3.5 ssrf cp () ()

* Adds blocklist of ip addresses for LOAD CSV ()

(cherry picked from commit ef528de323228e8fb1d74d931d5b3f4a4907e21f)

Follows redirect url to resolve blocked LOAD CSV urls ()

(cherry picked from commit fd2a6ce4a1902d40170d57c86cd5315691e166f4)

* Revapi ignore cypher_ip_blocklist
Co-authored-by: NNacho Cordón <ncordon@users.noreply.github.com>

community/bolt/LICENSES.txt

@@ -9,6 +9,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/bolt/NOTICE.txt

@@ -31,6 +31,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/command-line/LICENSES.txt

@@ -6,6 +6,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 Apache Software License, Version 2.0
   Apache Commons Lang
   Apache Commons Text
+  IPAddress
   Lucene Core
   Netty/All-in-One
 ------------------------------------------------------------------------------

community/command-line/NOTICE.txt

@@ -28,6 +28,7 @@ Third-party licenses
 Apache Software License, Version 2.0
   Apache Commons Lang
   Apache Commons Text
+  IPAddress
   Lucene Core
   Netty/All-in-One
 

community/community-it/algo-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/algo-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/bolt-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/bolt-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/community-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/community-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/consistency-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/consistency-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/cypher-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/cypher-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/dbms-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/dbms-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/import-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/import-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/index-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/index-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/it-test-support/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/it-test-support/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/kernel-it/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/community-it/kernel-it/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/configuration/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
 ------------------------------------------------------------------------------
 
                                  Apache License

community/configuration/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
 
 Eclipse Distribution License - v 1.0
   Eclipse Collections API

community/configuration/pom.xml

@@ -86,5 +86,10 @@ the relevant Commercial Agreement.
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.github.seancfoley</groupId>
+            <artifactId>ipaddress</artifactId>
+            <version>5.3.3</version>
+        </dependency>
     </dependencies>
 </project>

community/consistency-check/LICENSES.txt

@@ -7,6 +7,7 @@ Apache Software License, Version 2.0
   Apache Commons Compress
   Apache Commons Lang
   Apache Commons Text
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/consistency-check/NOTICE.txt

@@ -29,6 +29,7 @@ Apache Software License, Version 2.0
   Apache Commons Compress
   Apache Commons Lang
   Apache Commons Text
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/cypher/acceptance-spec-suite/LICENSES.txt

@@ -9,6 +9,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/cypher/acceptance-spec-suite/NOTICE.txt

@@ -31,6 +31,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/cypher/compatibility-spec-suite/LICENSES.txt

@@ -9,6 +9,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/cypher/compatibility-spec-suite/NOTICE.txt

@@ -31,6 +31,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/cypher/cypher/LICENSES.txt

@@ -9,6 +9,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/cypher/cypher/NOTICE.txt

@@ -31,6 +31,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/cypher/expression-evaluator/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
   parboiled-core

community/cypher/expression-evaluator/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
   parboiled-core

community/cypher/interpreted-runtime/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
   parboiled-core

community/cypher/interpreted-runtime/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
   parboiled-core

community/cypher/runtime-util/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
   parboiled-core

community/cypher/runtime-util/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
   parboiled-core

community/data-collector/LICENSES.txt

@@ -9,6 +9,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/data-collector/NOTICE.txt

@@ -31,6 +31,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/dbms/LICENSES.txt

@@ -6,6 +6,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 Apache Software License, Version 2.0
   Apache Commons Compress
   Apache Commons Text
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/dbms/NOTICE.txt

@@ -28,6 +28,7 @@ Third-party licenses
 Apache Software License, Version 2.0
   Apache Commons Compress
   Apache Commons Text
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/fulltext-index/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/fulltext-index/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/graph-algo/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
 ------------------------------------------------------------------------------

community/graph-algo/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
 

community/import-tool/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/import-tool/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/kernel/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
 ------------------------------------------------------------------------------

community/kernel/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
 

community/kernel/src/main/java/org/neo4j/graphdb/factory/GraphDatabaseSettings.java

@@ -19,6 +19,8 @@
  */
 package org.neo4j.graphdb.factory;
 
