fix: disallow SSRF via remote $ref

Author: daniel-kmiecik

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/ResolverCache.java

@@ -21,9 +21,9 @@
 import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
 import io.swagger.v3.parser.urlresolver.exceptions.HostDeniedException;
 import io.swagger.v3.parser.util.DeserializationUtils;
+import io.swagger.v3.parser.util.OpenAPIDeserializer;
 import io.swagger.v3.parser.util.PathUtils;
 import io.swagger.v3.parser.util.RefUtils;
-import io.swagger.v3.parser.util.OpenAPIDeserializer;
 import org.apache.commons.lang3.StringUtils;
 
 import java.io.File;
@@ -72,6 +72,7 @@ public class ResolverCache {
     private Set<String> resolveValidationMessages;
     private final ParseOptions parseOptions;
     protected boolean openapi31;
+    private final PermittedUrlsChecker permittedUrlsChecker;
 
     /*
      * a map that stores original external references, and their associated renamed
@@ -94,6 +95,7 @@ public ResolverCache(OpenAPI openApi, List<AuthorizationValue> auths, String par
         this.rootPath = parentFileLocation;
         this.resolveValidationMessages = resolveValidationMessages;
         this.parseOptions = parseOptions;
+        this.permittedUrlsChecker = new PermittedUrlsChecker(parseOptions.getRemoteRefAllowList(), parseOptions.getRemoteRefBlockList());
 
         if(parentFileLocation != null) {
             if(parentFileLocation.startsWith("http") || parentFileLocation.startsWith("jar")) {
@@ -153,13 +155,13 @@ public <T> T loadRef(String ref, RefFormat refFormat, Class<T> expectedType) {
             }
 
             if(parentDirectory != null) {
-                contents = RefUtils.readExternalRef(file, refFormat, auths, parentDirectory);
+                contents = RefUtils.readExternalRef(file, refFormat, auths, parentDirectory, permittedUrlsChecker);
             }
             else if(rootPath != null && rootPath.startsWith("http")) {
-                contents = RefUtils.readExternalUrlRef(file, refFormat, auths, rootPath);
+                contents = RefUtils.readExternalUrlRef(file, refFormat, auths, rootPath, permittedUrlsChecker);
             }
             else if (rootPath != null) {
-                contents = RefUtils.readExternalClasspathRef(file, refFormat, auths, rootPath);
+                contents = RefUtils.readExternalClasspathRef(file, refFormat, auths, rootPath, permittedUrlsChecker);
 
             }
             externalFileCache.put(file, contents);
@@ -382,9 +384,6 @@ private Object getFromMap(String ref, Map map, Pattern pattern) {
 
     protected void checkUrlIsPermitted(String refSet) {
         try {
-            PermittedUrlsChecker permittedUrlsChecker = new PermittedUrlsChecker(parseOptions.getRemoteRefAllowList(),
-                    parseOptions.getRemoteRefBlockList());
-
             permittedUrlsChecker.verify(refSet);
         } catch (HostDeniedException e) {
             throw new RuntimeException(e.getMessage());

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/ReferenceVisitor.java

@@ -35,6 +35,7 @@ public class ReferenceVisitor extends AbstractVisitor {
     protected OpenAPI31Traverser openAPITraverser;
     protected Reference reference;
     protected DereferencerContext context;
+    private PermittedUrlsChecker permittedUrlsChecker;
 
     public ReferenceVisitor(
             Reference reference,
@@ -59,6 +60,8 @@ public ReferenceVisitor(
         this.visited = visited;
         this.visitedMap = visitedMap;
         this.context = context;
+        this.permittedUrlsChecker = new PermittedUrlsChecker(context.getParseOptions().getRemoteRefAllowList(),
+                context.getParseOptions().getRemoteRefBlockList());
     }
 
     public String toBaseURI(String uri) throws Exception{
@@ -193,11 +196,11 @@ public Header visitHeader(Header header){
     }
 
     @Override
-    public String readHttp(String uri, List<AuthorizationValue> auths) throws Exception {
+    public String readHttp(String uri, List<AuthorizationValue> auths, PermittedUrlsChecker permittedUrlsChecker) throws Exception {
         if(context.getParseOptions().isSafelyResolveURL()){
-            checkUrlIsPermitted(uri);
+            permittedUrlsChecker.verify(uri);
         }
-        return RemoteUrl.urlToString(uri, auths);
+        return RemoteUrl.urlToString(uri, auths, permittedUrlsChecker);
     }
 
     public<T> T resolveRef(T visiting, String ref, Class<T> clazz, BiFunction<T, ReferenceVisitor, T> traverseFunction){
@@ -313,13 +316,6 @@ public JsonNode parse(String absoluteUri, List<AuthorizationValue> auths) throws
             }
         }
 
