Fixing regex bypass issue (#4336)

* Fixing regex bypass issue

Signed-off-by: zane-neo <zaniu@amazon.com>

* fix failure ITs

Signed-off-by: zane-neo <zaniu@amazon.com>

* Change connector private ip enabled to boolean type

Signed-off-by: zane-neo <zaniu@amazon.com>

* fix dependency version conflict issue

Signed-off-by: zane-neo <zaniu@amazon.com>

---------

Signed-off-by: zane-neo <zaniu@amazon.com>

Author: zane-neo

common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java

@@ -5,15 +5,9 @@
 
 package org.opensearch.ml.common.httpclient;
 
-import java.net.Inet4Address;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.time.Duration;
-import java.util.Arrays;
-import java.util.Locale;
-import java.util.concurrent.atomic.AtomicBoolean;
+import static org.opensearch.secure_sm.AccessController.doPrivileged;
 
-import org.opensearch.common.util.concurrent.ThreadContextAccess;
+import java.time.Duration;
 
 import lombok.extern.log4j.Log4j2;
 import software.amazon.awssdk.http.async.SdkAsyncHttpClient;
@@ -22,79 +16,27 @@
 @Log4j2
 public class MLHttpClientFactory {
 
-    public static SdkAsyncHttpClient getAsyncHttpClient(Duration connectionTimeout, Duration readTimeout, int maxConnections) {
-        return ThreadContextAccess
-            .doPrivileged(
-                () -> NettyNioAsyncHttpClient
-                    .builder()
-                    .connectionTimeout(connectionTimeout)
-                    .readTimeout(readTimeout)
-                    .maxConcurrency(maxConnections)
-                    .build()
-            );
-    }
-
-    /**
-     * Validate the input parameters, such as protocol, host and port.
-     * @param protocol The protocol supported in remote inference, currently only http and https are supported.
-     * @param host The host name of the remote inference server, host must be a valid ip address or domain name and must not be localhost.
-     * @param port The port number of the remote inference server, port number must be in range [0, 65536].
-     * @param connectorPrivateIpEnabled The port number of the remote inference server, port number must be in range [0, 65536].
-     * @throws UnknownHostException Allow to use private IP or not.
-     */
-    public static void validate(String protocol, String host, int port, AtomicBoolean connectorPrivateIpEnabled)
-        throws UnknownHostException {
-        if (protocol != null && !"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
-            log.error("Remote inference protocol is not http or https: {}", protocol);
-            throw new IllegalArgumentException("Protocol is not http or https: " + protocol);
-        }
-        // When port is not specified, the default port is -1, and we need to set it to 80 or 443 based on protocol.
-        if (port == -1) {
-            if (protocol == null || "http".equals(protocol.toLowerCase(Locale.getDefault()))) {
-                port = 80;
-            } else {
-                port = 443;
-            }
-        }
-        if (port < 0 || port > 65536) {
-            log.error("Remote inference port out of range: {}", port);
-            throw new IllegalArgumentException("Port out of range: " + port);
-        }
-        validateIp(host, connectorPrivateIpEnabled);
-    }
-
-    private static void validateIp(String hostName, AtomicBoolean connectorPrivateIpEnabled) throws UnknownHostException {
-        InetAddress[] addresses = InetAddress.getAllByName(hostName);
-        if ((connectorPrivateIpEnabled == null || !connectorPrivateIpEnabled.get()) && hasPrivateIpAddress(addresses)) {
-            log.error("Remote inference host name has private ip address: {}", hostName);
-            throw new IllegalArgumentException("Remote inference host name has private ip address: " + hostName);
-        }
-    }
-
-    private static boolean hasPrivateIpAddress(InetAddress[] ipAddress) {
-        for (InetAddress ip : ipAddress) {
-            if (ip instanceof Inet4Address) {
-                byte[] bytes = ip.getAddress();
-                if (bytes.length != 4) {
-                    return true;
-                } else {
-                    if (isPrivateIPv4(bytes)) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return Arrays.stream(ipAddress).anyMatch(x -> x.isSiteLocalAddress() || x.isLoopbackAddress() || x.isAnyLocalAddress());
-    }
-
-    private static boolean isPrivateIPv4(byte[] bytes) {
-        int first = bytes[0] & 0xff;
-        int second = bytes[1] & 0xff;
-
-        // 127.0.0.1, 10.x.x.x, 172.16-31.x.x, 192.168.x.x, 169.254.x.x
-        return (first == 10)
-            || (first == 172 && second >= 16 && second <= 31)
-            || (first == 192 && second == 168)
-            || (first == 169 && second == 254);
+    public static SdkAsyncHttpClient getAsyncHttpClient(
+        Duration connectionTimeout,
+        Duration readTimeout,
+        int maxConnections,
+        boolean connectorPrivateIpEnabled
+    ) {
+        return doPrivileged(() -> {
+            log
+                .debug(
+                    "Creating MLHttpClient with connectionTimeout: {}, readTimeout: {}, maxConnections: {}",
+                    connectionTimeout,
+                    readTimeout,
+                    maxConnections
+                );
+            SdkAsyncHttpClient delegate = NettyNioAsyncHttpClient
+                .builder()
+                .connectionTimeout(connectionTimeout)
+                .readTimeout(readTimeout)
+                .maxConcurrency(maxConnections)
+                .build();
+            return new MLValidatableAsyncHttpClient(delegate, connectorPrivateIpEnabled);
+        });
     }
 }

