fix: disallow SSRF via remote $ref

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/ResolverCache.java

@@ -21,9 +21,9 @@
 import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
 import io.swagger.v3.parser.urlresolver.exceptions.HostDeniedException;
 import io.swagger.v3.parser.util.DeserializationUtils;
+import io.swagger.v3.parser.util.OpenAPIDeserializer;
 import io.swagger.v3.parser.util.PathUtils;
 import io.swagger.v3.parser.util.RefUtils;
-import io.swagger.v3.parser.util.OpenAPIDeserializer;
 import org.apache.commons.lang3.StringUtils;
 
 import java.io.File;
@@ -72,6 +72,7 @@ public class ResolverCache {
     private Set<String> resolveValidationMessages;
     private final ParseOptions parseOptions;
     protected boolean openapi31;
+    private final PermittedUrlsChecker permittedUrlsChecker;
 
     /*
      * a map that stores original external references, and their associated renamed
@@ -94,6 +95,7 @@ public ResolverCache(OpenAPI openApi, List<AuthorizationValue> auths, String par
         this.rootPath = parentFileLocation;
         this.resolveValidationMessages = resolveValidationMessages;
         this.parseOptions = parseOptions;
+        this.permittedUrlsChecker = new PermittedUrlsChecker(parseOptions.getRemoteRefAllowList(), parseOptions.getRemoteRefBlockList());
 
         if(parentFileLocation != null) {
             if(parentFileLocation.startsWith("http") || parentFileLocation.startsWith("jar")) {
@@ -153,13 +155,13 @@ public <T> T loadRef(String ref, RefFormat refFormat, Class<T> expectedType) {
             }
 
             if(parentDirectory != null) {
-                contents = RefUtils.readExternalRef(file, refFormat, auths, parentDirectory);
+                contents = RefUtils.readExternalRef(file, refFormat, auths, parentDirectory, permittedUrlsChecker);
             }
             else if(rootPath != null && rootPath.startsWith("http")) {
-                contents = RefUtils.readExternalUrlRef(file, refFormat, auths, rootPath);
+                contents = RefUtils.readExternalUrlRef(file, refFormat, auths, rootPath, permittedUrlsChecker);
             }
             else if (rootPath != null) {
-                contents = RefUtils.readExternalClasspathRef(file, refFormat, auths, rootPath);
+                contents = RefUtils.readExternalClasspathRef(file, refFormat, auths, rootPath, permittedUrlsChecker);
 
             }
             externalFileCache.put(file, contents);
@@ -382,9 +384,6 @@ private Object getFromMap(String ref, Map map, Pattern pattern) {
 
     protected void checkUrlIsPermitted(String refSet) {
         try {
-            PermittedUrlsChecker permittedUrlsChecker = new PermittedUrlsChecker(parseOptions.getRemoteRefAllowList(),
-                    parseOptions.getRemoteRefBlockList());
-
             permittedUrlsChecker.verify(refSet);
         } catch (HostDeniedException e) {
             throw new RuntimeException(e.getMessage());

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/ReferenceVisitor.java

@@ -15,7 +15,6 @@
 import io.swagger.v3.oas.models.security.SecurityScheme;
 import io.swagger.v3.parser.core.models.AuthorizationValue;
 import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
-import io.swagger.v3.parser.urlresolver.exceptions.HostDeniedException;
 import io.swagger.v3.parser.util.RemoteUrl;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.LoggerFactory;
@@ -35,6 +34,7 @@ public class ReferenceVisitor extends AbstractVisitor {
     protected OpenAPI31Traverser openAPITraverser;
     protected Reference reference;
     protected DereferencerContext context;
+    private PermittedUrlsChecker permittedUrlsChecker;
 
     public ReferenceVisitor(
             Reference reference,
@@ -59,6 +59,8 @@ public ReferenceVisitor(
         this.visited = visited;
         this.visitedMap = visitedMap;
         this.context = context;
+        this.permittedUrlsChecker = new PermittedUrlsChecker(context.getParseOptions().getRemoteRefAllowList(),
+                context.getParseOptions().getRemoteRefBlockList());
     }
 
     public String toBaseURI(String uri) throws Exception{
@@ -83,7 +85,7 @@ public Reference toReference(String uri) throws Exception{
         return ref;
     }
 
-    public Reference toSchemaReference(String baseUri, JsonNode node) throws Exception{
+    public Reference toSchemaReference(String baseUri, JsonNode node) {
         Map<String, Reference> referenceSet = this.reference.getReferenceSet();
         if (referenceSet.containsKey(baseUri)) {
             return referenceSet.get(baseUri);
@@ -193,20 +195,21 @@ public Header visitHeader(Header header){
     }
 
     @Override
-    public String readHttp(String uri, List<AuthorizationValue> auths) throws Exception {
+    public String readHttp(String uri, List<AuthorizationValue> auths, PermittedUrlsChecker permittedUrlsChecker) throws Exception {
         if(context.getParseOptions().isSafelyResolveURL()){
-            checkUrlIsPermitted(uri);
+            permittedUrlsChecker.verify(uri);
+            return RemoteUrl.urlToString(uri, auths, permittedUrlsChecker);
         }
         return RemoteUrl.urlToString(uri, auths);
     }
 
     public<T> T resolveRef(T visiting, String ref, Class<T> clazz, BiFunction<T, ReferenceVisitor, T> traverseFunction){
         try {
-            Reference reference = toReference(ref);
+            Reference referenceObject = toReference(ref);
             String fragment = ReferenceUtils.getFragment(ref);
-            JsonNode node = ReferenceUtils.jsonPointerEvaluate(fragment, reference.getJsonNode(), ref);
-            T resolved = openAPITraverser.deserializeFragment(node, clazz, ref, fragment, reference.getMessages());
-            ReferenceVisitor visitor = new ReferenceVisitor(reference, openAPITraverser, this.visited, this.visitedMap, context);
+            JsonNode node = ReferenceUtils.jsonPointerEvaluate(fragment, referenceObject.getJsonNode(), ref);
+            T resolved = openAPITraverser.deserializeFragment(node, clazz, ref, fragment, referenceObject.getMessages());
+            ReferenceVisitor visitor = new ReferenceVisitor(referenceObject, openAPITraverser, this.visited, this.visitedMap, context);
             return traverseFunction.apply(resolved, visitor);
 