+import inet.ipaddr.IPAddressString;
+
 import java.io.File;
 import java.time.Duration;
 import java.time.ZoneId;
@@ -55,6 +57,7 @@ import static org.neo4j.kernel.configuration.Settings.BOOLEAN;
 import static org.neo4j.kernel.configuration.Settings.BYTES;
 import static org.neo4j.kernel.configuration.Settings.DEFAULT;
 import static org.neo4j.kernel.configuration.Settings.DOUBLE;
+import static org.neo4j.kernel.configuration.Settings.CIDR_IP;
 import static org.neo4j.kernel.configuration.Settings.DURATION;
 import static org.neo4j.kernel.configuration.Settings.FALSE;
 import static org.neo4j.kernel.configuration.Settings.INTEGER;
@@ -111,6 +114,15 @@ public class GraphDatabaseSettings implements LoadableConfig
     public static final Setting<File> neo4j_home =
             setting( "unsupported.dbms.directories.neo4j_home", PATH, NO_DEFAULT );
 
+    /**
+     * LOAD CSV and apoc.load.json input URI restrictions
+     */
+    @Internal
+    @Description( "A list of CIDR-notation IPv4 or IPv6 addresses to block when accessing URLs." +
+            "This list is checked when LOAD CSV or apoc.load.json is called." )
+    public static final Setting<List<IPAddressString>> cypher_ip_blocklist = setting(
+            "unsupported.dbms.cypher_ip_blocklist", list( ",", CIDR_IP ), "" );
+
     /**
      * @deprecated This setting is deprecated and will be removed in 4.0.
      */

community/kernel/src/main/java/org/neo4j/kernel/configuration/Settings.java

@@ -19,6 +19,8 @@
  */
 package org.neo4j.kernel.configuration;
 
+import inet.ipaddr.AddressStringException;
+import inet.ipaddr.IPAddressString;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 
@@ -193,7 +195,7 @@ public class Settings
      * @param <T> the concrete type of the setting.
      */
     @Nonnull
-    public static <T> Setting<T> setting( @Nonnull final String name, @Nonnull final Function<String,T> parser,
+    public static <T> Setting<T> setting( @Nonnull final String name, @Nonnull final Function<String, T> parser,
             @Nullable final String defaultValue )
     {
         return new SettingBuilder<>( name, parser, defaultValue ).build();
@@ -521,6 +523,30 @@ public class Settings
         }
     };
 
+    public static final Function<String, IPAddressString> CIDR_IP = new Function<String, IPAddressString>()
+    {
+        @Override
+        public IPAddressString apply( String value )
+        {
+            IPAddressString ipAddress = new IPAddressString( value.trim() );
+            try
+            {
+                ipAddress.validate();
+            }
+            catch ( AddressStringException e )
+            {
+                throw new IllegalArgumentException( format( "'%s' is not a valid CIDR ip", value ), e );
+            }
+            return ipAddress;
+        }
+
+        @Override
+        public String toString()
+        {
+            return "an ip with subnet in CDIR format. e.g. 127.168.0.1/8";
+        }
+    };
+
     public static final Function<String,Duration> DURATION = new Function<String, Duration>()
     {
         @Override

community/kernel/src/main/java/org/neo4j/kernel/impl/security/URLAccessRules.java

@@ -44,6 +44,13 @@ public class URLAccessRules
         return FILE_ACCESS;
     }
 
+    private static final URLAccessRule WEB_ACCESS = new WebURLAccessRule();
+
+    public static URLAccessRule webAccess()
+    {
+        return WEB_ACCESS;
+    }
+
     public static URLAccessRule combined( final Map<String,URLAccessRule> urlAccessRules )
     {
         return ( config, url ) ->

community/kernel/src/main/java/org/neo4j/kernel/impl/security/WebURLAccessRule.java

