Extracted URLValidator class

Improved its tests

Author: namedgraph

http-tests/admin/packages/install-package-internal-url-400.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# Test SSRF protection: package-uri with link-local address (169.254.0.0/16) should return 400 Bad Request
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$OWNER_CERT_FILE":"$OWNER_CERT_PWD" \
+  -X POST \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data-urlencode "package-uri=http://169.254.1.1/package#this" \
+  "${ADMIN_BASE_URL}packages/install" \
+| grep -q "$STATUS_BAD_REQUEST"
+
+# Test SSRF protection: package-uri with private class A address (10.0.0.0/8) should return 400 Bad Request
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$OWNER_CERT_FILE":"$OWNER_CERT_PWD" \
+  -X POST \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data-urlencode "package-uri=http://10.0.0.1/package#this" \
+  "${ADMIN_BASE_URL}packages/install" \
+| grep -q "$STATUS_BAD_REQUEST"
+
+# Test SSRF protection: package-uri with private class B address (172.16.0.0/12) should return 400 Bad Request
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$OWNER_CERT_FILE":"$OWNER_CERT_PWD" \
+  -X POST \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data-urlencode "package-uri=http://172.16.0.0/package#this" \
+  "${ADMIN_BASE_URL}packages/install" \
+| grep -q "$STATUS_BAD_REQUEST"
+
+# Test SSRF protection: package-uri with private class C address (192.168.0.0/16) should return 400 Bad Request
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$OWNER_CERT_FILE":"$OWNER_CERT_PWD" \
+  -X POST \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data-urlencode "package-uri=http://192.168.1.1/package#this" \
+  "${ADMIN_BASE_URL}packages/install" \
+| grep -q "$STATUS_BAD_REQUEST"

src/main/java/com/atomgraph/linkeddatahub/Application.java

@@ -18,6 +18,7 @@
 
 import com.atomgraph.linkeddatahub.server.mapper.ResourceExistsExceptionMapper;
 import com.atomgraph.linkeddatahub.server.mapper.HttpHostConnectExceptionMapper;
+import com.atomgraph.linkeddatahub.server.mapper.InternalURLExceptionMapper;
 import com.atomgraph.linkeddatahub.server.mapper.MessagingExceptionMapper;
 import com.atomgraph.linkeddatahub.server.mapper.auth.webid.WebIDLoadingExceptionMapper;
 import com.atomgraph.linkeddatahub.server.mapper.auth.webid.InvalidWebIDURIExceptionMapper;
@@ -1090,6 +1091,7 @@ protected void registerExceptionMappers()
         register(NotAcceptableExceptionMapper.class);
         register(ClientErrorExceptionMapper.class);
         register(HttpHostConnectExceptionMapper.class);
+        register(InternalURLExceptionMapper.class);
         register(BadGatewayExceptionMapper.class);
         register(OntClassNotFoundExceptionMapper.class);
         register(InvalidWebIDPublicKeyExceptionMapper.class);

src/main/java/com/atomgraph/linkeddatahub/resource/Transform.java

@@ -23,12 +23,11 @@
 import com.atomgraph.linkeddatahub.server.io.ValidatingModelProvider;
 import com.atomgraph.linkeddatahub.server.model.impl.DirectGraphStoreImpl;
 import com.atomgraph.linkeddatahub.server.security.AgentContext;
+import com.atomgraph.linkeddatahub.server.util.URLValidator;
 import com.atomgraph.linkeddatahub.vocabulary.NFO;
 import com.atomgraph.spinrdf.vocabulary.SPIN;
-import java.net.InetAddress;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.net.UnknownHostException;
 import java.util.Map;
 import java.util.Optional;
 import jakarta.inject.Inject;
@@ -144,8 +143,8 @@ public Response post(Model model)
             if (queryRes == null) throw new BadRequestException("Transformation query string (spin:query) not provided");
 
             // LNK-002: Validate URIs to prevent SSRF attacks
-            validateNotInternalURL(URI.create(queryRes.getURI()));
-            validateNotInternalURL(URI.create(source.getURI()));
+            new URLValidator(URI.create(queryRes.getURI())).validate();
+            new URLValidator(URI.create(source.getURI())).validate();
 