-        return deserializeIntoTree(readURI(absoluteUri, auths));
-    }
-
-    protected void checkUrlIsPermitted(String refSet) throws HostDeniedException {
-        PermittedUrlsChecker permittedUrlsChecker = new PermittedUrlsChecker(context.getParseOptions().getRemoteRefAllowList(),
-                context.getParseOptions().getRemoteRefBlockList());
-
-        permittedUrlsChecker.verify(refSet);
+        return deserializeIntoTree(readURI(absoluteUri, auths, permittedUrlsChecker));
     }
 }

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/Visitor.java

@@ -17,6 +17,7 @@
 import io.swagger.v3.oas.models.responses.ApiResponses;
 import io.swagger.v3.oas.models.security.SecurityScheme;
 import io.swagger.v3.parser.core.models.AuthorizationValue;
+import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
 import io.swagger.v3.parser.util.ClasspathHelper;
 import io.swagger.v3.parser.util.RemoteUrl;
 import org.apache.commons.io.IOUtils;
@@ -68,18 +69,18 @@ default String readFile(String path) throws Exception {
         }
     }
 
-    default String readClasspath(String classPath) throws Exception {
+    default String readClasspath(String classPath) {
         return ClasspathHelper.loadFileFromClasspath(classPath);
     }
-    default String readHttp(String uri, List<AuthorizationValue> auths) throws Exception {
-        return RemoteUrl.urlToString(uri, auths);
+    default String readHttp(String uri, List<AuthorizationValue> auths, PermittedUrlsChecker permittedUrlsChecker) throws Exception {
+        return RemoteUrl.urlToString(uri, auths, permittedUrlsChecker);
     }
 
-    default String readURI(String absoluteUri, List<AuthorizationValue> auths) throws Exception {
+    default String readURI(String absoluteUri, List<AuthorizationValue> auths, PermittedUrlsChecker permittedUrlsChecker) throws Exception {
         URI resolved = new URI(absoluteUri);
         if (StringUtils.isNotBlank(resolved.getScheme())) {
             if (resolved.getScheme().startsWith("http")) {
-                return readHttp(absoluteUri, auths);
+                return readHttp(absoluteUri, auths, permittedUrlsChecker);
             } else if (resolved.getScheme().startsWith("file")) {
                 return readFile(resolved.getPath());
             } else if (resolved.getScheme().startsWith("classpath")) {

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/RefUtils.java

@@ -3,10 +3,8 @@
 import io.swagger.v3.parser.core.models.AuthorizationValue;
 import io.swagger.v3.parser.models.RefFormat;
 import io.swagger.v3.parser.processors.ExternalRefProcessor;
+import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
 import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang3.StringUtils;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
 
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -18,6 +16,8 @@
 import java.util.List;
 import java.util.Optional;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 public class RefUtils {
 
     private static final String REFERENCE_SEPARATOR = "#/";
@@ -50,10 +50,10 @@ public static String computeDefinitionName(String ref) {
             final String[] split = plausibleName.split("\\.");
             // Fix for issue-1621 and issue-1865
             //validate number of dots
-            if(split.length > 2) {
+            if (split.length > 2) {
                 //Remove dot so ref can be interpreted as internal and relative in Swagger-Core schema class 'set$ref'
                 plausibleName = String.join("", Arrays.copyOf(split, split.length - 1));
-            }else{
+            } else {
                 plausibleName = split[0];
             }
         }
@@ -66,24 +66,26 @@ public static Optional<String> getExternalPath(String ref) {
             return Optional.empty();
         }
         return Optional.of(ref.split(REFERENCE_SEPARATOR))
-            .filter(it -> it.length == 2)
-            .map(it -> it[0])
-            .filter(it -> !it.isEmpty());
+                .filter(it -> it.length == 2)
+                .map(it -> it[0])
+                .filter(it -> !it.isEmpty());
     }
 
     public static boolean isAnExternalRefFormat(RefFormat refFormat) {
         return refFormat == RefFormat.URL || refFormat == RefFormat.RELATIVE;
     }
 
     public static RefFormat computeRefFormat(String ref) {
-        RefFormat result = RefFormat.INTERNAL;
+        RefFormat result;
         ref = mungedRef(ref);
-        if(ref.startsWith("http")||ref.startsWith("https")) {
+        if (ref.startsWith("http") || ref.startsWith("https")) {
             result = RefFormat.URL;
-        } else if(ref.startsWith(REFERENCE_SEPARATOR)) {
+        } else if (ref.startsWith(REFERENCE_SEPARATOR)) {
             result = RefFormat.INTERNAL;
-        } else if(ref.startsWith(".") || ref.startsWith("/") || ref.indexOf(REFERENCE_SEPARATOR) > 0) {
+        } else if (ref.startsWith(".") || ref.startsWith("/") || ref.indexOf(REFERENCE_SEPARATOR) > 0) {
             result = RefFormat.RELATIVE;
+        } else {
+            result = RefFormat.INTERNAL;
         }
 
