Sandboxed URL creation to prevent SSRF attacks

pom.xml

@@ -146,6 +146,7 @@
     <xstream.version>1.4.5</xstream.version>
     <!-- do not update necessary for lesson -->
     <zxcvbn.version>1.5.2</zxcvbn.version>
+    <versions.java-security-toolkit>1.1.1</versions.java-security-toolkit>
   </properties>
 
   <dependencyManagement>
@@ -248,6 +249,11 @@
         <artifactId>jruby</artifactId>
         <version>9.3.6.0</version>
       </dependency>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit</artifactId>
+        <version>${versions.java-security-toolkit}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -393,6 +399,10 @@
       <artifactId>rest-assured</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit</artifactId>
+    </dependency>
   </dependencies>
 
   <repositories>

src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java

@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.ssrf;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
@@ -48,7 +50,7 @@ public AttackResult completed(@RequestParam String url) {
   protected AttackResult furBall(String url) {
     if (url.matches("http://ifconfig.pro")) {
       String html;
-      try (InputStream in = new URL(url).openStream()) {
+      try (InputStream in = Urls.create(url, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS).openStream()) {
         html =
             new String(in.readAllBytes(), StandardCharsets.UTF_8)
                 .replaceAll("\n", "<br>"); // Otherwise the \n gets escaped in the response