fix: after review

Author: daniel-kmiecik

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/ReferenceVisitor.java

@@ -15,7 +15,6 @@
 import io.swagger.v3.oas.models.security.SecurityScheme;
 import io.swagger.v3.parser.core.models.AuthorizationValue;
 import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
-import io.swagger.v3.parser.urlresolver.exceptions.HostDeniedException;
 import io.swagger.v3.parser.util.RemoteUrl;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.LoggerFactory;
@@ -86,7 +85,7 @@ public Reference toReference(String uri) throws Exception{
         return ref;
     }
 
-    public Reference toSchemaReference(String baseUri, JsonNode node) throws Exception{
+    public Reference toSchemaReference(String baseUri, JsonNode node) {
         Map<String, Reference> referenceSet = this.reference.getReferenceSet();
         if (referenceSet.containsKey(baseUri)) {
             return referenceSet.get(baseUri);
@@ -199,17 +198,18 @@ public Header visitHeader(Header header){
     public String readHttp(String uri, List<AuthorizationValue> auths, PermittedUrlsChecker permittedUrlsChecker) throws Exception {
         if(context.getParseOptions().isSafelyResolveURL()){
             permittedUrlsChecker.verify(uri);
+            return RemoteUrl.urlToString(uri, auths, permittedUrlsChecker);
         }
-        return RemoteUrl.urlToString(uri, auths, permittedUrlsChecker);
+        return RemoteUrl.urlToString(uri, auths);
     }
 
     public<T> T resolveRef(T visiting, String ref, Class<T> clazz, BiFunction<T, ReferenceVisitor, T> traverseFunction){
         try {
-            Reference reference = toReference(ref);
+            Reference referenceObject = toReference(ref);
             String fragment = ReferenceUtils.getFragment(ref);
-            JsonNode node = ReferenceUtils.jsonPointerEvaluate(fragment, reference.getJsonNode(), ref);
-            T resolved = openAPITraverser.deserializeFragment(node, clazz, ref, fragment, reference.getMessages());
-            ReferenceVisitor visitor = new ReferenceVisitor(reference, openAPITraverser, this.visited, this.visitedMap, context);
+            JsonNode node = ReferenceUtils.jsonPointerEvaluate(fragment, referenceObject.getJsonNode(), ref);
+            T resolved = openAPITraverser.deserializeFragment(node, clazz, ref, fragment, referenceObject.getMessages());
+            ReferenceVisitor visitor = new ReferenceVisitor(referenceObject, openAPITraverser, this.visited, this.visitedMap, context);
             return traverseFunction.apply(resolved, visitor);
 
         } catch (Exception e) {
@@ -229,39 +229,39 @@ public Schema resolveSchemaRef(Schema visiting, String ref, List<String> inherit
             }
             baseURI = ReferenceUtils.resolve(ref, baseURI);
             baseURI = ReferenceUtils.toBaseURI(baseURI);
-            Reference reference = null;
+            Reference referenceObject;
             boolean isAnchor = false;
             if (this.reference.getReferenceSet().containsKey(baseURI)) {
-                reference = this.reference.getReferenceSet().get(baseURI);
+                referenceObject = this.reference.getReferenceSet().get(baseURI);
             }
             else {
-                JsonNode node = null;
+                JsonNode node;
                 try {
                     node = parse(baseURI, this.reference.getAuths());
                 } catch (Exception e) {
                     // we can not parse, try ref
                     baseURI = toBaseURI(ref);
                     node = parse(baseURI, this.reference.getAuths());
                 }
-                reference = toSchemaReference(baseURI, node);
+                referenceObject = toSchemaReference(baseURI, node);
             }
             String fragment = ReferenceUtils.getFragment(ref);
-            JsonNode evaluatedNode = null;
+            JsonNode evaluatedNode;
             try {
-                evaluatedNode = ReferenceUtils.jsonPointerEvaluate(fragment, reference.getJsonNode(), ref);
+                evaluatedNode = ReferenceUtils.jsonPointerEvaluate(fragment, referenceObject.getJsonNode(), ref);
             } catch (RuntimeException e) {
                 // maybe anchor
-                evaluatedNode = findAnchor(reference.getJsonNode(), fragment);
+                evaluatedNode = findAnchor(referenceObject.getJsonNode(), fragment);
                 if (evaluatedNode == null) {
                     throw new RuntimeException("Could not find " + fragment + " in contents of " + ref);
                 }
                 isAnchor = true;
             }
-            Schema resolved = openAPITraverser.deserializeFragment(evaluatedNode, Schema.class, ref, fragment, reference.getMessages());
+            Schema resolved = openAPITraverser.deserializeFragment(evaluatedNode, Schema.class, ref, fragment, referenceObject.getMessages());
             if (isAnchor) {
                 resolved.$anchor(null);
             }
-            ReferenceVisitor visitor = new ReferenceVisitor(reference, openAPITraverser, this.visited, this.visitedMap, context);
+            ReferenceVisitor visitor = new ReferenceVisitor(referenceObject, openAPITraverser, this.visited, this.visitedMap, context);
             return openAPITraverser.traverseSchema(resolved, visitor, inheritedIds);
         } catch (Exception e) {
             LOGGER.error("Error resolving schema " + ref, e);

