Constructor Detail

• RequestValidator

  public RequestValidator(Log log,
                          String peerB32,
                          Properties opts,
                          BlocklistManager blocklistManager)

  Creates a new RequestValidator.

  Parameters:

  log - the Log instance for logging validation events

  peerB32 - the Base32-encoded peer destination for logging

  opts - the tunnel client options for validation configuration

  blocklistManager - the BlocklistManager for logging blocked destinations; may be null

Method Detail

• buildInproxyRejectLog

  public String buildInproxyRejectLog(Map<String,List<String>> headers)

  Builds a detailed log message for inproxy rejection.

  This method extracts all relevant headers for logging purposes when an inproxy request is rejected.

  Parameters:

  headers - the HTTP request headers

  Returns:

  a formatted string suitable for logging

• getRefererForLog

  public String getRefererForLog(Map<String,List<String>> headers)

  Extracts the referer URL for logging purposes.

  Strips the "Referer: " prefix from the header value.

  Parameters:

  headers - the HTTP request headers

  Returns:

  the referer URL without the header prefix, or null if not available

• getUserAgentForCheck

  public String getUserAgentForCheck(Map<String,List<String>> headers)

  Extracts the user agent for blacklisting checks.

  Parameters:

  headers - the HTTP request headers

  Returns:

  the user agent string, or null if not present

• shouldRejectInproxy

  public boolean shouldRejectInproxy(Map<String,List<String>> headers)

  Checks if the request should be rejected based on inproxy headers.

  When the OPT_REJECT_INPROXY option is enabled, requests containing X-Forwarded-For, X-Forwarded-Server, Forwarded, or X-Forwarded-Host headers are rejected to prevent proxy abuse.

  Parameters:

  headers - the HTTP request headers

  Returns:

  true if the request should be rejected, false otherwise

• shouldRejectReferer

  public boolean shouldRejectReferer(Map<String,List<String>> headers)

  Checks if the request should be rejected based on referer header.

  When the OPT_REJECT_REFERER option is enabled, requests with absolute URIs (starting with http:// or https://) in the Referer header are rejected to prevent information leakage.

  Parameters:

  headers - the HTTP request headers

  Returns:

  true if the request should be rejected, false otherwise

• shouldRejectUserAgent

  public boolean shouldRejectUserAgent(Map<String,List<String>> headers)

  Checks if the request should be rejected based on user-agent header.

  When the OPT_REJECT_USER_AGENTS option is enabled, requests with blacklisted user agents are rejected. The blacklist is configured via the OPT_USER_AGENTS option as a comma-separated list.

  A special case is made for user agents starting with "MYOB" which are always allowed. Also, if the blacklist contains "none", requests without a User-Agent header are rejected.

  Parameters:

  headers - the HTTP request headers

  Returns:

  true if the request should be rejected, false otherwise

• validateHostname

  public RequestValidator.ValidationResult validateHostname(String hostname,
                                                            StringBuilder command)

  Validates a hostname from an HTTP request.

  This method checks for several security issues:

  • Attempts to access localhost or loopback addresses
  • DNS blocking (0.0.0.0 or :: responses)
  • Non-I2P/non-onion hostnames that resolve to private addresses

  Valid hostnames ending in .i2p or .onion are passed through without validation, as these are expected I2P/eepSite or Tor addresses.

  Parameters:

  hostname - the Host header value from the request; may be null

  command - the full request command for blocklist checking

  Returns:

  a ValidationResult containing the validation outcome and any error response