wiremock
diff --git a/‎src/main/java/com/github/tomakehurst/wiremock/common/NetworkAddressRange.java‎
Lines changed: 123 additions & 0 deletions b/‎src/main/java/com/github/tomakehurst/wiremock/common/NetworkAddressRange.java‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎src/main/java/com/github/tomakehurst/wiremock/common/NetworkAddressRules.java‎
Lines changed: 64 additions & 0 deletions b/‎src/main/java/com/github/tomakehurst/wiremock/common/NetworkAddressRules.java‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎src/main/java/com/github/tomakehurst/wiremock/core/Options.java‎
Lines changed: 2 additions & 0 deletions b/‎src/main/java/com/github/tomakehurst/wiremock/core/Options.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/main/java/com/github/tomakehurst/wiremock/core/WireMockApp.java‎
Lines changed: 2 additions & 1 deletion b/‎src/main/java/com/github/tomakehurst/wiremock/core/WireMockApp.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/main/java/com/github/tomakehurst/wiremock/core/WireMockConfiguration.java‎
Lines changed: 21 additions & 9 deletions b/‎src/main/java/com/github/tomakehurst/wiremock/core/WireMockConfiguration.java‎
Lines changed: 21 additions & 9 deletions
diff --git a/‎src/main/java/com/github/tomakehurst/wiremock/http/ProxyResponseRenderer.java‎
Lines changed: 28 additions & 1 deletion b/‎src/main/java/com/github/tomakehurst/wiremock/http/ProxyResponseRenderer.java‎
Lines changed: 28 additions & 1 deletion
diff --git a/‎src/main/java/com/github/tomakehurst/wiremock/servlet/WarConfiguration.java‎
Lines changed: 5 additions & 0 deletions b/‎src/main/java/com/github/tomakehurst/wiremock/servlet/WarConfiguration.java‎
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2022 Thomas Akehurst
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.github.tomakehurst.wiremock.common;
+
+import com.google.common.net.InetAddresses;
+import java.math.BigInteger;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.regex.Pattern;
+
+public abstract class NetworkAddressRange {
+
+  public static final NetworkAddressRange ALL = new All();
+
+  private static final Pattern SINGLE_IP =
+      Pattern.compile("\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");
+  private static final Pattern IP_RANGE =
+      Pattern.compile(
+          "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}-\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");
+
+  public static NetworkAddressRange of(String value) {
+    if (SINGLE_IP.matcher(value).matches()) {
+      return new SingleIp(value);
+    }
+
+    if (IP_RANGE.matcher(value).matches()) {
+      return new IpRange(value);
+    }
+
+    return new DomainNameWildcard(value);
+  }
+
+  public abstract boolean isIncluded(String testValue);
+
+  private static class SingleIp extends NetworkAddressRange {
+
+    private final InetAddress inetAddress;
+
+    private SingleIp(String ipAddress) {
+      this.inetAddress = parseIpAddress(ipAddress);
+    }
+
+    @Override
+    public boolean isIncluded(String testValue) {
+      return lookup(testValue).equals(inetAddress);
+    }
+  }
+
+  private static class IpRange extends NetworkAddressRange {
+
+    private final BigInteger start;
+    private final BigInteger end;
+
+    private IpRange(String ipRange) {
+      String[] parts = ipRange.split("-");
+      if (parts.length != 2) {
+        throw new InvalidInputException(Errors.single(18, ipRange + " is not a valid IP range"));
+      }
+      this.start = InetAddresses.toBigInteger(parseIpAddress(parts[0]));
+      this.end = InetAddresses.toBigInteger(parseIpAddress(parts[1]));
+    }
+
+    @Override
+    public boolean isIncluded(String testValue) {
+      InetAddress testValueAddress = lookup(testValue);
+      BigInteger intVal = InetAddresses.toBigInteger(testValueAddress);
+      return intVal.compareTo(start) >= 0 && intVal.compareTo(end) <= 0;
+    }
+  }
+
+  private static class DomainNameWildcard extends NetworkAddressRange {
+
+    private final Pattern namePattern;
+
+    private DomainNameWildcard(String namePattern) {
+      String nameRegex = namePattern.replace(".", "\\.").replace("*", ".+");
+      this.namePattern = Pattern.compile(nameRegex);
+    }
+
+    @Override
+    public boolean isIncluded(String testValue) {
+      return namePattern.matcher(testValue).matches();
+    }
+  }
+
+  private static class All extends NetworkAddressRange {
+
+    @Override
+    public boolean isIncluded(String testValue) {
+      return true;
+    }
+  }
+
+  private static InetAddress parseIpAddress(String ipAddress) {
+    if (!InetAddresses.isInetAddress(ipAddress)) {
+      throw new InvalidInputException(Errors.single(16, ipAddress + " is not a valid IP address"));
+    }
+
+    return lookup(ipAddress);
+  }
+
+  private static InetAddress lookup(String host) {
+    try {
+      return InetAddress.getByName(host);
+    } catch (UnknownHostException e) {
+      throw new InvalidInputException(
+          e, Errors.single(17, host + " is not a valid network address"));
+    }
+  }
+}
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2022 Thomas Akehurst
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.github.tomakehurst.wiremock.common;
+
+import static com.github.tomakehurst.wiremock.common.NetworkAddressRange.ALL;
+import static java.util.Collections.emptySet;
+
+import com.google.common.collect.ImmutableSet;
+import java.util.Set;
+
+public class NetworkAddressRules {
+
+  public static Builder builder() {
+    return new Builder();
+  }
+
+  private final Set<NetworkAddressRange> allowed;
+  private final Set<NetworkAddressRange> denied;
+
+  public static NetworkAddressRules ALLOW_ALL =
+      new NetworkAddressRules(ImmutableSet.of(ALL), emptySet());
+
+  public NetworkAddressRules(Set<NetworkAddressRange> allowed, Set<NetworkAddressRange> denied) {
+    this.allowed = allowed;
+    this.denied = denied;
+  }
+
+  public boolean isAllowed(String testValue) {
+    return allowed.stream().anyMatch(rule -> rule.isIncluded(testValue))
+        && denied.stream().noneMatch(rule -> rule.isIncluded(testValue));
+  }
+
+  public static class Builder {
+    private final ImmutableSet.Builder<NetworkAddressRange> allowed = ImmutableSet.builder();
+    private final ImmutableSet.Builder<NetworkAddressRange> denied = ImmutableSet.builder();
+
+    public Builder allow(String expression) {
+      allowed.add(NetworkAddressRange.of(expression));
+      return this;
+    }
+
+    public Builder deny(String expression) {
+      denied.add(NetworkAddressRange.of(expression));
+      return this;
+    }
+
+    public NetworkAddressRules build() {
+      return new NetworkAddressRules(allowed.build(), denied.build());
+    }
+  }
+}
@@ -111,4 +111,6 @@ enum ChunkedEncodingPolicy {
   boolean getDisableStrictHttpHeaders();
 