+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [http://neo4j.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Neo4j is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.neo4j.kernel.impl.security;
+
+import inet.ipaddr.IPAddressString;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.InetAddress;
+import java.net.URL;
+import java.util.List;
+
+import org.neo4j.graphdb.config.Configuration;
+import org.neo4j.graphdb.factory.GraphDatabaseSettings;
+import org.neo4j.graphdb.security.URLAccessRule;
+import org.neo4j.graphdb.security.URLAccessValidationError;
+
+public class WebURLAccessRule implements URLAccessRule
+{
+    public static void checkNotBlocked( URL url, List<IPAddressString> blockedIpRanges ) throws Exception
+    {
+        InetAddress inetAddress = InetAddress.getByName( url.getHost() );
+
+        for ( IPAddressString blockedIpRange : blockedIpRanges )
+        {
+            if ( blockedIpRange.contains( new IPAddressString( inetAddress.getHostAddress() ) ) )
+            {
+                throw new URLAccessValidationError( "access to " + inetAddress + " is blocked via the configuration property "
+                                                    + GraphDatabaseSettings.cypher_ip_blocklist.name() );
+            }
+        }
+    }
+
+    private static URL checkUrlIncludingHoops( URL url, List<IPAddressString> blockedIpRanges ) throws Exception
+    {
+        URL result = url;
+        boolean isRedirect;
+
+        do
+        {
+            // We need to validate each intermediate url if there are redirects.
+            // Otherwise, we could have situations like an internal ip, e.g. 10.0.0.1
+            // is banned in the config, but it redirects to another different internal ip
+            // and we would still have a security hole
+            checkNotBlocked( result, blockedIpRanges );
+            HttpURLConnection con = (HttpURLConnection) result.openConnection();
+            con.setInstanceFollowRedirects( false );
+            con.connect();
+            con.getInputStream();
+            isRedirect = con.getResponseCode() >= 300 && con.getResponseCode() < 400;
+
+            if ( isRedirect )
+            {
+                String location = con.getHeaderField( "Location" );
+
+                if ( location == null )
+                {
+                    throw new IOException( "URL responded with a redirect but the location header was null" );
+                }
+
+                // If the path is relative, we need to adjust it with respect to the original url
+                if ( location.startsWith( "/" ) )
+                {
+                    location = result.getProtocol() + "://" + result.getAuthority() + location;
+                }
+                result = new URL( location );
+            }
+
+            con.disconnect();
+        }
+        while ( isRedirect );
+
+        return result;
+    }
+
+    @Override
+    public URL validate( Configuration config, URL url ) throws URLAccessValidationError
+    {
+        List<IPAddressString> blockedIpRanges = config.get( GraphDatabaseSettings.cypher_ip_blocklist );
+        String host = url.getHost();
+        if ( !blockedIpRanges.isEmpty() && host != null && !host.isEmpty() )
+        {
+            try
+            {
+                checkUrlIncludingHoops( url, blockedIpRanges );
+            }
+            catch ( Exception e )
+            {
+                throw new URLAccessValidationError( "Unable to verify access to " + host + ". Cause: " + e.getMessage() );
+            }
+        }
+        return url;
+    }
+}

community/kernel/src/test/java/org/neo4j/kernel/configuration/SettingsTest.java

@@ -19,6 +19,7 @@
  */
 package org.neo4j.kernel.configuration;
 
+import inet.ipaddr.IPAddressString;
 import org.junit.jupiter.api.Test;
 
 import java.io.File;
@@ -42,9 +43,11 @@ import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.nullValue;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.neo4j.helpers.collection.MapUtil.stringMap;
+import static org.neo4j.kernel.configuration.Settings.CIDR_IP;
 import static org.neo4j.kernel.configuration.Settings.DURATION;
 import static org.neo4j.kernel.configuration.Settings.INTEGER;
 import static org.neo4j.kernel.configuration.Settings.LONG;
@@ -261,6 +264,25 @@ class SettingsTest
         assertThat( exception.getMessage(), containsString( "Unrecognized unit 'gigaseconds'" ) );
     }
 
