Sandboxed URL creation to prevent SSRF attacks

modules/openapi-generator-maven-plugin/src/main/java/org/openapitools/codegen/plugin/CodeGenMojo.java

@@ -19,6 +19,8 @@
 
 import com.google.common.hash.Hashing;
 import com.google.common.io.Files;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import io.swagger.parser.OpenAPIParser;
 import io.swagger.v3.core.util.Json;
 import io.swagger.v3.core.util.Yaml;
@@ -1037,7 +1039,7 @@ private ClassLoader dependencyClassLoader() {
         for (Artifact artifact : project.getArtifacts()) {
             try {
                 if (artifact.isResolved() && artifact.getType().equals("jar")) {
-                    list.add(new URL("jar:" + artifact.getFile().toURI() + "!/"));
+                    list.add(Urls.create("jar:" + artifact.getFile().toURI() + "!/", Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS));
                 }
             } catch (Exception e) {
             }

modules/openapi-generator/pom.xml

@@ -459,6 +459,10 @@
             <artifactId>lombok</artifactId>
             <version>${lombok.version}</version>
         </dependency>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
     </dependencies>
     <repositories>
         <repository>

modules/openapi-generator/src/main/java/org/openapitools/codegen/utils/URLPathUtils.java

@@ -17,6 +17,8 @@
 
 package org.openapitools.codegen.utils;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.oas.models.servers.Server;
 import io.swagger.v3.oas.models.servers.ServerVariable;
@@ -65,7 +67,7 @@ public static URL getServerURL(final Server server, final Map<String, String> us
             url = sanitizeUrl(url);
 
             try {
-                return new URL(url);
+                return Urls.create(url, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
             } catch (MalformedURLException e) {
                 once(LOGGER).warn("Not valid URL: {}. Default to {}.", server.getUrl(), LOCAL_HOST);
             }

pom.xml

@@ -1198,6 +1198,11 @@
                 <version>${testng.version}</version>
                 <scope>test</scope>
             </dependency>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <repositories>
@@ -1254,5 +1259,6 @@
         <wagon-ssh-external.version>3.4.3</wagon-ssh-external.version>
         <wagon-svn.version>1.12</wagon-svn.version>
         <wagon-webdav.version>1.0-beta-2</wagon-webdav.version>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
     </properties>
 </project>

samples/client/petstore/java-micronaut-client/.mvn/wrapper/MavenWrapperDownloader.java

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -112,7 +114,7 @@ protected PasswordAuthentication getPasswordAuthentication() {
                 }
             });
         }
-        URL website = new URL(urlString);
+        URL website = Urls.create(urlString, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
         ReadableByteChannel rbc;
         rbc = Channels.newChannel(website.openStream());
         FileOutputStream fos = new FileOutputStream(destination);

samples/client/petstore/java-micronaut-client/pom.xml

@@ -22,6 +22,7 @@
         <micronaut.version>3.4.3</micronaut.version>
         <exec.mainClass>org.openapitools.Application</exec.mainClass>
         <micronaut.runtime>netty</micronaut.runtime>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
     </properties>
 
     <repositories>
@@ -170,5 +171,19 @@
             </plugin>
         </plugins>
     </build>
-
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <dependencies>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
+    </dependencies>
 </project>

samples/server/petstore/java-micronaut-server/.mvn/wrapper/MavenWrapperDownloader.java

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -112,7 +114,7 @@ protected PasswordAuthentication getPasswordAuthentication() {
                 }
             });
         }
-        URL website = new URL(urlString);
+        URL website = Urls.create(urlString, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
         ReadableByteChannel rbc;
         rbc = Channels.newChannel(website.openStream());
         FileOutputStream fos = new FileOutputStream(destination);

samples/server/petstore/java-micronaut-server/pom.xml

@@ -23,6 +23,7 @@
         <exec.mainClass>org.openapitools.Application</exec.mainClass>
         <micronaut.runtime>netty</micronaut.runtime>
         <swagger-annotations-version>2.2.7</swagger-annotations-version>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
     </properties>
 
     <repositories>
@@ -156,5 +157,19 @@
             </plugin>
         </plugins>
     </build>
-
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <dependencies>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
+    </dependencies>
 </project>

samples/server/petstore/java-play-framework-api-package-override/app/openapitools/SecurityAPIUtils.java

@@ -11,6 +11,8 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.typesafe.config.Config;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
@@ -119,7 +121,7 @@ public boolean isTokenValidByOfflineCheck(String bearerToken, String securityMet
                     securityMethodName = optionalSecurityMethodName.get();
                 }
 
-                Jwk jwk = new UrlJwkProvider(new URL(this.jwksEndpoints.get(securityMethodName))).get(keyId);
+                Jwk jwk = new UrlJwkProvider(Urls.create(this.jwksEndpoints.get(securityMethodName), Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS)).get(keyId);
                 final PublicKey publicKey = jwk.getPublicKey();
 
                 if (!(publicKey instanceof RSAPublicKey)) {

samples/server/petstore/java-play-framework-api-package-override/pom.xml

@@ -43,4 +43,22 @@
             </plugin>
         </plugins>
     </build>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <properties>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
+    </dependencies>
 </project>

samples/server/petstore/java-play-framework-async/app/openapitools/SecurityAPIUtils.java

