Add InetAddress filtering for client side SSRF protection #18498

@rstoyanchev

Description

An application that makes HTTP requests to user-provided URLs needs to prevent malicious users from directing traffic to forbidden IP addresses (e.g. internal or external, RFC 1918 ranges, etc.) even if the requested hostname appears harmless, to protect against SSRF/DNS rebinding issues.

It would be useful for an application to be able to configure restrictions on the target addresses an application is allowed to make requests to. This is best done at the level of resolved IP addresses.

HTTP client libraries include a DNS resolver mechanism that can be used to apply checks. What is needed is a common configuration and filtering mechanism to apply such checks to any client.

Spring Security already provides IpAddressMatcher for IP address matching. We can build on that to provide such a mechanism.

The actual code to plug this into specific HTTP client DNS resolvers could exist in Spring Boot, which already helps to configure client libraries.

Note that this has been a collaborative effort with @rwinch and the Google security team, and there are specific code changes in advanced preparation that will be pushed after 7.1 M1 is released next week.
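The check the issue asks for, as an added example that is not code from Spring Framework, Spring Security or Spring Boot: a resolver-level filter that looks up a host name, tests every resolved address against a CIDR deny list, and fails closed if any address is forbidden. The names `ResolvedAddressFilter`, `CidrRange` and `withDefaultDenyList` are hypothetical; `CidrRange` is a plain-JDK stand-in for Spring Security's `IpAddressMatcher` so the example runs without Spring on the classpath, and the `resolve` method is the piece a client library's DNS resolver hook would delegate to.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical resolver-level SSRF filter (added example; not Spring code).
 * Filtering the addresses a name actually resolves to, rather than the name
 * itself, is what refuses a harmless-looking host that points at a private,
 * loopback, link-local or cloud-metadata address.
 */
public final class ResolvedAddressFilter {

    /** Plain-JDK CIDR matcher, e.g. "10.0.0.0/8" or "fc00::/7" (stand-in for IpAddressMatcher). */
    public static final class CidrRange {
        private final byte[] network;
        private final int prefixLength;

        public CidrRange(String cidr) throws UnknownHostException {
            int slash = cidr.indexOf('/');
            String address = slash < 0 ? cidr : cidr.substring(0, slash);
            // A literal address: getByName parses it without any DNS round trip.
            this.network = InetAddress.getByName(address).getAddress();
            int bits = network.length * 8;
            this.prefixLength = slash < 0 ? bits : Integer.parseInt(cidr.substring(slash + 1));
            if (prefixLength < 0 || prefixLength > bits) {
                throw new IllegalArgumentException("bad prefix length in " + cidr);
            }
        }

        public boolean contains(InetAddress candidate) {
            byte[] bytes = candidate.getAddress();
            if (bytes.length != network.length) {
                return false; // an IPv4 range never matches an IPv6 address and vice versa
            }
            int fullBytes = prefixLength / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (bytes[i] != network[i]) {
                    return false;
                }
            }
            int remainingBits = prefixLength % 8;
            if (remainingBits == 0) {
                return true;
            }
            int mask = (0xFF << (8 - remainingBits)) & 0xFF; // top remainingBits of the next byte
            return (bytes[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final List<CidrRange> denied;

    public ResolvedAddressFilter(List<CidrRange> denied) {
        this.denied = List.copyOf(denied);
    }

    /** Loopback, RFC 1918, link-local (covers the 169.254.169.254 metadata address), CGNAT and IPv6 counterparts. */
    public static ResolvedAddressFilter withDefaultDenyList() throws UnknownHostException {
        String[] ranges = {
            "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "169.254.0.0/16", "100.64.0.0/10",
            "::/128", "::1/128", "fe80::/10", "fc00::/7"
        };
        List<CidrRange> list = new ArrayList<>();
        for (String range : ranges) {
            list.add(new CidrRange(range));
        }
        return new ResolvedAddressFilter(list);
    }

    public boolean isAllowed(InetAddress address) {
        for (CidrRange range : denied) {
            if (range.contains(address)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Resolve a host and fail closed if ANY of its addresses is forbidden. The caller
     * must connect to one of the returned addresses instead of resolving the name a
     * second time; otherwise a changed (rebinding) DNS answer bypasses the check.
     */
    public InetAddress[] resolve(String host) throws UnknownHostException {
        InetAddress[] resolved = InetAddress.getAllByName(host);
        for (InetAddress address : resolved) {
            if (!isAllowed(address)) {
                throw new UnknownHostException("refusing " + host
                        + ": resolves to forbidden address " + address.getHostAddress());
            }
        }
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        ResolvedAddressFilter filter = withDefaultDenyList();
        // Constructed literals (no DNS lookups): a public TEST-NET-3 address, the cloud
        // metadata address, and an IPv4-mapped IPv6 spelling of a private address, which
        // the JDK parses as an Inet4Address so the IPv4 deny entries still apply to it.
        for (String literal : new String[] {"203.0.113.10", "169.254.169.254", "::ffff:10.1.2.3"}) {
            System.out.println(literal + " allowed=" + filter.isAllowed(InetAddress.getByName(literal)));
        }
    }
}
```

The filter is deliberately a deny list of address ranges rather than a host-name check, and it rejects the whole lookup when even one returned address is forbidden, because a client may pick any of them. Whatever client library this is wired into also needs to re-run the check on every redirect target, since a redirect is just another user-controlled URL.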

Labels: in: web (An issue in web modules (web, webmvc)), type: enhancement (A general enhancement)