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/RemoteUrl.java

@@ -84,13 +84,9 @@ public void checkServerTrusted(X509Certificate[] certs, String authType) {
                 LOGGER.error("Not Supported", e);
             }
         }
-        return new ConnectionConfigurator() {
-
-            @Override
-            public void process(URLConnection connection) {
-                connection.setConnectTimeout(CONNECTION_TIMEOUT);
-                connection.setReadTimeout(READ_TIMEOUT);
-            }
+        return connection -> {
+            connection.setConnectTimeout(CONNECTION_TIMEOUT);
+            connection.setReadTimeout(READ_TIMEOUT);
         };
     }
 
@@ -121,17 +117,7 @@ public static String urlToString(String url, List<AuthorizationValue> auths, Per
                 final URL inUrl = new URL(cleanUrl(url));
                 final List<AuthorizationValue> query = new ArrayList<>();
                 final List<AuthorizationValue> header = new ArrayList<>();
-                if (auths != null && !auths.isEmpty()) {
-                    for (AuthorizationValue auth : auths) {
-                        if (auth.getUrlMatcher() != null && auth.getUrlMatcher().test(inUrl)) {
-                            if ("query".equals(auth.getType())) {
-                                appendValue(inUrl, auth, query);
-                            } else if ("header".equals(auth.getType())) {
-                                appendValue(inUrl, auth, header);
-                            }
-                        }
-                    }
-                }
+                filterAndAssignAuthValues(auths, inUrl, query, header);
                 conn = prepareConnection(query, inUrl);
                 CONNECTION_CONFIGURATOR.process(conn);
                 setRequestHeaders(header, conn);
@@ -161,6 +147,20 @@ public static String urlToString(String url, List<AuthorizationValue> auths, Per
         }
     }
 
+    private static void filterAndAssignAuthValues(List<AuthorizationValue> auths, URL inUrl, List<AuthorizationValue> query, List<AuthorizationValue> header) {
+        if (auths != null && !auths.isEmpty()) {
+            for (AuthorizationValue auth : auths) {
+                if (auth.getUrlMatcher() != null && auth.getUrlMatcher().test(inUrl)) {
+                    if ("query".equals(auth.getType())) {
+                        appendValue(inUrl, auth, query);
+                    } else if ("header".equals(auth.getType())) {
+                        appendValue(inUrl, auth, header);
+                    }
+                }
+            }
+        }
+    }
+
     private static String readResponse(URLConnection conn) throws IOException {
 
         try (InputStream in = conn.getInputStream();
@@ -209,15 +209,13 @@ private static URLConnection prepareConnection(List<AuthorizationValue> query, U
 
     private static boolean isRedirect(HttpURLConnection conn) throws IOException {
         int code = conn.getResponseCode();
-        return code == 301 || code == 302 || code == 307 || code == 308;
+        return code == 301 || code == 302 || code == 303 || code == 307 || code == 308;
     }
 
     private static void appendValue(URL url, AuthorizationValue value, Collection<AuthorizationValue> to) {
-        if (value instanceof ManagedValue) {
-            if (!((ManagedValue) value).process(url)) {
+        if (value instanceof ManagedValue && !((ManagedValue) value).process(url)) {
                 return;
             }
-        }
         to.add(value);
     }
 

modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/util/PermittedUrlsCheckerAllowLocal.java

@@ -0,0 +1,13 @@
+package io.swagger.v3.parser.util;
+
+import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
+
+import java.net.InetAddress;
+
+class PermittedUrlsCheckerAllowLocal extends PermittedUrlsChecker {
+    @Override
+    protected boolean isRestrictedIpRange(InetAddress ip) {
+        // Allow all IPs for testing purposes
+        return false;
+    }
+}

modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/util/RemoteUrlTest.java

@@ -2,16 +2,19 @@
 
 import com.github.tomakehurst.wiremock.WireMockServer;
 import com.github.tomakehurst.wiremock.client.WireMock;
+import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
 import com.github.tomakehurst.wiremock.verification.LoggedRequest;
 import io.swagger.v3.parser.core.models.AuthorizationValue;
+import io.swagger.v3.parser.urlresolver.exceptions.HostDeniedException;
 import org.testng.annotations.AfterMethod;
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.Test;
 
 import javax.net.ssl.HttpsURLConnection;
+import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.net.URL;
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 
 import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
@@ -35,15 +38,21 @@ public class RemoteUrlTest {
 
