Class InetAddressValidator

java.lang.Object
org.mockserver.proxyconfiguration.InetAddressValidator

public final class InetAddressValidator extends Object
Validates that the destination host of a forward or proxy action is not a loopback, link-local, RFC 1918 private, or cloud metadata address. This blocks server-side request forgery (SSRF) where an attacker registers an expectation that forwards through MockServer to internal infrastructure.

Validation is opt-in via mockserver.forwardProxyBlockPrivateNetworks (default false) because MockServer is most commonly used to mock services running on localhost, Docker bridge networks, or Kubernetes service IPs.

  • Method Details

    • validateForwardTarget

      public static void validateForwardTarget(Configuration configuration, String host)
      Validate a forward target. No-op if the feature is disabled. Throws IllegalArgumentException when the host is unresolvable or resolves to a blocked address range.
      Parameters:
      configuration - MockServer configuration (may be null to fall back to global properties)
      host - target host (may be a name or literal address)
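
A stand-alone sketch of the kind of check described above, added here as an illustration using only JDK classes; it is not MockServer's implementation. The class `ForwardTargetCheckExample`, its methods and the boolean parameter standing in for `mockserver.forwardProxyBlockPrivateNetworks` are assumptions, and the sample addresses are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public final class ForwardTargetCheckExample {

    // blockPrivateNetworks is a hypothetical stand-in for the
    // mockserver.forwardProxyBlockPrivateNetworks setting (default false).
    static void validate(boolean blockPrivateNetworks, String host) {
        if (!blockPrivateNetworks) {
            return; // feature disabled: no-op
        }
        InetAddress[] resolved;
        try {
            // A literal address is parsed without a lookup; a name may
            // return several records, and every one of them is checked.
            resolved = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("forward target is unresolvable: " + host, e);
        }
        for (InetAddress address : resolved) {
            if (isBlocked(address)) {
                throw new IllegalArgumentException(
                    "forward target " + host + " resolves to blocked address "
                        + address.getHostAddress());
            }
        }
    }

    static boolean isBlocked(InetAddress address) {
        return address.isLoopbackAddress()    // 127.0.0.0/8, ::1
            || address.isLinkLocalAddress()   // 169.254.0.0/16 (covers 169.254.169.254), fe80::/10
            || address.isSiteLocalAddress();  // IPv4: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    }

    public static void main(String[] args) {
        // Constructed sample targets; all are literals, so no DNS lookup happens.
        String[] samples = {"127.0.0.1", "169.254.169.254", "10.0.0.5", "192.168.1.10", "203.0.113.7"};
        for (String sample : samples) {
            try {
                validate(true, sample);
                System.out.println(sample + " -> allowed");
            } catch (IllegalArgumentException e) {
                System.out.println(sample + " -> rejected: " + e.getMessage());
            }
        }
        validate(false, "127.0.0.1"); // disabled: returns without throwing
    }
}
```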