common/src/main/java/org/opensearch/ml/common/httpclient/MLValidatableAsyncHttpClient.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.ml.common.httpclient;
+
+import java.net.Inet4Address;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.concurrent.CompletableFuture;
+
+import lombok.extern.log4j.Log4j2;
+import software.amazon.awssdk.http.async.AsyncExecuteRequest;
+import software.amazon.awssdk.http.async.SdkAsyncHttpClient;
+
+@Log4j2
+public class MLValidatableAsyncHttpClient implements SdkAsyncHttpClient {
+    private final SdkAsyncHttpClient delegate;
+    private final boolean connectorPrivateIpEnabled;
+
+    protected MLValidatableAsyncHttpClient(SdkAsyncHttpClient client, boolean connectorPrivateIpEnabled) {
+        this.delegate = client;
+        this.connectorPrivateIpEnabled = connectorPrivateIpEnabled;
+    }
+
+    @Override
+    public CompletableFuture<Void> execute(AsyncExecuteRequest request) {
+        String protocol = request.request().protocol();
+        String host = request.request().host();
+        int port = request.request().port();
+        try {
+            validate(protocol, host, port, connectorPrivateIpEnabled);
+            return delegate.execute(request);
+        } catch (Exception e) {
+            log.error("Failed to validate request!", e);
+            throw new IllegalArgumentException(e.getMessage(), e);
+        }
+    }
+
+    @Override
+    public void close() {
+        delegate.close();
+    }
+
+    /**
+     * Validate the input parameters, such as protocol, host and port.
+     * @param protocol The protocol supported in remote inference, currently only http and https are supported.
+     * @param host The host name of the remote inference server, host must be a valid ip address or domain name and must not be localhost.
+     * @param port The port number of the remote inference server, port number must be in range [0, 65536].
+     * @param connectorPrivateIpEnabled The port number of the remote inference server, port number must be in range [0, 65536].
+     * @throws UnknownHostException Allow to use private IP or not.
+     */
+    public void validate(String protocol, String host, int port, boolean connectorPrivateIpEnabled) throws UnknownHostException {
+        if (protocol != null && !"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
+            log.error("Remote inference protocol is not http or https: {}", protocol);
+            throw new IllegalArgumentException("Protocol is not http or https: " + protocol);
+        }
+        // When port is not specified, the default port is -1, and we need to set it to 80 or 443 based on protocol.
+        if (port == -1) {
+            if (protocol == null || "http".equals(protocol.toLowerCase(Locale.getDefault()))) {
+                port = 80;
+            } else {
+                port = 443;
+            }
+        }
+        if (port < 0 || port > 65536) {
+            log.error("Remote inference port out of range: {}", port);
+            throw new IllegalArgumentException("Port out of range: " + port);
+        }
+        validateIp(host, connectorPrivateIpEnabled);
+    }
+
+    private void validateIp(String hostName, boolean connectorPrivateIpEnabled) throws UnknownHostException {
+        InetAddress[] addresses = InetAddress.getAllByName(hostName);
+        if (!connectorPrivateIpEnabled && hasPrivateIpAddress(addresses)) {
+            log.error("Remote inference host name has private ip address: {}", hostName);
+            throw new IllegalArgumentException("Remote inference host name has private ip address: " + hostName);
+        }
+    }
+
+    private boolean hasPrivateIpAddress(InetAddress[] ipAddress) {
+        for (InetAddress ip : ipAddress) {
+            if (ip instanceof Inet4Address) {
+                byte[] bytes = ip.getAddress();
+                if (bytes.length != 4) {
+                    return true;
+                } else {
+                    if (isPrivateIPv4(bytes)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return Arrays.stream(ipAddress).anyMatch(x -> x.isSiteLocalAddress() || x.isLoopbackAddress() || x.isAnyLocalAddress());
+    }
+
+    private boolean isPrivateIPv4(byte[] bytes) {
+        int first = bytes[0] & 0xff;
+        int second = bytes[1] & 0xff;
+
+        // 127.0.0.1, 10.x.x.x, 172.16-31.x.x, 192.168.x.x, 169.254.x.x
+        return (first == 10)
+            || (first == 172 && second >= 16 && second <= 31)
+            || (first == 192 && second == 168)
+            || (first == 169 && second == 254);
+    }
+}