         return result;
@@ -103,7 +105,7 @@ public static String mungedRef(String refString) {
 
 
     public static String readExternalUrlRef(String file, RefFormat refFormat, List<AuthorizationValue> auths,
-                                            String rootPath) {
+                                            String rootPath, PermittedUrlsChecker permittedUrlsChecker) {
 
         if (!RefUtils.isAnExternalRefFormat(refFormat)) {
             throw new RuntimeException("Ref is not external");
@@ -113,12 +115,12 @@ public static String readExternalUrlRef(String file, RefFormat refFormat, List<A
 
         try {
             if (refFormat == RefFormat.URL) {
-                result = RemoteUrl.urlToString(file, auths);
+                result = RemoteUrl.urlToString(file, auths, permittedUrlsChecker);
             } else {
                 //its assumed to be a relative ref
                 String url = buildUrl(rootPath, file);
 
-                return readExternalRef(url, RefFormat.URL, auths, null);
+                return readExternalRef(url, RefFormat.URL, auths, null, permittedUrlsChecker);
             }
         } catch (Exception e) {
             throw new RuntimeException("Unable to load " + refFormat + " ref: " + file, e);
@@ -129,7 +131,7 @@ public static String readExternalUrlRef(String file, RefFormat refFormat, List<A
     }
 
     public static String readExternalClasspathRef(String file, RefFormat refFormat, List<AuthorizationValue> auths,
-                                                  String rootPath) {
+                                                  String rootPath, PermittedUrlsChecker permittedUrlsChecker) {
 
         if (!RefUtils.isAnExternalRefFormat(refFormat)) {
             throw new RuntimeException("Ref is not external");
@@ -139,7 +141,7 @@ public static String readExternalClasspathRef(String file, RefFormat refFormat,
 
         try {
             if (refFormat == RefFormat.URL) {
-                result = RemoteUrl.urlToString(file, auths);
+                result = RemoteUrl.urlToString(file, auths, permittedUrlsChecker);
             } else {
                 //its assumed to be a relative ref
                 String pathRef = ExternalRefProcessor.join(rootPath, file);
@@ -155,24 +157,23 @@ public static String readExternalClasspathRef(String file, RefFormat refFormat,
     }
 
     public static String buildUrl(String rootPath, String relativePath) {
-      if(rootPath == null || relativePath == null) {
-          return null;
-      }
-
-      try {
-          int until = rootPath.lastIndexOf("/")+1;
-          String root = rootPath.substring(0, until);
-          URL rootUrl = new URL(root);
-          URL finalUrl = new URL(rootUrl, relativePath);
-          return finalUrl.toString();
-      }
-      catch(Exception e) {
-          throw new RuntimeException(e);
-      }
+        if (rootPath == null || relativePath == null) {
+            return null;
+        }
+
+        try {
+            int until = rootPath.lastIndexOf("/") + 1;
+            String root = rootPath.substring(0, until);
+            URL rootUrl = new URL(root);
+            URL finalUrl = new URL(rootUrl, relativePath);
+            return finalUrl.toString();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
     }
 
     public static String readExternalRef(String file, RefFormat refFormat, List<AuthorizationValue> auths,
-                                         Path parentDirectory) {
+                                         Path parentDirectory, PermittedUrlsChecker permittedUrlsChecker) {
 
         if (!RefUtils.isAnExternalRefFormat(refFormat)) {
             throw new RuntimeException("Ref is not external");
@@ -182,12 +183,12 @@ public static String readExternalRef(String file, RefFormat refFormat, List<Auth
 
         try {
             if (refFormat == RefFormat.URL) {
-                result = RemoteUrl.urlToString(file, auths);
+                result = RemoteUrl.urlToString(file, auths, permittedUrlsChecker);
             } else {
                 //its assumed to be a relative file ref
                 final Path pathToUse = parentDirectory.resolve(file).normalize();
 
-                if(Files.exists(pathToUse)) {
+                if (Files.exists(pathToUse)) {
                     result = readAll(pathToUse);
                 } else {
                     String url = file;
@@ -206,18 +207,18 @@ public static String readExternalRef(String file, RefFormat refFormat, List<Auth
                     }
                     final Path pathToUse2 = parentDirectory.resolve(url).normalize();
 
-                    if(Files.exists(pathToUse2)) {
+                    if (Files.exists(pathToUse2)) {
                         result = readAll(pathToUse2);
                     }
                 }
-                if (result == null){
+                if (result == null) {
                     result = ClasspathHelper.loadFileFromClasspath(file);
                 }
 
 
             }
         } catch (Exception e) {
-            throw new RuntimeException("Unable to load " + refFormat + " ref: " + file + " path: "+parentDirectory, e);
+            throw new RuntimeException("Unable to load " + refFormat + " ref: " + file + " path: " + parentDirectory, e);
         }
 
         return result;