   DataTruncationSettings getDataTruncationSettings();
+
+  NetworkAddressRules getProxyTargetRules();
 }
@@ -177,7 +177,8 @@ public StubRequestHandler buildStubRequestHandler() {
                 globalSettingsHolder,
                 browserProxySettings.trustAllProxyTargets(),
                 browserProxySettings.trustedProxyTargets(),
-                options.getStubCorsEnabled()),
+                options.getStubCorsEnabled(),
+                options.getProxyTargetRules()),
             ImmutableList.copyOf(options.extensionsOfType(ResponseTransformer.class).values())),
         this,
         postServeActions,
 
@@ -121,6 +121,8 @@ public class WireMockConfiguration implements Options {
 
   private Limit responseBodySizeLimit = UNLIMITED;
 
+  private NetworkAddressRules proxyTargetRules = NetworkAddressRules.ALLOW_ALL;
+
   private MappingsSource getMappingsSource() {
     if (mappingsSource == null) {
       mappingsSource = new JsonFileMappingsSource(filesRoot.child(MAPPINGS_ROOT));
@@ -444,6 +446,22 @@ public WireMockConfiguration trustedProxyTargets(List<String> trustedProxyTarget
     return this;
   }
 
+  public WireMockConfiguration disableOptimizeXmlFactoriesLoading(
+      boolean disableOptimizeXmlFactoriesLoading) {
+    this.disableOptimizeXmlFactoriesLoading = disableOptimizeXmlFactoriesLoading;
+    return this;
+  }
+
+  public WireMockConfiguration maxLoggedResponseSize(int maxSize) {
+    this.responseBodySizeLimit = new Limit(maxSize);
+    return this;
+  }
+
+  public WireMockConfiguration limitProxyTargets(NetworkAddressRules proxyTargetRules) {
+    this.proxyTargetRules = proxyTargetRules;
+    return this;
+  }
+
   @Override
   public int portNumber() {
     return portNumber;
@@ -619,12 +637,6 @@ public boolean getDisableOptimizeXmlFactoriesLoading() {
     return disableOptimizeXmlFactoriesLoading;
   }
 
