAUIDynamicInclude.java

@@ -6,11 +6,14 @@
 package com.liferay.frontend.js.web.internal.servlet.taglib;
 
 import com.liferay.exportimport.kernel.staging.Staging;
+import com.liferay.frontend.js.web.internal.configuration.LiferayGlobalObjectConfiguration;
 import com.liferay.layout.seo.kernel.LayoutSEOLink;
 import com.liferay.layout.seo.kernel.LayoutSEOLinkManager;
 import com.liferay.petra.string.CharPool;
 import com.liferay.petra.string.StringBundler;
 import com.liferay.petra.string.StringPool;
+import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
+import com.liferay.portal.configuration.module.configuration.ConfigurationProvider;
 import com.liferay.portal.kernel.content.security.policy.ContentSecurityPolicyNonceProviderUtil;
 import com.liferay.portal.kernel.exception.PortalException;
 import com.liferay.portal.kernel.feature.flag.FeatureFlag;
@@ -23,6 +26,7 @@
 import com.liferay.portal.kernel.model.LayoutTypePortlet;
 import com.liferay.portal.kernel.model.User;
 import com.liferay.portal.kernel.model.impl.VirtualLayout;
+import com.liferay.portal.kernel.module.configuration.ConfigurationException;
 import com.liferay.portal.kernel.security.auth.AuthToken;
 import com.liferay.portal.kernel.security.permission.ActionKeys;
 import com.liferay.portal.kernel.service.permission.LayoutPermission;
@@ -63,6 +67,7 @@
 import java.text.Format;
 import java.text.SimpleDateFormat;
 
+import java.util.Collections;
 import java.util.Locale;
 import java.util.Map;
 import java.util.TimeZone;
@@ -87,6 +92,9 @@ public void include(
 			HttpServletResponse httpServletResponse, String key)
 		throws IOException {
 
+		LiferayGlobalObjectConfiguration liferayGlobalObjectConfiguration =
+			_getLiferayGlobalObjectConfiguration(httpServletRequest);
+
 		PrintWriter printWriter = httpServletResponse.getWriter();
 
 		printWriter.print("<script");
@@ -107,7 +115,8 @@ public void include(
 			_renderLiferayPortlet(sb);
 			_renderLiferayPortletKeys(sb);
 			_renderLiferayPropsValues(httpServletRequest, sb);
-			_renderLiferayThemeDisplay(httpServletRequest, sb);
+			_renderLiferayThemeDisplay(
+				httpServletRequest, liferayGlobalObjectConfiguration, sb);
 			_renderLiferayUtil(sb);
 
 			_renderValue(
@@ -210,6 +219,35 @@ else if (dayIndex < monthIndex) {
 		return dateFormatPattern;
 	}
 
+	private LiferayGlobalObjectConfiguration
+		_getLiferayGlobalObjectConfiguration(
+			HttpServletRequest httpServletRequest) {
+
+		LiferayGlobalObjectConfiguration liferayGlobalObjectConfiguration;
+
+		long companyId = _portal.getCompanyId(httpServletRequest);
+
+		try {
+			liferayGlobalObjectConfiguration =
+				_configurationProvider.getCompanyConfiguration(
+					LiferayGlobalObjectConfiguration.class, companyId);
+		}
+		catch (ConfigurationException configurationException) {
+			if (_log.isWarnEnabled()) {
+				_log.warn(
+					"Using default configuration for company " + companyId,
+					configurationException);
+			}
+
+			liferayGlobalObjectConfiguration =
+				ConfigurableUtil.createConfigurable(
+					LiferayGlobalObjectConfiguration.class,
+					Collections.emptyMap());
+		}
+
+		return liferayGlobalObjectConfiguration;
+	}
+
 	private void _renderLiferayAUI(
 		HttpServletRequest httpServletRequest, StringBundler sb) {
 
@@ -499,7 +537,9 @@ private void _renderLiferayPropsValues(
 	}
 
 	private void _renderLiferayThemeDisplay(
-			HttpServletRequest httpServletRequest, StringBundler sb)
+			HttpServletRequest httpServletRequest,
+			LiferayGlobalObjectConfiguration liferayGlobalObjectConfiguration,
+			StringBundler sb)
 		throws PortalException {
 
 		sb.append("ThemeDisplay: {\n");
@@ -581,8 +621,11 @@ private void _renderLiferayThemeDisplay(
 		_renderMethod("getPlid", sb, themeDisplay.getPlid());
 		_renderMethod("getPortalURL", sb, themeDisplay.getPortalURL());
 		_renderMethod("getRealUserId", sb, themeDisplay.getRealUserId());
-		_renderMethod("getRemoteAddr", sb, themeDisplay.getRemoteAddr());
-		_renderMethod("getRemoteHost", sb, themeDisplay.getRemoteHost());
+
+		if (!liferayGlobalObjectConfiguration.disableGetRemoteMethods()) {
+			_renderMethod("getRemoteAddr", sb, themeDisplay.getRemoteAddr());
+			_renderMethod("getRemoteHost", sb, themeDisplay.getRemoteHost());
+		}
 
 		Group scopeGroup = themeDisplay.getScopeGroup();
 
@@ -751,6 +794,9 @@ else if (value instanceof String) {
 	@Reference
 	private AuthToken _authToken;
 
+	@Reference
+	private ConfigurationProvider _configurationProvider;
+
 	private final Map<Locale, String> _displayNames = new ConcurrentHashMap<>();
 
 	@Reference

modules/apps/portal-language/portal-language-lang/src/main/resources/content/Language.properties

@@ -6224,6 +6224,8 @@ disable-as-a-collection-provider-help=Disabling this as a collection provider wi
 disable-caching=Disable Caching
 disable-document-recording=Disable Document Recording
 disable-forwarding=Disable Forwarding
+disable-get-remote-methods=Disable getRemoteAddr() and getRemoteHost() methods
+disable-get-remote-methods-help=If checked, the methods getRemoteAddr() and getRemoteHost() will be undefined within the Liferay.ThemeDisplay global object. This configuration is primarily implemented to mitigate privacy risks by avoiding the exposure of client IP/host information and to optimize performance by allowing public caching of pages for unauthenticated users. Note that checking this option will make custom code that relies on these methods fail.
 disable-globally=Disable Multi-Factor Authentication
 disable-globally-description=Disable multi-factor authentication system-wide.
 disable-inheritance-confirmation=Disable Inheritance Confirmation
@@ -10783,6 +10785,7 @@ licenses-registered=Licenses Registered
 liferay=Liferay
 liferay-analytics-key=Liferay Analytics Key
 liferay-dxp-instance-has-to-be-connected-with-analytics-cloud-to-view-content-performance-metrics-and-build-a-successful-content-strategy=In order to view content performance metrics and build a successful content strategy, your Liferay DXP instance has to be connected with Liferay Analytics Cloud.
+liferay-global-object-configuration-name=Liferay Global Object
 liferay-has-failed-to-connect-to-the-ldap-server=Liferay has failed to connect to the LDAP server. Please check your configuration and verify that the LDAP server is running.
 liferay-has-failed-to-connect-to-the-opensso-server=Liferay has failed to connect to the OpenSSO server. Please check your configuration and verify that the OpenSSO server is running.
 liferay-has-failed-to-connect-to-the-opensso-services=Liferay has failed to connect to the OpenSSO services. Please verify that the OpenSSO services are running.