             GraphStoreClient gsc = GraphStoreClient.create(getSystem().getClient(), getSystem().getMediaTypes()).
                 delegation(getUriInfo().getBaseUri(), getAgentContext().orElse(null));
@@ -236,7 +235,7 @@ public Response postFileBodyPart(Model model, Map<String, FormDataBodyPart> file
             if (queryRes == null) throw new BadRequestException("Transformation query string (spin:query) not provided");
 
             // LNK-002: Validate query URI to prevent SSRF attacks
-            validateNotInternalURL(URI.create(queryRes.getURI()));
+            new URLValidator(URI.create(queryRes.getURI())).validate();
 
             GraphStoreClient gsc = GraphStoreClient.create(getSystem().getClient(), getSystem().getMediaTypes()).
                 delegation(getUriInfo().getBaseUri(), getAgentContext().orElse(null));
@@ -278,42 +277,6 @@ protected Response forwardPost(Entity entity, String graphURI)
         }
     }
 
-    /**
-     * Validates that the given URI does not point to an internal/private network address.
-     * Prevents SSRF attacks by blocking access to RFC 1918 private addresses and link-local addresses.
-     *
-     * @param uri the URI to validate
-     * @throws IllegalArgumentException if URI or host is null
-     * @throws BadRequestException if the URI resolves to an internal address
-     * @see <a href="https://github.com/AtomGraph/LinkedDataHub/issues/253">LNK-002: SSRF primitives in admin endpoint</a>
-     */
-    protected static void validateNotInternalURL(URI uri)
-    {
-        if (uri == null) throw new IllegalArgumentException("URI cannot be null");
-
-        String host = uri.getHost();
-        if (host == null) throw new IllegalArgumentException("URI host cannot be null");
-
-        // Resolve hostname to IP and check if it's private/internal
-        try
-        {
-            InetAddress address = InetAddress.getByName(host);
-
-            // Note: We don't block loopback addresses (127.0.0.1, localhost) because transformation queries
-            // and data sources may legitimately reference resources on the same server
-
-            if (address.isLinkLocalAddress())
-                throw new BadRequestException("URI cannot resolve to link-local addresses: " + address.getHostAddress());
-            if (address.isSiteLocalAddress())
-                throw new BadRequestException("URI cannot resolve to private addresses (RFC 1918): " + address.getHostAddress());
-        }
-        catch (UnknownHostException e)
-        {
-            if (log.isWarnEnabled()) log.warn("Could not resolve hostname for SSRF validation: {}", host);
-            // Allow request to proceed - will fail later with better error message
-        }
-    }
-
     /**
      * Returns the supported media types.
      *

src/main/java/com/atomgraph/linkeddatahub/resource/admin/pkg/InstallPackage.java

@@ -23,6 +23,7 @@
 import com.atomgraph.linkeddatahub.client.GraphStoreClient;
 import com.atomgraph.linkeddatahub.resource.admin.ClearOntology;
 import com.atomgraph.linkeddatahub.server.security.AgentContext;
+import com.atomgraph.linkeddatahub.server.util.URLValidator;
 import com.atomgraph.linkeddatahub.server.util.XSLTMasterUpdater;
 import static com.atomgraph.server.status.UnprocessableEntityStatus.UNPROCESSABLE_ENTITY;
 import jakarta.inject.Inject;
@@ -131,6 +132,9 @@ public Response post(@FormParam("package-uri") String packageURI, @HeaderParam("
             throw new BadRequestException("Package URI not specified");
         }
 
+        // Validate package URI to prevent SSRF attacks
+        new URLValidator(URI.create(packageURI)).validate();
+
         if (log.isInfoEnabled()) log.info("Installing package: {}", packageURI);
         com.atomgraph.linkeddatahub.apps.model.Package pkg = getPackage(packageURI);
         if (pkg == null)
@@ -155,6 +159,9 @@ public Response post(@FormParam("package-uri") String packageURI, @HeaderParam("
 
             if (ontology != null)
             {
+                // Validate ontology URI to prevent SSRF attacks
+                new URLValidator(URI.create(ontology.getURI())).validate();
+
                 if (log.isDebugEnabled()) log.debug("Downloading package ontology from: {}", ontology.getURI());
                 Model ontologyModel = downloadOntology(ontology.getURI());
 
@@ -166,6 +173,9 @@ public Response post(@FormParam("package-uri") String packageURI, @HeaderParam("
                 URI stylesheetURI = URI.create(stylesheet.getURI());
                 String packagePath = pkg.getStylesheetPath();
 
