
fix: disallow SSRF via remote $ref#2224

Merged

daniel-kmiecik merged 3 commits into master from bug-bounty-fix-redirections, Sep 1, 2025

Conversation


@daniel-kmiecik daniel-kmiecik commented Aug 27, 2025

The current implementation of the URL validation logic bypasses the security controls of setSafelyResolveURL when an HTTP redirect is encountered. This allows a malicious OpenAPI specification to force the validator's host to connect to internal network resources, creating a significant security risk. This is a fix for this security issue.

@ewaostrowska ewaostrowska self-requested a review September 1, 2025 06:21
@ewaostrowska (Contributor)

Looks good :)

Copilot AI left a comment

Pull Request Overview

This PR implements security measures to prevent Server-Side Request Forgery (SSRF) attacks via remote $ref in the Swagger parser by introducing URL validation and restricting access to potentially dangerous network locations.

Key changes:

  • Adds PermittedUrlsChecker functionality to validate URLs before making remote requests
  • Implements redirect limits and protocol validation to prevent abuse
  • Updates test infrastructure to support HTTPS and handle URL security checks

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.

Summary per file:

  • pom.xml: Removes commented dependencies and adds system property for testing
  • RemoteUrl.java: Refactors URL handling with redirect limits, security checks, and improved error handling
  • RefUtils.java: Updates method signatures to include PermittedUrlsChecker parameter
  • Multiple test files: Updates tests to use HTTPS, adds security validation, and improves test structure
  • PermittedUrlsCheckerAllowLocal.java: New test utility class to allow local connections during testing

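The pattern the PR description and the review summary describe (follow redirects manually, re-validate every hop against a permitted-URLs policy, cap the hop count, allow only HTTP(S)), as an added example that is not swagger-parser's code; the class SafeRemoteRef, its methods and the sample URLs are assumptions, and the project's own PermittedUrlsChecker interface is not shown on this page.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URL;

// Hypothetical illustration of the control this PR describes; not swagger-parser's RemoteUrl or PermittedUrlsChecker.
public final class SafeRemoteRef {
    private static final int MAX_REDIRECTS = 5;

    // Policy check applied to the initial $ref URL and, separately, to every redirect target.
    public static boolean isPermitted(URL url) throws IOException {
        String proto = url.getProtocol();
        // file:, jar:, ftp: and similar schemes are never acceptable for a remote $ref
        if (!proto.equals("http") && !proto.equals("https")) return false;
        // Refuse if any address the host resolves to is loopback, link-local, site-local or wildcard.
        for (InetAddress addr : InetAddress.getAllByName(url.getHost())) {
            if (addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                    || addr.isSiteLocalAddress() || addr.isAnyLocalAddress()) return false;
        }
        return true;
    }

    // Opens the connection with automatic redirects disabled so each hop is re-validated by isPermitted.
    public static HttpURLConnection open(URL url) throws IOException {
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            if (!isPermitted(url)) throw new IOException("URL not permitted: " + url);
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setInstanceFollowRedirects(false);
            int code = conn.getResponseCode();
            if (code < 300 || code > 399) return conn; // final response; caller reads the body
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) throw new IOException("Redirect without Location header from " + url);
            url = new URL(url, location); // relative Location values resolve against the current URL
        }
        throw new IOException("Exceeded " + MAX_REDIRECTS + " redirects");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample URLs (IP literals, so this runs offline with no DNS lookups).
        String[] samples = {"https://198.51.100.10/openapi.yaml", "http://127.0.0.1/spec.yaml",
                "http://10.0.0.5/spec.yaml", "http://169.254.10.10/spec.yaml", "file:///etc/hosts"};
        for (String s : samples) {
            System.out.println(s + " -> " + (isPermitted(new URL(s)) ? "permitted" : "blocked"));
        }
    }
}
```

Resolving the host in isPermitted and again inside openConnection leaves a DNS-rebinding window between check and use; connecting to the address that was actually checked (or sharing one resolver result between the two) closes it.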

@daniel-kmiecik daniel-kmiecik merged commit 5dc2aae into master Sep 1, 2025
5 checks passed
@daniel-kmiecik daniel-kmiecik deleted the bug-bounty-fix-redirections branch September 1, 2025 14:00

rootxjs commented Sep 25, 2025

Fixes #2206

@daniel-kmiecik (Contributor, Author)

@rootxjs, thank you for bringing this to our attention! I am closing the issue :)