 
     @AfterMethod
-    public void tearDown() throws Exception {
+    public void tearDown() {
         wireMockServer.stop();
     }
 
     @BeforeMethod
-    public void setUp() throws Exception {
-        wireMockServer = new WireMockServer(WIRE_MOCK_PORT);
+    public void setUp() {
+        System.setProperty("io.swagger.v3.parser.util.RemoteUrl.trustAll", "true");
+        wireMockServer = new WireMockServer(
+                WireMockConfiguration.options()
+                        .port(0) // disables HTTP
+                        .httpsPort(WIRE_MOCK_PORT) // enables HTTPS
+        );
         wireMockServer.start();
-        WireMock.configureFor(WIRE_MOCK_PORT);
+        WireMock.configureFor("https", LOCALHOST, WIRE_MOCK_PORT); // Use HTTPS for WireMock
+
     }
 
     @Test
@@ -62,7 +71,7 @@ public void testReadARemoteUrl() throws Exception {
         assertEquals(actualBody, expectedBody);
 
         verify(getRequestedFor(urlEqualTo("/v2/pet/1"))
-            .withHeader("Accept", equalTo(EXPECTED_ACCEPTS_HEADER)));
+                .withHeader("Accept", equalTo(EXPECTED_ACCEPTS_HEADER)));
     }
 
     @Test
@@ -73,13 +82,13 @@ public void testAuthorizationHeader() throws Exception {
         final String headerName = "Authorization";
         final String headerValue = "foobar";
         final AuthorizationValue authorizationValue = new AuthorizationValue(headerName, headerValue, "header");
-        final String actualBody = RemoteUrl.urlToString(getUrl(), Arrays.asList(authorizationValue));
+        final String actualBody = RemoteUrl.urlToString(getUrl(), Collections.singletonList(authorizationValue));
 
         assertEquals(actualBody, expectedBody);
 
         verify(getRequestedFor(urlEqualTo("/v2/pet/1"))
-                        .withHeader("Accept", equalTo(EXPECTED_ACCEPTS_HEADER))
-                        .withHeader(headerName, equalTo(headerValue))
+                .withHeader("Accept", equalTo(EXPECTED_ACCEPTS_HEADER))
+                .withHeader(headerName, equalTo(headerValue))
         );
     }
 
@@ -91,14 +100,14 @@ public void testAuthorizationHeaderWithMatchingUrl() throws Exception {
         final String headerName = "Authorization";
         final String headerValue = "foobar";
         final AuthorizationValue authorizationValue = new AuthorizationValue(headerName, headerValue, "header",
-            url -> url.toString().startsWith("http://localhost"));
-        final String actualBody = RemoteUrl.urlToString(getUrl(), Arrays.asList(authorizationValue));
+                url -> url.toString().startsWith("https://localhost"));
+        final String actualBody = RemoteUrl.urlToString(getUrl(), Collections.singletonList(authorizationValue));
 
         assertEquals(actualBody, expectedBody);
 
         verify(getRequestedFor(urlEqualTo("/v2/pet/1"))
-                        .withHeader("Accept", equalTo(EXPECTED_ACCEPTS_HEADER))
-                        .withHeader(headerName, equalTo(headerValue))
+                .withHeader("Accept", equalTo(EXPECTED_ACCEPTS_HEADER))
+                .withHeader(headerName, equalTo(headerValue))
         );
     }
 
@@ -110,33 +119,32 @@ public void testAuthorizationHeaderWithNonMatchingUrl() throws Exception {
         final String headerValue = "foobar";
         String authorization = "Authorization";
         final AuthorizationValue authorizationValue = new AuthorizationValue(authorization,
-            headerValue, "header", u -> false);
-        final String actualBody = RemoteUrl.urlToString(getUrl(), Arrays.asList(authorizationValue));
+                headerValue, "header", u -> false);
+        final String actualBody = RemoteUrl.urlToString(getUrl(), Collections.singletonList(authorizationValue));
 
         assertEquals(actualBody, expectedBody);
 
