disable local and redirect url, add config

Dockerfile

@@ -7,7 +7,9 @@ COPY target/*.war /validator/server.war
 COPY src/main/swagger/swagger.yaml /validator/
 COPY inflector.yaml /validator/
 
+ENV REJECT_REDIRECT "true"
+ENV REJECT_LOCAL "true"
 EXPOSE 8080
 
-CMD ["java", "-jar", "-DswaggerUrl=swagger.yaml", "/validator/jetty-runner.jar", "/validator/server.war"]
+CMD java -jar -DswaggerUrl=swagger.yaml -DrejectLocal=${REJECT_LOCAL} -DrejectRedirect=${REJECT_REDIRECT} /validator/jetty-runner.jar /validator/server.war
 

README.md

@@ -13,6 +13,16 @@ docker pull swaggerapi/swagger-validator-v2:v2.0.1
 docker run -it -p 8080:8080 --name swagger-validator-v2 swaggerapi/swagger-validator-v2:v2.0.1
 ```
 
+Since version `2.0.2` local and non http/https urls are rejected by default, along with redirects; this is controllable with docker env variables / java system properties:
+
+```
+docker run -it -p 8080:8080 -e "REJECT_LOCAL=false" -e "REJECT_REDIRECT=false" --name swagger-validator-v2 swaggerapi/swagger-validator-v2:v2.0.1
+```
+
+In non docker environments, system properties `rejectLocal` and `rejectRedirect` can be used.
+
+
+
 Web UI is reachable at http://localhost:8080/index.html and OpenAPI spec at http://localhost:8080/validator/openapi.json
 
 

pom.xml

@@ -52,6 +52,10 @@
                 <version>${surefire-version}</version>
                 <configuration>
                     <testNGArtifactName>none:none</testNGArtifactName>
+                    <systemPropertyVariables>
+                        <rejectLocal>false</rejectLocal>
+                        <rejectRedirect>false</rejectRedirect>
+                    </systemPropertyVariables>
                 </configuration>
                 <executions>
                     <execution>
@@ -240,7 +244,6 @@
         </repository>
     </repositories>
     <properties>
-
         <testng-version>6.9.6</testng-version>
         <jackson.version>2.9.10</jackson.version>
         <httpclient-version>4.5.1</httpclient-version>

src/main/java/io/swagger/handler/ValidatorController.java

@@ -30,6 +30,7 @@
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.http.ssl.TrustStrategy;
@@ -43,6 +44,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.net.InetAddress;
+import java.net.URL;
 import java.security.KeyManagementException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
@@ -70,6 +73,9 @@ public class ValidatorController{
     private JsonSchema schemaV2;
     private JsonSchema schemaV3;
 
+    static boolean rejectLocal = StringUtils.isBlank(System.getProperty("rejectLocal")) ? true : Boolean.parseBoolean(System.getProperty("rejectLocal"));
+    static boolean rejectRedirect = StringUtils.isBlank(System.getProperty("rejectRedirect")) ? true : Boolean.parseBoolean(System.getProperty("rejectRedirect"));
+
     public ResponseContext validateByUrl(RequestContext request , String url) {
 
         if(url == null) {
@@ -238,7 +244,7 @@ public ValidationResponse debugByUrl( RequestContext request, String url) throws
 
         // read the spec contents, bail if it fails
         try {
-            content = getUrlContents(url);
+            content = getUrlContents(url, ValidatorController.rejectLocal, ValidatorController.rejectRedirect);
         } catch (Exception e) {
             ProcessingMessage pm = new ProcessingMessage();
             pm.setLogLevel(LogLevel.ERROR);
@@ -394,7 +400,7 @@ private JsonSchema resolveJsonSchema(String schemaAsString, boolean removeId) th
         return factory.getJsonSchema(schemaObject);
 
     }
-    private CloseableHttpClient getCarelessHttpClient() {
+    private CloseableHttpClient getCarelessHttpClient(boolean disableRedirect) {
         CloseableHttpClient httpClient = null;
 
         try {
@@ -405,10 +411,13 @@ public boolean isTrusted(X509Certificate[] chain, String authType) throws Certif
                 }
             });
             SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(builder.build(), NoopHostnameVerifier.INSTANCE);
-            httpClient = HttpClients
+            HttpClientBuilder httpClientBuilder = HttpClients
                     .custom()
-                    .setSSLSocketFactory(sslsf)
-                    .build();
+                    .setSSLSocketFactory(sslsf);
+            if (disableRedirect) {
+                httpClientBuilder.disableRedirectHandling();
+            }
+            httpClient = httpClientBuilder.build();
         } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
             LOGGER.error("can't disable SSL verification", e);
         }
@@ -417,9 +426,18 @@ public boolean isTrusted(X509Certificate[] chain, String authType) throws Certif
     }
 
     private String getUrlContents(String urlString) throws IOException {
+        return getUrlContents(urlString, false, false);
+    }
+    private String getUrlContents(String urlString, boolean rejectLocal, boolean rejectRedirect) throws IOException {
         LOGGER.trace("fetching URL contents");
-
-        final CloseableHttpClient httpClient = getCarelessHttpClient();
+        URL url = new URL(urlString);
+        if(rejectLocal) {
+            InetAddress inetAddress = InetAddress.getByName(url.getHost());
+            if(inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress() || inetAddress.isLinkLocalAddress()) {
+                throw new IOException("Only accepts http/https protocol");
+            }
+        }
+        final CloseableHttpClient httpClient = getCarelessHttpClient(rejectRedirect);
 
         RequestConfig.Builder requestBuilder = RequestConfig.custom();
         requestBuilder = requestBuilder