+                // Validate stylesheet URI to prevent SSRF attacks
+                new URLValidator(stylesheetURI).validate();
+
                 if (log.isDebugEnabled()) log.debug("Downloading package stylesheet from: {}", stylesheetURI);
                 String stylesheetContent = downloadStylesheet(stylesheetURI);
 

src/main/java/com/atomgraph/linkeddatahub/server/exception/InternalURLException.java

@@ -0,0 +1,72 @@
+/**
+ *  Copyright 2025 Martynas Jusevičius <martynas@atomgraph.com>
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+package com.atomgraph.linkeddatahub.server.exception;
+
+import java.net.URI;
+
+/**
+ * Exception thrown when attempting to load data from an internal/private network address.
+ * This is part of SSRF (Server-Side Request Forgery) attack prevention.
+ *
+ * @author Martynas Jusevičius {@literal <martynas@atomgraph.com>}
+ * @see <a href="https://github.com/AtomGraph/LinkedDataHub/issues/252">LNK-004: SSRF primitive via On-Behalf-Of header</a>
+ * @see <a href="https://github.com/AtomGraph/LinkedDataHub/issues/253">LNK-002: SSRF primitives in admin endpoint</a>
+ * @see <a href="https://github.com/AtomGraph/LinkedDataHub/issues/287">LNK-009: SSRF via proxy URI parameter</a>
+ */
+public class InternalURLException extends RuntimeException
+{
+
+    /** The URI that resolves to an internal address */
+    private final URI uri;
+
+    /** The resolved IP address */
+    private final String ipAddress;
+
+    /**
+     * Constructs exception for link-local address.
+     *
+     * @param uri the URI that resolves to a link-local address
+     * @param ipAddress the resolved link-local IP address
+     */
+    public InternalURLException(URI uri, String ipAddress)
+    {
+        super("URL cannot resolve to internal addresses: " + ipAddress);
+        this.uri = uri;
+        this.ipAddress = ipAddress;
+    }
+
+    /**
+     * Returns the URI that resolves to an internal address.
+     *
+     * @return the URI
+     */
+    public URI getURI()
+    {
+        return uri;
+    }
+
+    /**
+     * Returns the resolved IP address.
+     *
+     * @return the IP address
+     */
+    public String getIPAddress()
+    {
+        return ipAddress;
+    }
+
+}

src/main/java/com/atomgraph/linkeddatahub/server/filter/request/auth/WebIDFilter.java

@@ -25,13 +25,12 @@
 import com.atomgraph.linkeddatahub.server.exception.auth.webid.WebIDLoadingException;
 import com.atomgraph.linkeddatahub.server.exception.auth.webid.WebIDDelegationException;
 import com.atomgraph.linkeddatahub.server.security.WebIDSecurityContext;
+import com.atomgraph.linkeddatahub.server.util.URLValidator;
 import com.atomgraph.linkeddatahub.vocabulary.ACL;
 import com.atomgraph.linkeddatahub.vocabulary.Cert;
 import com.atomgraph.linkeddatahub.vocabulary.FOAF;
-import java.net.InetAddress;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.net.UnknownHostException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
@@ -130,7 +129,7 @@ public SecurityContext authenticate(ContainerRequestContext request)
             }
             if (log.isTraceEnabled()) log.trace("Client WebID: {}", webID);
 
-            validateNotInternalURL(webID); // LNK-004: Prevent SSRF via WebID URI
+            new URLValidator(webID).validate(); // LNK-004: Prevent SSRF via WebID URI
             Resource agent = authenticate(loadWebID(webID), webID, publicKey);
             if (agent == null)
             {
@@ -143,7 +142,7 @@ public SecurityContext authenticate(ContainerRequestContext request)
             if (onBehalfOf != null)
             {
                 URI principalWebID = new URI(onBehalfOf);
-                validateNotInternalURL(principalWebID); // LNK-004: Prevent SSRF via On-Behalf-Of header
+                new URLValidator(principalWebID).validate(); // LNK-004: Prevent SSRF via On-Behalf-Of header
                 Model principalWebIDModel = loadWebID(principalWebID);
                 Resource principal = principalWebIDModel.createResource(onBehalfOf);
                 // if we verify that the current agent is a secretary of the principal, that principal becomes current agent. Else throw error
@@ -301,7 +300,7 @@ public Model loadWebIDFromURI(URI webID)
                 if (certKeyRes != null && certKeyRes.isURIResource())
                 {
                     URI certKey = URI.create(certKeyRes.getURI());
-                    validateNotInternalURL(certKey); // LNK-004: Prevent SSRF via cert:key reference in WebID document
+                    new URLValidator(certKey).validate(); // LNK-004: Prevent SSRF via cert:key reference in WebID document
                     // remove fragment identifier to get document URI
                     URI certKeyDoc = new URI(certKey.getScheme(), certKey.getSchemeSpecificPart(), null).normalize();
 
