Skip to content

fix: disallow SSRF via remote $ref #2224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 1, 2025
Merged

fix: disallow SSRF via remote $ref #2224

merged 3 commits into from
Sep 1, 2025

Conversation

@daniel-kmiecik
Copy link
Contributor

@daniel-kmiecik daniel-kmiecik commented Aug 27, 2025
edited
Loading

The current implementation of the URL validation logic bypasses the security controls of setSafelyResolveURL when an HTTP redirect is encountered. This allows a malicious OpenAPI specification to force the validator's host to connect to internal network resources, creating a significant security risk. This is a fix for this securrity issue.

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 27, 2025
View reviewed changes
modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/RemoteUrl.java
if (connection instanceof HttpsURLConnection) {
final HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
httpsConnection.setSSLSocketFactory(sf);
httpsConnection.setHostnameVerifier(trustAllNames);

Check warning

Code scanning / CodeQL

Unsafe hostname verification Medium

The
hostname verifier
Loading
defined by
this type
Loading
always accepts any certificate, even if the hostname does not match.

Copilot Autofix

AI 3 months ago

The best way to fix the problem is to remove the insecure HostnameVerifier that returns true and instead use the default hostname verifier provided by the JVM, ensuring proper hostname validation. If you must customize the verifier, it should fully validate the hostname according to RFC 2818 and relevant standards (e.g., by using Java's built-in HttpsURLConnection.getDefaultHostnameVerifier()).

In RemoteUrl.java:

  • Remove or replace the trustAllNames verifier.
  • Use HttpsURLConnection.getDefaultHostnameVerifier() when configuring HTTPS connections, even if the TRUST_ALL system property is set.
  • If certificate trust needs to be loosened for particular use-cases (testing), this should not disable hostname verification.
  • The actual code change is in the block that configures HttpsURLConnection in createConnectionConfigurator() to avoid the insecure verifier.

No changes are required in RemoteUrlTest.java, as the test logic does not reference custom hostname verifiers directly.

Suggested changeset 1
modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/RemoteUrl.java

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/RemoteUrl.java b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/RemoteUrl.java
--- a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/RemoteUrl.java
+++ b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/RemoteUrl.java
@@ -67,14 +67,14 @@
                 sc.init(null, trustAllCerts, new java.security.SecureRandom());
                 final SSLSocketFactory sf = sc.getSocketFactory();
 
-                // Create all-trusting host name verifier
-                final HostnameVerifier trustAllNames = (hostname, session) -> true;
+                // Use JVM default HostnameVerifier to ensure hostnames are properly validated
+                final HostnameVerifier defaultHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
 
                 return connection -> {
                     if (connection instanceof HttpsURLConnection) {
                         final HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
                         httpsConnection.setSSLSocketFactory(sf);
-                        httpsConnection.setHostnameVerifier(trustAllNames);
+                        httpsConnection.setHostnameVerifier(defaultHostnameVerifier);
                         httpsConnection.setConnectTimeout(CONNECTION_TIMEOUT);
                         httpsConnection.setReadTimeout(READ_TIMEOUT);
                         httpsConnection.setInstanceFollowRedirects(false);
EOF
@@ -67,14 +67,14 @@
sc.init(null, trustAllCerts, new java.security.SecureRandom());
final SSLSocketFactory sf = sc.getSocketFactory();

// Create all-trusting host name verifier
final HostnameVerifier trustAllNames = (hostname, session) -> true;
// Use JVM default HostnameVerifier to ensure hostnames are properly validated
final HostnameVerifier defaultHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();

return connection -> {
if (connection instanceof HttpsURLConnection) {
final HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
httpsConnection.setSSLSocketFactory(sf);
httpsConnection.setHostnameVerifier(trustAllNames);
httpsConnection.setHostnameVerifier(defaultHostnameVerifier);
httpsConnection.setConnectTimeout(CONNECTION_TIMEOUT);
httpsConnection.setReadTimeout(READ_TIMEOUT);
httpsConnection.setInstanceFollowRedirects(false);
Copilot is powered by AI and may make mistakes. Always verify output.
ewaostrowska
ewaostrowska requested changes Aug 29, 2025
View reviewed changes
@ewaostrowska ewaostrowska self-requested a review September 1, 2025 06:21
@ewaostrowska
Copy link
Contributor

ewaostrowska commented Sep 1, 2025

Looks good :)

Copilot AI reviewed Sep 1, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements security measures to prevent Server-Side Request Forgery (SSRF) attacks via remote $ref in the Swagger parser by introducing URL validation and restricting access to potentially dangerous network locations.

Key changes:

  • Adds PermittedUrlsChecker functionality to validate URLs before making remote requests
  • Implements redirect limits and protocol validation to prevent abuse
  • Updates test infrastructure to support HTTPS and handle URL security checks

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
pom.xml Removes commented dependencies and adds system property for testing
RemoteUrl.java Refactors URL handling with redirect limits, security checks, and improved error handling
RefUtils.java Updates method signatures to include PermittedUrlsChecker parameter
Multiple test files Updates tests to use HTTPS, adds security validation, and improves test structure
PermittedUrlsCheckerAllowLocal.java New test utility class to allow local connections during testing

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@daniel-kmiecik daniel-kmiecik merged commit 5dc2aae into master Sep 1, 2025
5 checks passed
@daniel-kmiecik daniel-kmiecik deleted the bug-bounty-fix-redirections branch September 1, 2025 14:00
@rootxjs
Copy link

rootxjs commented Sep 25, 2025
edited
Loading

Fixes #2206

@daniel-kmiecik
Copy link
Contributor Author

daniel-kmiecik commented Sep 25, 2025

@rootxjs, thank you for bringing this to our attention! I am closing the issue :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@djankows djankows djankows approved these changes

@ewaostrowska ewaostrowska ewaostrowska approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@daniel-kmiecik @ewaostrowska @rootxjs @djankows