         } catch (Exception e) {
@@ -226,39 +229,39 @@ public Schema resolveSchemaRef(Schema visiting, String ref, List<String> inherit
             }
             baseURI = ReferenceUtils.resolve(ref, baseURI);
             baseURI = ReferenceUtils.toBaseURI(baseURI);
-            Reference reference = null;
+            Reference referenceObject;
             boolean isAnchor = false;
             if (this.reference.getReferenceSet().containsKey(baseURI)) {
-                reference = this.reference.getReferenceSet().get(baseURI);
+                referenceObject = this.reference.getReferenceSet().get(baseURI);
             }
             else {
-                JsonNode node = null;
+                JsonNode node;
                 try {
                     node = parse(baseURI, this.reference.getAuths());
                 } catch (Exception e) {
                     // we can not parse, try ref
                     baseURI = toBaseURI(ref);
                     node = parse(baseURI, this.reference.getAuths());
                 }
-                reference = toSchemaReference(baseURI, node);
+                referenceObject = toSchemaReference(baseURI, node);
             }
             String fragment = ReferenceUtils.getFragment(ref);
-            JsonNode evaluatedNode = null;
+            JsonNode evaluatedNode;
             try {
-                evaluatedNode = ReferenceUtils.jsonPointerEvaluate(fragment, reference.getJsonNode(), ref);
+                evaluatedNode = ReferenceUtils.jsonPointerEvaluate(fragment, referenceObject.getJsonNode(), ref);
             } catch (RuntimeException e) {
                 // maybe anchor
-                evaluatedNode = findAnchor(reference.getJsonNode(), fragment);
+                evaluatedNode = findAnchor(referenceObject.getJsonNode(), fragment);
                 if (evaluatedNode == null) {
                     throw new RuntimeException("Could not find " + fragment + " in contents of " + ref);
                 }
                 isAnchor = true;
             }
-            Schema resolved = openAPITraverser.deserializeFragment(evaluatedNode, Schema.class, ref, fragment, reference.getMessages());
+            Schema resolved = openAPITraverser.deserializeFragment(evaluatedNode, Schema.class, ref, fragment, referenceObject.getMessages());
             if (isAnchor) {
                 resolved.$anchor(null);
             }
-            ReferenceVisitor visitor = new ReferenceVisitor(reference, openAPITraverser, this.visited, this.visitedMap, context);
+            ReferenceVisitor visitor = new ReferenceVisitor(referenceObject, openAPITraverser, this.visited, this.visitedMap, context);
             return openAPITraverser.traverseSchema(resolved, visitor, inheritedIds);
         } catch (Exception e) {
             LOGGER.error("Error resolving schema " + ref, e);
@@ -313,13 +316,6 @@ public JsonNode parse(String absoluteUri, List<AuthorizationValue> auths) throws
             }
         }
 
-        return deserializeIntoTree(readURI(absoluteUri, auths));
-    }
-
-    protected void checkUrlIsPermitted(String refSet) throws HostDeniedException {
-        PermittedUrlsChecker permittedUrlsChecker = new PermittedUrlsChecker(context.getParseOptions().getRemoteRefAllowList(),
-                context.getParseOptions().getRemoteRefBlockList());
-
-        permittedUrlsChecker.verify(refSet);
+        return deserializeIntoTree(readURI(absoluteUri, auths, permittedUrlsChecker));
     }
 }

modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/Visitor.java

@@ -17,6 +17,7 @@
 import io.swagger.v3.oas.models.responses.ApiResponses;
 import io.swagger.v3.oas.models.security.SecurityScheme;
 import io.swagger.v3.parser.core.models.AuthorizationValue;
+import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
 import io.swagger.v3.parser.util.ClasspathHelper;
 import io.swagger.v3.parser.util.RemoteUrl;
 import org.apache.commons.io.IOUtils;
@@ -68,18 +69,18 @@ default String readFile(String path) throws Exception {
         }
     }
 
-    default String readClasspath(String classPath) throws Exception {
+    default String readClasspath(String classPath) {
         return ClasspathHelper.loadFileFromClasspath(classPath);
     }
-    default String readHttp(String uri, List<AuthorizationValue> auths) throws Exception {
-        return RemoteUrl.urlToString(uri, auths);
+    default String readHttp(String uri, List<AuthorizationValue> auths, PermittedUrlsChecker permittedUrlsChecker) throws Exception {
+        return RemoteUrl.urlToString(uri, auths, permittedUrlsChecker);
     }
 
-    default String readURI(String absoluteUri, List<AuthorizationValue> auths) throws Exception {
+    default String readURI(String absoluteUri, List<AuthorizationValue> auths, PermittedUrlsChecker permittedUrlsChecker) throws Exception {
         URI resolved = new URI(absoluteUri);
         if (StringUtils.isNotBlank(resolved.getScheme())) {
             if (resolved.getScheme().startsWith("http")) {
-                return readHttp(absoluteUri, auths);
+                return readHttp(absoluteUri, auths, permittedUrlsChecker);
             } else if (resolved.getScheme().startsWith("file")) {
                 return readFile(resolved.getPath());
             } else if (resolved.getScheme().startsWith("classpath")) {