@@ -383,40 +382,4 @@ public void logout(Application app, ContainerRequestContext request)
         throw new UnsupportedOperationException("Not supported yet."); // logout not really possible with HTTP certificates
     }
 
-    /**
-     * Validates that the given URI does not point to an internal/private network address.
-     * Prevents SSRF attacks by blocking access to RFC 1918 private addresses and link-local addresses.
-     *
-     * @param uri the URI to validate
-     * @throws IllegalArgumentException if URI or host is null
-     * @throws BadRequestException if the URI resolves to an internal address
-     * @see <a href="https://github.com/AtomGraph/LinkedDataHub/issues/252">LNK-004: SSRF primitive via On-Behalf-Of header</a>
-     */
-    protected static void validateNotInternalURL(URI uri)
-    {
-        if (uri == null) throw new IllegalArgumentException("URI cannot be null");
-
-        String host = uri.getHost();
-        if (host == null) throw new IllegalArgumentException("URI host cannot be null");
-
-        // Resolve hostname to IP and check if it's private/internal
-        try
-        {
-            InetAddress address = InetAddress.getByName(host);
-
-            // Note: We don't block loopback addresses (127.0.0.1, localhost) because WebID documents
-            // may legitimately be hosted on the same server during development/testing
-
-            if (address.isLinkLocalAddress())
-                throw new BadRequestException("WebID URI cannot resolve to link-local addresses: " + address.getHostAddress());
-            if (address.isSiteLocalAddress())
-                throw new BadRequestException("WebID URI cannot resolve to private addresses (RFC 1918): " + address.getHostAddress());
-        }
-        catch (UnknownHostException e)
-        {
-            if (log.isWarnEnabled()) log.warn("Could not resolve hostname for SSRF validation: {}", host);
-            // Allow request to proceed - will fail later with better error message
-        }
-    }
-
 }

src/main/java/com/atomgraph/linkeddatahub/server/mapper/InternalURLExceptionMapper.java

@@ -0,0 +1,59 @@
+/**
+ *  Copyright 2025 Martynas Jusevičius <martynas@atomgraph.com>
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+package com.atomgraph.linkeddatahub.server.mapper;
+
+import com.atomgraph.core.MediaTypes;
+import com.atomgraph.linkeddatahub.server.exception.InternalURLException;
+import com.atomgraph.server.mapper.ExceptionMapperBase;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.ExceptionMapper;
+import org.apache.jena.rdf.model.Resource;
+import org.apache.jena.rdf.model.ResourceFactory;
+
+/**
+ * JAX-RS mapper for internal URL exceptions.
+ * Maps {@link InternalURLException} to HTTP 400 Bad Request response.
+ *
+ * @author Martynas Jusevičius {@literal <martynas@atomgraph.com>}
+ */
+public class InternalURLExceptionMapper extends ExceptionMapperBase implements ExceptionMapper<InternalURLException>
+{
+
+    /**
+     * Constructs exception mapper from media type registry.
+     *
+     * @param mediaTypes registry of readable/writable media types
+     */
+    @Inject
+    public InternalURLExceptionMapper(MediaTypes mediaTypes)
+    {
+        super(mediaTypes);
+    }
+
+    @Override
+    public Response toResponse(InternalURLException ex)
+    {
+        Resource resource = toResource(ex, Response.Status.BAD_REQUEST,
+                    ResourceFactory.createResource("http://www.w3.org/2011/http-statusCodes#BadRequest"));
+
+        return getResponseBuilder(resource.getModel()).
+            status(Response.Status.BAD_REQUEST).
+            build();
+    }
+
+}