Class InetAddressValidator
java.lang.Object
org.mockserver.proxyconfiguration.InetAddressValidator
Validates that the destination host of a forward or proxy action is not a
loopback, link-local, RFC 1918 private, or cloud metadata address. This
blocks server-side request forgery (SSRF) where an attacker registers an
expectation that forwards through MockServer to internal infrastructure.
Validation is opt-in via mockserver.forwardProxyBlockPrivateNetworks
(default false) because MockServer is most commonly used to mock services
running on localhost, Docker bridge networks, or Kubernetes service IPs.
-
Method Summary
Modifier and TypeMethodDescriptionstatic voidvalidateForwardTarget(Configuration configuration, String host) Validate a forward target.static voidvalidateForwardTarget(Configuration configuration, InetAddress address) Validate an already-resolved forward/relay target.
-
Method Details
-
validateForwardTarget
Validate a forward target. No-op if the feature is disabled. Throws IllegalArgumentException when the host is unresolvable or resolves to a blocked address range.- Parameters:
configuration- MockServer configuration (may be null to fall back to global properties)host- target host (may be a name or literal address)
-
validateForwardTarget
Validate an already-resolved forward/relay target. Runs the identical block checks asvalidateForwardTarget(Configuration, String)but on a concreteInetAddressrather than re-resolving a host string. This lets a caller validate and then connect to the same resolved address, closing the DNS-rebinding / TOCTOU window where a hostname could resolve to a benign address for the check and an internal address for the connect. No-op when the feature is disabled.- Parameters:
configuration- MockServer configuration (may be null to fall back to global properties)address- the concrete resolved target address (null is treated as nothing to check)
-