-  public WireMockConfiguration disableOptimizeXmlFactoriesLoading(
-      boolean disableOptimizeXmlFactoriesLoading) {
-    this.disableOptimizeXmlFactoriesLoading = disableOptimizeXmlFactoriesLoading;
-    return this;
-  }
-
   @Override
   public boolean getDisableStrictHttpHeaders() {
     return disableStrictHttpHeaders;
@@ -657,8 +669,8 @@ public BrowserProxySettings browserProxySettings() {
         .build();
   }
 
-  public WireMockConfiguration maxLoggedResponseSize(int maxSize) {
-    this.responseBodySizeLimit = new Limit(maxSize);
-    return this;
+  @Override
+  public NetworkAddressRules getProxyTargetRules() {
+    return proxyTargetRules;
   }
 }
@@ -19,15 +19,19 @@
 import static com.github.tomakehurst.wiremock.http.Response.response;
 import static java.net.HttpURLConnection.HTTP_INTERNAL_ERROR;
 
+import com.github.tomakehurst.wiremock.common.NetworkAddressRules;
 import com.github.tomakehurst.wiremock.common.ProxySettings;
 import com.github.tomakehurst.wiremock.common.ssl.KeyStoreSettings;
 import com.github.tomakehurst.wiremock.global.GlobalSettingsHolder;
 import com.github.tomakehurst.wiremock.stubbing.ServeEvent;
 import com.google.common.collect.ImmutableList;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.net.InetAddress;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
@@ -61,6 +65,8 @@ public class ProxyResponseRenderer implements ResponseRenderer {
   private final GlobalSettingsHolder globalSettingsHolder;
   private final boolean stubCorsEnabled;
 
+  private final NetworkAddressRules targetAddressRules;
+
   public ProxyResponseRenderer(
       ProxySettings proxySettings,
       KeyStoreSettings trustStoreSettings,
@@ -69,7 +75,8 @@ public ProxyResponseRenderer(
       GlobalSettingsHolder globalSettingsHolder,
       boolean trustAllProxyTargets,
       List<String> trustedProxyTargets,
-      boolean stubCorsEnabled) {
+      boolean stubCorsEnabled,
+      NetworkAddressRules targetAddressRules) {
     this.globalSettingsHolder = globalSettingsHolder;
     reverseProxyClient =
         HttpClientFactory.createClient(
@@ -93,11 +100,20 @@ public ProxyResponseRenderer(
     this.preserveHostHeader = preserveHostHeader;
     this.hostHeaderValue = hostHeaderValue;
     this.stubCorsEnabled = stubCorsEnabled;
+    this.targetAddressRules = targetAddressRules;
   }
 
   @Override
   public Response render(ServeEvent serveEvent) {
     ResponseDefinition responseDefinition = serveEvent.getResponseDefinition();
+    if (targetAddressProhibited(responseDefinition.getProxyUrl())) {
+      return response()
+          .status(500)
+          .headers(new HttpHeaders(new HttpHeader("Content-Type", "text/plain")))
+          .body("The target proxy address is denied in WireMock's configuration.")
+          .build();
+    }
+
     HttpUriRequest httpRequest = getHttpRequestFor(responseDefinition);
     addRequestHeaders(httpRequest, responseDefinition);
 
@@ -127,6 +143,17 @@ public Response render(ServeEvent serveEvent) {
     }
   }
 
+  private boolean targetAddressProhibited(String proxyUrl) {
+    String host = URI.create(proxyUrl).getHost();
+    try {
+      final InetAddress[] resolvedAddresses = InetAddress.getAllByName(host);
+      return !Arrays.stream(resolvedAddresses)
+          .allMatch(address -> targetAddressRules.isAllowed(address.getHostAddress()));
+    } catch (UnknownHostException e) {
+      return true;
+    }
+  }
+
   private Response proxyResponseError(String type, HttpUriRequest request, Exception e) {
     return response()
         .status(HTTP_INTERNAL_ERROR)
 
@@ -219,6 +219,11 @@ public DataTruncationSettings getDataTruncationSettings() {
     return DataTruncationSettings.DEFAULTS;
   }
 
+  @Override
+  public NetworkAddressRules getProxyTargetRules() {
+    return NetworkAddressRules.ALLOW_ALL;
+  }
+
   @Override
   public BrowserProxySettings browserProxySettings() {
     return BrowserProxySettings.DISABLED;
Original file line number	Diff line number	Diff line change
`@@ -111,4 +111,6 @@ enum ChunkedEncodingPolicy {`
`111`	`111`	`boolean getDisableStrictHttpHeaders();`
`112`	`112`
`113`	`113`	`DataTruncationSettings getDataTruncationSettings();`
	`114`	`+`
	`115`	`+ NetworkAddressRules getProxyTargetRules();`
`114`	`116`	`}`