Class InetAddressValidator

java.lang.Object
org.mockserver.proxyconfiguration.InetAddressValidator

public final class InetAddressValidator extends Object
Validates that the destination host of a forward or proxy action is not a loopback, link-local, RFC 1918 private, or cloud metadata address. This blocks server-side request forgery (SSRF) where an attacker registers an expectation that forwards through MockServer to internal infrastructure.

Validation is opt-in via mockserver.forwardProxyBlockPrivateNetworks (default false) because MockServer is most commonly used to mock services running on localhost, Docker bridge networks, or Kubernetes service IPs.

  • Method Details

    • validateForwardTarget

      public static void validateForwardTarget(Configuration configuration, String host)
      Validate a forward target. No-op if the feature is disabled. Throws IllegalArgumentException when the host is unresolvable or resolves to a blocked address range.
      Parameters:
      configuration - MockServer configuration (may be null to fall back to global properties)
      host - target host (may be a name or literal address)
    • validateForwardTarget

      public static void validateForwardTarget(Configuration configuration, InetAddress address)
      Validate an already-resolved forward/relay target. Runs the identical block checks as validateForwardTarget(Configuration, String) but on a concrete InetAddress rather than re-resolving a host string. This lets a caller validate and then connect to the same resolved address, closing the DNS-rebinding / TOCTOU window where a hostname could resolve to a benign address for the check and an internal address for the connect. No-op when the feature is disabled.
      Parameters:
      configuration - MockServer configuration (may be null to fall back to global properties)
      address - the concrete resolved target address (null is treated as nothing to check)