@@ -11,6 +11,8 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.typesafe.config.Config;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
@@ -119,7 +121,7 @@ public boolean isTokenValidByOfflineCheck(String bearerToken, String securityMet
                     securityMethodName = optionalSecurityMethodName.get();
                 }
 
-                Jwk jwk = new UrlJwkProvider(new URL(this.jwksEndpoints.get(securityMethodName))).get(keyId);
+                Jwk jwk = new UrlJwkProvider(Urls.create(this.jwksEndpoints.get(securityMethodName), Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS)).get(keyId);
                 final PublicKey publicKey = jwk.getPublicKey();
 
                 if (!(publicKey instanceof RSAPublicKey)) {

samples/server/petstore/java-play-framework-async/pom.xml

@@ -43,4 +43,22 @@
             </plugin>
         </plugins>
     </build>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <properties>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
+    </dependencies>
 </project>

samples/server/petstore/java-play-framework-controller-only/app/openapitools/SecurityAPIUtils.java

@@ -11,6 +11,8 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.typesafe.config.Config;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
@@ -119,7 +121,7 @@ public boolean isTokenValidByOfflineCheck(String bearerToken, String securityMet
                     securityMethodName = optionalSecurityMethodName.get();
                 }
 
-                Jwk jwk = new UrlJwkProvider(new URL(this.jwksEndpoints.get(securityMethodName))).get(keyId);
+                Jwk jwk = new UrlJwkProvider(Urls.create(this.jwksEndpoints.get(securityMethodName), Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS)).get(keyId);
                 final PublicKey publicKey = jwk.getPublicKey();
 
                 if (!(publicKey instanceof RSAPublicKey)) {

samples/server/petstore/java-play-framework-controller-only/pom.xml

@@ -43,4 +43,22 @@
             </plugin>
         </plugins>
     </build>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <properties>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
+    </dependencies>
 </project>

samples/server/petstore/java-play-framework-fake-endpoints-with-security/app/openapitools/SecurityAPIUtils.java

@@ -11,6 +11,8 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.typesafe.config.Config;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
@@ -119,7 +121,7 @@ public boolean isTokenValidByOfflineCheck(String bearerToken, String securityMet
                     securityMethodName = optionalSecurityMethodName.get();
                 }
 
-                Jwk jwk = new UrlJwkProvider(new URL(this.jwksEndpoints.get(securityMethodName))).get(keyId);
+                Jwk jwk = new UrlJwkProvider(Urls.create(this.jwksEndpoints.get(securityMethodName), Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS)).get(keyId);
                 final PublicKey publicKey = jwk.getPublicKey();
 
                 if (!(publicKey instanceof RSAPublicKey)) {

samples/server/petstore/java-play-framework-fake-endpoints-with-security/pom.xml

@@ -43,4 +43,22 @@
             </plugin>
         </plugins>
     </build>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <properties>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
+    </dependencies>
 </project>

samples/server/petstore/java-play-framework-fake-endpoints/app/openapitools/SecurityAPIUtils.java

@@ -11,6 +11,8 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.typesafe.config.Config;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
@@ -119,7 +121,7 @@ public boolean isTokenValidByOfflineCheck(String bearerToken, String securityMet
                     securityMethodName = optionalSecurityMethodName.get();
                 }
 
-                Jwk jwk = new UrlJwkProvider(new URL(this.jwksEndpoints.get(securityMethodName))).get(keyId);
+                Jwk jwk = new UrlJwkProvider(Urls.create(this.jwksEndpoints.get(securityMethodName), Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS)).get(keyId);
                 final PublicKey publicKey = jwk.getPublicKey();
 
                 if (!(publicKey instanceof RSAPublicKey)) {

samples/server/petstore/java-play-framework-fake-endpoints/pom.xml

@@ -43,4 +43,22 @@
             </plugin>
         </plugins>
     </build>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <properties>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
+    </dependencies>
 </project>

samples/server/petstore/java-play-framework-no-bean-validation/app/openapitools/SecurityAPIUtils.java

@@ -11,6 +11,8 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.typesafe.config.Config;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
@@ -119,7 +121,7 @@ public boolean isTokenValidByOfflineCheck(String bearerToken, String securityMet
                     securityMethodName = optionalSecurityMethodName.get();
                 }
 
-                Jwk jwk = new UrlJwkProvider(new URL(this.jwksEndpoints.get(securityMethodName))).get(keyId);
+                Jwk jwk = new UrlJwkProvider(Urls.create(this.jwksEndpoints.get(securityMethodName), Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS)).get(keyId);
                 final PublicKey publicKey = jwk.getPublicKey();
 
                 if (!(publicKey instanceof RSAPublicKey)) {