URLValidator usage fix

Author: namedgraph

http-tests/proxy/GET-proxied-internal-403.sh

@@ -17,7 +17,7 @@ add-agent-to-group.sh \
 
 # LNK-009: Test that internal Docker services are blocked via SSRF protection
 # Attempt to access the internal fuseki-admin SPARQL endpoint via the proxy
-# This should be blocked and return 403 Forbidden
+# This should be blocked and return 400 Bad Request
 
 http_status=$(curl -k -s -o /dev/null -w "%{http_code}" \
   -G \
@@ -26,8 +26,8 @@ http_status=$(curl -k -s -o /dev/null -w "%{http_code}" \
   --data-urlencode "uri=http://fuseki-admin:3030/ds" \
   "$END_USER_BASE_URL" || true)
 
-# Verify that access was forbidden (403)
-if [ "$http_status" != "403" ]; then
-    echo "Expected HTTP 403 Forbidden for internal service access, got: $http_status"
+# Verify that access was rejected (400)
+if [ "$http_status" != "400" ]; then
+    echo "Expected HTTP 400 Bad Request for internal service access, got: $http_status"
     exit 1
 fi

http-tests/proxy/GET-proxied-rfc1918-403.sh

@@ -25,8 +25,8 @@ http_status=$(curl -k -s -o /dev/null -w "%{http_code}" \
   --data-urlencode "uri=http://10.0.0.1:8080/test" \
   "$END_USER_BASE_URL" || true)
 
-if [ "$http_status" != "403" ]; then
-    echo "Expected HTTP 403 Forbidden for 10.0.0.1 access, got: $http_status"
+if [ "$http_status" != "400" ]; then
+    echo "Expected HTTP 400 Bad Request for 10.0.0.1 access, got: $http_status"
     exit 1
 fi
 
@@ -39,8 +39,8 @@ http_status=$(curl -k -s -o /dev/null -w "%{http_code}" \
   --data-urlencode "uri=http://172.16.0.1:8080/test" \
   "$END_USER_BASE_URL" || true)
 
-if [ "$http_status" != "403" ]; then
-    echo "Expected HTTP 403 Forbidden for 172.16.0.1 access, got: $http_status"
+if [ "$http_status" != "400" ]; then
+    echo "Expected HTTP 400 Bad Request for 172.16.0.1 access, got: $http_status"
     exit 1
 fi
 
@@ -53,7 +53,7 @@ http_status=$(curl -k -s -o /dev/null -w "%{http_code}" \
   --data-urlencode "uri=http://192.168.1.1:8080/test" \
   "$END_USER_BASE_URL" || true)
 
-if [ "$http_status" != "403" ]; then
-    echo "Expected HTTP 403 Forbidden for 192.168.1.1 access, got: $http_status"
+if [ "$http_status" != "400" ]; then
+    echo "Expected HTTP 400 Bad Request for 192.168.1.1 access, got: $http_status"
     exit 1
 fi

src/main/java/com/atomgraph/linkeddatahub/server/model/impl/ProxiedGraph.java

@@ -165,9 +165,6 @@ protected ProxiedGraph(@Context UriInfo uriInfo, @Context Request request, @Cont
     {
         super(uriInfo, request, httpHeaders, mediaTypes, uri, endpoint, query, accept, mode, system.getExternalClient(), httpServletRequest);
 
-        // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
-        if (uri != null) new URLValidator(uri).validate();
-
         this.uriInfo = uriInfo;
         this.application = application;
         this.service = service.get();
@@ -311,6 +308,8 @@ public Response get(WebTarget target, Invocation.Builder builder)
         }
 
         if (!getSystem().isEnableLinkedDataProxy()) throw new NotAllowedException("Linked Data proxy not enabled");
+        // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
+        new URLValidator(target.getUri()).validate();
 
         return super.get(target, builder);
     }
@@ -326,6 +325,8 @@ public Response get(WebTarget target, Invocation.Builder builder)
     public Response post(String sparqlQuery)
     {
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied");
+        // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
+        new URLValidator(getWebTarget().getUri()).validate();
 
         if (log.isDebugEnabled()) log.debug("POSTing SPARQL query to URI: {}", getWebTarget().getUri());
 
@@ -358,6 +359,8 @@ public Response post(String sparqlQuery)
     public Response postForm(String formData)
     {
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied");
+        // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
+        new URLValidator(getWebTarget().getUri()).validate();
 
         if (log.isDebugEnabled()) log.debug("POSTing form data to URI: {}", getWebTarget().getUri());
 
@@ -390,6 +393,8 @@ public Response postForm(String formData)
     public Response patch(String sparqlUpdate)
     {
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied");
+        // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
+        new URLValidator(getWebTarget().getUri()).validate();
 
         if (log.isDebugEnabled()) log.debug("PATCHing SPARQL update to URI: {}", getWebTarget().getUri());
 
@@ -423,6 +428,8 @@ public Response postMultipart(FormDataMultiPart multiPart)
     {
         if (!getSystem().isEnableLinkedDataProxy()) throw new NotAllowedException("Linked Data proxy not enabled");
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied"); // cannot throw Exception in constructor: https://github.com/eclipse-ee4j/jersey/issues/4436
+        // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
+        new URLValidator(getWebTarget().getUri()).validate();
 
         try (Response cr = getWebTarget().request().
             accept(getMediaTypes().getReadable(Model.class).toArray(jakarta.ws.rs.core.MediaType[]::new)).
@@ -445,6 +452,8 @@ public Response putMultipart(FormDataMultiPart multiPart)
     {
         if (!getSystem().isEnableLinkedDataProxy()) throw new NotAllowedException("Linked Data proxy not enabled");
         if (getWebTarget() == null) throw new NotFoundException("Resource URI not supplied"); // cannot throw Exception in constructor: https://github.com/eclipse-ee4j/jersey/issues/4436
+        // LNK-009: Validate that proxied URI is not internal/private (SSRF protection)
+        new URLValidator(getWebTarget().getUri()).validate();
 
         try (Response cr = getWebTarget().request().
                 accept(getMediaTypes().getReadable(Model.class).toArray(jakarta.ws.rs.core.MediaType[]::new)).