         List<LoggedRequest> requests = WireMock.findAll(getRequestedFor(urlEqualTo("/v2/pet/1")));
-        assertEquals(1, requests.size());
+        assertEquals(requests.size(), 1);
         assertFalse(requests.get(0).containsHeader(authorization));
     }
 
     private String getUrl() {
-        return String.format("http://%s:%d/v2/pet/1", LOCALHOST, WIRE_MOCK_PORT);
+        return String.format("https://%s:%d/v2/pet/1", LOCALHOST, WIRE_MOCK_PORT);
     }
 
     private String setupStub() {
         final String expectedBody = "a really good body";
         stubFor(get(urlEqualTo("/v2/pet/1"))
                 .willReturn(aResponse()
-                    .withBody(expectedBody)
-                    .withHeader("Content-Type", "application/json")
+                        .withBody(expectedBody)
+                        .withHeader("Content-Type", "application/json")
                 ));
         return expectedBody;
     }
 
     @Test
     public void testConnectionTimeoutEnforced() throws Exception {
-        System.setProperty("io.swagger.v3.parser.util.RemoteUrl.trustAll", "true");
         RemoteUrl.ConnectionConfigurator configurator = RemoteUrl.createConnectionConfigurator();
         URL url = new URL("https://10.255.255.1"); // non-routable IP to simulate timeout
         HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
@@ -152,4 +160,62 @@ public void testConnectionTimeoutEnforced() throws Exception {
             assertTrue(duration <= CONNECTION_TIMEOUT + 2000, "Timeout was not enforced properly (took too long)");
         }
     }
+
+    @Test(expectedExceptions = IOException.class)
+    public void testTooManyRedirectsThrowsException() throws Exception {
+        String nextPath = "/redirect";
+        // Chain 6 redirects
+        for (int i = 0; i < 6; i++) {
+            String target = "/redirect" + (i + 1);
+            stubFor(get(urlEqualTo(nextPath))
+                    .willReturn(aResponse()
+                            .withStatus(302)
+                            .withHeader("Location", wireMockServer.baseUrl() + target)));
+            nextPath = target;
+        }
+
+        // Add stub for /redirect6 to return a 200 OK response, but it's not expected to be reached
+        stubFor(get(urlEqualTo(nextPath))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withBody("Final destination")));
+
+        String startUrl = String.format("https://%s:%d/redirect", LOCALHOST, WIRE_MOCK_PORT);
+
+        try {
+            RemoteUrl.urlToString(startUrl, null, new PermittedUrlsCheckerAllowLocal());
+        } catch (IOException e) {
+            assertTrue(e.getMessage().contains("Too many redirects"));
+            throw e;
+        }
+    }
+
+    @Test(expectedExceptions = HostDeniedException.class)
+    public void testRedirectWithForbiddenProtocolThrowsException() throws Exception {
+        String nextPath = "/redirect";
+        // Chain 6 redirects
+        for (int i = 0; i < 3; i++) {
+            String target = "/redirect" + (i + 1);
+            stubFor(get(urlEqualTo(nextPath))
+                    .willReturn(aResponse()
+                            .withStatus(302)
+                            .withHeader("Location", "ftp://localhost/" + target)));
+            nextPath = target;
+        }
+
+        // Add stub for /redirect6 to return a 200 OK response, but it's not expected to be reached
+        stubFor(get(urlEqualTo(nextPath))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withBody("Final destination")));
+
+        String startUrl = String.format("https://%s:%d/redirect", LOCALHOST, WIRE_MOCK_PORT);
+
+        try {
+            RemoteUrl.urlToString(startUrl, null, new PermittedUrlsCheckerAllowLocal());
+        } catch (IOException e) {
+            assertTrue(e.getMessage().contains("Too many redirects"));
+            throw e;
+        }
+    }
 }

pom.xml

@@ -55,20 +55,13 @@
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>${surefire-version}</version>
                 <dependencies>
-                    <!--dependency>
-                        <groupId>org.apache.maven.surefire</groupId>
-                        <artifactId>surefire-junit4</artifactId>
-                        <version>3.0.0</version>
-                    </dependency>
-                    <dependency>
-                        <groupId>org.apache.maven.surefire</groupId>
-                        <artifactId>surefire-testng</artifactId>
-                        <version>3.1.2</version>
-                    </dependency-->
                 </dependencies>
                 <configuration>
                     <testNGArtifactName>none:none</testNGArtifactName>
                     <argLine>-javaagent:"${settings.localRepository}"/org/jmockit/jmockit/${jmockit-version}/jmockit-${jmockit-version}.jar --add-opens java.base/java.lang=ALL-UNNAMED -Djdk.attach.allowAttachSelf</argLine>
+                    <systemPropertyVariables>
+                        <io.swagger.v3.parser.util.RemoteUrl.trustAll>true</io.swagger.v3.parser.util.RemoteUrl.trustAll>
+                    </systemPropertyVariables>
                 </configuration>
                 <executions>
                     <execution>