common/src/main/java/org/opensearch/ml/common/settings/MLFeatureEnabledSetting.java

@@ -25,7 +25,6 @@
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Settings;
@@ -38,7 +37,7 @@ public class MLFeatureEnabledSetting {
     private volatile Boolean isAgentFrameworkEnabled;
 
     private volatile Boolean isLocalModelEnabled;
-    private volatile AtomicBoolean isConnectorPrivateIpEnabled;
+    private volatile Boolean isConnectorPrivateIpEnabled;
 
     private volatile Boolean isControllerEnabled;
     private volatile Boolean isBatchIngestionEnabled;
@@ -70,7 +69,7 @@ public MLFeatureEnabledSetting(ClusterService clusterService, Settings settings)
         isRemoteInferenceEnabled = ML_COMMONS_REMOTE_INFERENCE_ENABLED.get(settings);
         isAgentFrameworkEnabled = ML_COMMONS_AGENT_FRAMEWORK_ENABLED.get(settings);
         isLocalModelEnabled = ML_COMMONS_LOCAL_MODEL_ENABLED.get(settings);
-        isConnectorPrivateIpEnabled = new AtomicBoolean(ML_COMMONS_CONNECTOR_PRIVATE_IP_ENABLED.get(settings));
+        isConnectorPrivateIpEnabled = ML_COMMONS_CONNECTOR_PRIVATE_IP_ENABLED.get(settings);
         isControllerEnabled = ML_COMMONS_CONTROLLER_ENABLED.get(settings);
         isBatchIngestionEnabled = ML_COMMONS_OFFLINE_BATCH_INGESTION_ENABLED.get(settings);
         isBatchInferenceEnabled = ML_COMMONS_OFFLINE_BATCH_INFERENCE_ENABLED.get(settings);
@@ -94,7 +93,7 @@ public MLFeatureEnabledSetting(ClusterService clusterService, Settings settings)
         clusterService.getClusterSettings().addSettingsUpdateConsumer(ML_COMMONS_LOCAL_MODEL_ENABLED, it -> isLocalModelEnabled = it);
         clusterService
             .getClusterSettings()
-            .addSettingsUpdateConsumer(ML_COMMONS_CONNECTOR_PRIVATE_IP_ENABLED, it -> isConnectorPrivateIpEnabled.set(it));
+            .addSettingsUpdateConsumer(ML_COMMONS_CONNECTOR_PRIVATE_IP_ENABLED, it -> isConnectorPrivateIpEnabled = it);
         clusterService.getClusterSettings().addSettingsUpdateConsumer(ML_COMMONS_CONTROLLER_ENABLED, it -> isControllerEnabled = it);
         clusterService
             .getClusterSettings()
@@ -145,7 +144,7 @@ public boolean isLocalModelEnabled() {
         return isLocalModelEnabled;
     }
 
-    public AtomicBoolean isConnectorPrivateIpEnabled() {
+    public boolean isConnectorPrivateIpEnabled() {
         return isConnectorPrivateIpEnabled;
     }