fix(#5452): add optional ssrf check mechanism#5464
Merged
Conversation
0e995c5 to
24010f7
Compare
cdprete
reviewed
Jun 20, 2026
cdprete
reviewed
Jun 20, 2026
1b68118 to
d15448b
Compare
cdprete
reviewed
Jul 5, 2026
cdprete
reviewed
Jul 5, 2026
503566f to
cfa49d4
Compare
# Conflicts: # spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/config/AdminServerWebConfiguration.java
…and custom InetAddressFilter
- Reject URISyntaxException in SsrfUrlValidator instead of silently accepting; a malformed URL is a potential bypass vector - Use @ConditionalOnMissingBean(name=) on ssrfInetAddressFilter to prevent collision with any user-defined InetAddressFilter bean - Add clarifying comment in InstanceWebProxy explaining why relative URIs are skipped (path-only, no host to validate) - Remove unused InetAddressFilter imports from InstanceWebProxy and reactive InstancesProxyController - Fix space-indentation and blank-line formatting in servlet InstancesProxyController (checkstyle / spring-javaformat) - Expand allowed-cidrs examples in docs to show single host, subnet, whole RFC 1918 classes, and IPv6 as separate copy-paste snippets - Add test: rejects_malformedUrl covers the URISyntaxException path
- Reject URLs where URI.getHost() is null but URI.getAuthority() is non-null: this covers octal (0251.0376.0251.0376) and Unicode digit hosts that java.net.URI cannot parse into a standard hostname. Without this guard, octal-encoded private IPs pass validation entirely. - Use authority != null instead of StringUtils.hasText() — getAuthority() is never an empty string, so the plain null-check is exact and clearer. - Add BypassAttempts test class covering: decimal-encoded IPs (resolved correctly by InetAddress), octal and Unicode (caught by the new guard), and uppercase scheme normalisation (SBA's own toLowerCase logic). Tests that only exercise JDK URI parsing or Spring Boot's InetAddressFilter internals were not added — those are tested by their respective owners.
- Add SsrfProtectionException(String, Throwable) and preserve the original URISyntaxException as cause for downstream analysis - Expose the SSRF InetAddressFilter bean name as a public constant (SSRF_INET_ADDRESS_FILTER_BEAN_NAME) for safe redefinition across releases - Move the isAbsolute() decision into SsrfUrlValidator via a validate(URI) overload; relative URIs are skipped inside the validator instead of at the call site in InstanceWebProxy - Add null-URI test coverage for the new overload
622959f to
fec0bf4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces opt-in protection against Server-Side Request Forgery (SSRF) attacks in Spring Boot Admin Server, focusing on validating and restricting instance registration URLs and proxy targets. It adds configuration options for enabling SSRF protection, customizing allowed IP ranges and schemes, and provides extension points for advanced use cases. Documentation is updated to explain the risks, configuration, and best practices.
SSRF Protection Feature:
healthUrl,managementUrl, andserviceUrlduring instance registration and proxying, blocking requests to private/internal addresses and non-HTTP(S) schemes. This is disabled by default and can be enabled via configuration. [1] [2]AdminServerProperties(ssrf-protection.enabled,allowed-cidrs,allowed-schemes) and supporting beans (InetAddressFilter,SsrfUrlValidator) for flexible address and scheme allowlisting. [1] [2] [3]InstanceRegistryand both servlet and reactiveInstancesProxyControllerto enforce SSRF validation at registration and proxy time. [1] [2] [3]Documentation Updates:
40-ssrf-protection.md) covering risks, configuration, extension, and integration with other security features.General/Other:
These changes significantly improve the security posture of Spring Boot Admin Server by providing robust, configurable defenses against SSRF attacks.
closes #5452