resovle host to all ips and check against the deny list

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>

notifications/core-spi/src/main/kotlin/org/opensearch/notifications/spi/utils/ValidationHelpers.kt

@@ -49,13 +49,32 @@ fun isValidUrl(urlString: String): Boolean {
     }
 }
 
+"foobar.com"
+
+
+
 fun isHostInDenylist(urlString: String, hostDenyList: List<String>): Boolean {
     val url = URL(urlString)
     if (url.host != null) {
-        val ipStr = IPAddressString(InetAddress.getByName(url.host).hostAddress)
+        val resolvedIps = InetAddress.getAllByName(url.host);
+        val resolvedIpStrings = resolvedIps.map { inetAddress -> IPAddressString(inetAddress.hostAddress) }
+        val hostStr = HostName(url.host)
+
         for (network in hostDenyList) {
-            val netStr = IPAddressString(network)
-            if (netStr.contains(ipStr)) {
+            val denyIpStr = IPAddressString(network)
+            val denyHostStr = HostName(network)
+            val hostInDenyList = denyHostStr.equals(hostStr);
+            var ipInDenyList = false;
+
+            for (ipStr in resolvedIpStrings) {
+                if (denyIpStr.contains(ipStr)) {
+                    ipInDenyList = true;
+                    break;
+                }
+            }
+
+            if (hostInDenyList || ipInDenyList) {
+                LogManager.getLogger().error("${url.host} is denied")
                 return true
             }
         }

notifications/core/src/main/kotlin/org/opensearch/notifications/core/utils/ValidationHelpers.kt

@@ -12,6 +12,7 @@ import org.apache.hc.client5.http.classic.methods.HttpPost
 import org.apache.hc.client5.http.classic.methods.HttpPut
 import org.apache.logging.log4j.LogManager
 import org.opensearch.core.common.Strings
+import java.net.InetAddress
 import java.net.URL
 
 fun validateUrl(urlString: String) {
@@ -38,12 +39,24 @@ fun isValidUrl(urlString: String): Boolean {
 fun isHostInDenylist(urlString: String, hostDenyList: List<String>): Boolean {
     val url = URL(urlString)
     if (url.host != null) {
-        val ipStr = IPAddressString(url.host)
+        val resolvedIps = InetAddress.getAllByName(url.host);
+        val resolvedIpStrings = resolvedIps.map { inetAddress -> IPAddressString(inetAddress.hostAddress) }
         val hostStr = HostName(url.host)
+
         for (network in hostDenyList) {
             val denyIpStr = IPAddressString(network)
             val denyHostStr = HostName(network)
-            if (denyIpStr.contains(ipStr) || denyHostStr.equals(hostStr)) {
+            val hostInDenyList = denyHostStr.equals(hostStr);
+            var ipInDenyList = false;
+
+            for (ipStr in resolvedIpStrings) {
+                if (denyIpStr.contains(ipStr)) {
+                    ipInDenyList = true;
+                    break;
+                }
+            }
+
+            if (hostInDenyList || ipInDenyList) {
                 LogManager.getLogger().error("${url.host} is denied")
                 return true
             }

notifications/core/src/test/kotlin/org/opensearch/notifications/core/utils/ValidationHelpersTests.kt

@@ -44,4 +44,16 @@ internal class ValidationHelpersTests {
             assertEquals(false, isHostInDenylist("https://$url", hostDenyList), "address $url was not supposed to be identified as in the deny list, but was")
         }
     }
+
+    @Test
+    fun `test hostname gets resolved to ip for denylist`() {
+        val invalidHost = "invalid.com"
+        mockkStatic(InetAddress::class)
+        every { InetAddress.getByName(invalidHost).hostAddress } returns "10.0.0.1" // 10.0.0.0/8
+        assertEquals(true, isHostInDenylist("https://$invalidHost", hostDenyList))
+
+        val validHost = "valid.com"
+        every { InetAddress.getByName(validHost).hostAddress } returns "174.12.0.0"
+        assertEquals(false, isHostInDenylist("https://$validHost", hostDenyList))
+    }
 }