diff --git a/notifications/core-spi/src/main/kotlin/org/opensearch/notifications/spi/utils/ValidationHelpers.kt b/notifications/core-spi/src/main/kotlin/org/opensearch/notifications/spi/utils/ValidationHelpers.kt
index 4cdaab82..1463b5f3 100644
--- a/notifications/core-spi/src/main/kotlin/org/opensearch/notifications/spi/utils/ValidationHelpers.kt
+++ b/notifications/core-spi/src/main/kotlin/org/opensearch/notifications/spi/utils/ValidationHelpers.kt
@@ -49,13 +49,32 @@ fun isValidUrl(urlString: String): Boolean {
 }
 }
+"foobar.com"
+
+
+
 fun isHostInDenylist(urlString: String, hostDenyList: List): Boolean {
 val url = URL(urlString)
 if (url.host != null) {
- val ipStr = IPAddressString(InetAddress.getByName(url.host).hostAddress)
+ val resolvedIps = InetAddress.getAllByName(url.host);
+ val resolvedIpStrings = resolvedIps.map { inetAddress -> IPAddressString(inetAddress.hostAddress) }
+ val hostStr = HostName(url.host)
+
 for (network in hostDenyList) {
- val netStr = IPAddressString(network)
- if (netStr.contains(ipStr)) {
+ val denyIpStr = IPAddressString(network)
+ val denyHostStr = HostName(network)
+ val hostInDenyList = denyHostStr.equals(hostStr);
+ var ipInDenyList = false;
+
+ for (ipStr in resolvedIpStrings) {
+ if (denyIpStr.contains(ipStr)) {
+ ipInDenyList = true;
+ break;
+ }
+ }
+
+ if (hostInDenyList || ipInDenyList) {
+ LogManager.getLogger().error("${url.host} is denied")
 return true
 }
 }
diff --git a/notifications/core/src/main/kotlin/org/opensearch/notifications/core/utils/ValidationHelpers.kt b/notifications/core/src/main/kotlin/org/opensearch/notifications/core/utils/ValidationHelpers.kt
index 720f57b4..59e9a63b 100644
--- a/notifications/core/src/main/kotlin/org/opensearch/notifications/core/utils/ValidationHelpers.kt
+++ b/notifications/core/src/main/kotlin/org/opensearch/notifications/core/utils/ValidationHelpers.kt
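Review bot: The added `"foobar.com"` line and the three blank lines above `isHostInDenylist` in the core-spi file look like leftover scratch text; a bare string literal at file top level is not a declaration, so the file should not compile as shown and those four added lines should be dropped. The same hunk starts using `HostName` and `LogManager`, while the diff carries no import hunk for this file, so confirm both are already imported there. `isHostInDenylist` continues past the end of the hunk.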
@@ -12,6 +12,7 @@ import org.apache.hc.client5.http.classic.methods.HttpPost
 import org.apache.hc.client5.http.classic.methods.HttpPut
 import org.apache.logging.log4j.LogManager
 import org.opensearch.core.common.Strings
+import java.net.InetAddress
 import java.net.URL
 fun validateUrl(urlString: String) {
@@ -38,12 +39,24 @@ fun isValidUrl(urlString: String): Boolean {
 fun isHostInDenylist(urlString: String, hostDenyList: List): Boolean {
 val url = URL(urlString)
 if (url.host != null) {
- val ipStr = IPAddressString(url.host)
+ val resolvedIps = InetAddress.getAllByName(url.host);
+ val resolvedIpStrings = resolvedIps.map { inetAddress -> IPAddressString(inetAddress.hostAddress) }
 val hostStr = HostName(url.host)
+
 for (network in hostDenyList) {
 val denyIpStr = IPAddressString(network)
 val denyHostStr = HostName(network)
- if (denyIpStr.contains(ipStr) || denyHostStr.equals(hostStr)) {
+ val hostInDenyList = denyHostStr.equals(hostStr);
+ var ipInDenyList = false;
+
+ for (ipStr in resolvedIpStrings) {
+ if (denyIpStr.contains(ipStr)) {
+ ipInDenyList = true;
+ break;
+ }
+ }
+
+ if (hostInDenyList || ipInDenyList) {
 LogManager.getLogger().error("${url.host} is denied")
 return true
 }
diff --git a/notifications/core/src/test/kotlin/org/opensearch/notifications/core/utils/ValidationHelpersTests.kt b/notifications/core/src/test/kotlin/org/opensearch/notifications/core/utils/ValidationHelpersTests.kt
index 848fca8d..9944f6a1 100644
--- a/notifications/core/src/test/kotlin/org/opensearch/notifications/core/utils/ValidationHelpersTests.kt
+++ b/notifications/core/src/test/kotlin/org/opensearch/notifications/core/utils/ValidationHelpersTests.kt
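Review bot: The deny-list decision in `isHostInDenylist` rests on the addresses `InetAddress.getAllByName(url.host)` returns at validation time, and nothing in this hunk ties the later outbound request to those addresses; if the HTTP client resolves the host again when sending, a name whose answer changes in between would still pass, so the check should be repeated at connect time or the validated address pinned for the request. `getAllByName` can also throw `UnknownHostException`, which the replaced `IPAddressString(url.host)` line did not, so the function should document that with a KDoc line such as `@throws UnknownHostException if the host cannot be resolved` and callers should treat it as a denial rather than a pass. The inner loop reads more directly as `val ipInDenyList = resolvedIpStrings.any { denyIpStr.contains(it) }`, which also removes the `var` and the semicolons. The core-spi copy of this function in the first file has the same shape and the same points apply there. The function body continues past the end of the hunk.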
@@ -44,4 +44,16 @@ internal class ValidationHelpersTests {
 assertEquals(false, isHostInDenylist("https://$url", hostDenyList), "address $url was not supposed to be identified as in the deny list, but was")
 }
 }
+
+ @Test
+ fun `test hostname gets resolved to ip for denylist`() {
+ val invalidHost = "invalid.com"
+ mockkStatic(InetAddress::class)
+ every { InetAddress.getByName(invalidHost).hostAddress } returns "10.0.0.1" // 10.0.0.0/8
+ assertEquals(true, isHostInDenylist("https://$invalidHost", hostDenyList))
+
+ val validHost = "valid.com"
+ every { InetAddress.getByName(validHost).hostAddress } returns "174.12.0.0"
+ assertEquals(false, isHostInDenylist("https://$validHost", hostDenyList))
+ }
 }
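Review bot: The new test stubs `InetAddress.getByName(...)`, but the patched `isHostInDenylist` now calls `InetAddress.getAllByName(url.host)`, so the stubs do not appear to be on the code path and both assertions would depend on whatever real DNS returns for `invalid.com` and `valid.com`. Stub the call the code actually makes, `every { InetAddress.getAllByName(invalidHost) } returns ...` with a one-element array whose `hostAddress` is `10.0.0.1`, and likewise for `validHost`. A third case where the name resolves to several addresses and only one falls inside a denied range would cover the behaviour this commit adds. `mockkStatic(InetAddress::class)` is never undone, so add `unmockkStatic(InetAddress::class)` in a `finally` or an after-each hook to keep the static mock from leaking into other tests. The imports for `mockkStatic`, `every` and `InetAddress` are not part of this hunk; confirm the test file has them.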