+    @Test
+    void testCidrIp()
+    {
+        Setting<IPAddressString> setting = buildSetting( "foo.bar", CIDR_IP ).build();
+        assertEquals( new IPAddressString( "1.1.1.0/8" ), setting.apply( map( stringMap( "foo.bar", "1.1.1.0/8" ) ) ) );
+        assertThrows( InvalidSettingException.class, () -> setting.apply( map( stringMap( "foo.bar", "garbage" ) ) ) );
+    }
+
+    @Test
+    void testCidrIpList()
+    {
+        Setting<List<IPAddressString>> setting = setting( "foo.bar", list( ",", CIDR_IP ), "" );
+        assertEquals( Arrays.asList( new IPAddressString( "1.1.1.0/8" ) ), setting.apply( map( stringMap( "foo.bar", "1.1.1.0/8" ) ) ) );
+        assertEquals( Arrays.asList( new IPAddressString( "1.1.1.0/8" ), new IPAddressString( "124.0.255.255/1" ) ),
+                setting.apply( map( stringMap( "foo.bar", "1.1.1.0/8,124.0.255.255/1" ) ) ) );
+        assertEquals( Arrays.asList() , setting.apply( map( stringMap( "foo.bar", "" ) ) ) );
+        assertThrows( InvalidSettingException.class, () -> setting.apply( map( stringMap( "foo.bar", "garbage" ) ) ) );
+    }
+
     @Test
     void testDefault()
     {

community/kernel/src/test/java/org/neo4j/kernel/impl/security/WebURLAccessRuleTest.java

+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [http://neo4j.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Neo4j is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.neo4j.kernel.impl.security;
+
+import org.junit.jupiter.api.Test;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.List;
+
+import org.neo4j.kernel.configuration.Config;
+import org.neo4j.graphdb.factory.GraphDatabaseSettings;
+import org.neo4j.graphdb.security.URLAccessValidationError;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.neo4j.helpers.collection.MapUtil.stringMap;
+
+class WebURLAccessRuleTest
+{
+    @Test
+    void shouldThrowWhenUrlIsWithinBlockedRange() throws MalformedURLException
+    {
+        final List<String> urlAddresses = Arrays.asList( "http://localhost/test.csv", "https://localhost/test.csv", "ftp://localhost/test.csv", "http://[::1]/test.csv" );
+
+        for ( String urlAddress : urlAddresses )
+        {
+            final URL url = new URL( urlAddress );
+
+            //set the config
+            final Config config = Config.defaults( stringMap( GraphDatabaseSettings.cypher_ip_blocklist.name(), "127.0.0.0/8,0:0:0:0:0:0:0:1/8"));
+
+            //execute the query
+            final URLAccessValidationError error = assertThrows( URLAccessValidationError.class, () ->
+                    URLAccessRules.webAccess().validate( config, url ) );
+
+            //assert that the validation fails
+            assertThat( error.getMessage(), containsString( "blocked via the configuration property unsupported.dbms.cypher_ip_blocklist" ));
+        }
+    }
+
+    @Test
+    void validationShouldPassWhenUrlIsNotWithinBlockedRange() throws MalformedURLException, URLAccessValidationError
+    {
+        final List<String> urlAddresses = Arrays.asList( "http://localhost/test.csv", "https://localhost/test.csv", "ftp://localhost/test.csv", "http://[::1]/test.csv" );
+
+        for ( String urlAddress : urlAddresses )
+        {
+            final URL url = new URL( urlAddress );
+
+            //set the config
+            final Config config = Config.defaults();
+
+            //execute the query
+            final URL result = URLAccessRules.webAccess().validate( config, url );
+
+            //assert that the validation passes
+            assert result == url;
+        }
+    }
+
+    @Test
+    void shouldWorkWithNonRangeIps() throws MalformedURLException
+    {
+        final URL url = new URL( "http://localhost/test.csv" );
+
+        //set the config
+        final Config config = Config.defaults( stringMap( GraphDatabaseSettings.cypher_ip_blocklist.name(), "127.0.0.1"));
+
+        //execute the query
+        final URLAccessValidationError error = assertThrows( URLAccessValidationError.class, () ->
+                URLAccessRules.webAccess().validate( config, url ) );
+
+        //assert that the validation fails
+        assertThat( error.getMessage(), containsString( "blocked via the configuration property unsupported.dbms.cypher_ip_blocklist" ));
+    }
+
+    @Test
+    void shouldFailForInvalidIps() throws Exception
+    {
+        // The .invalid domain is always invalid, according to https://datatracker.ietf.org/doc/html/rfc2606#section-2
+        final URL url = new URL( "http://always.invalid/test.csv" );
+
+        //set the config
+        final Config config = Config.defaults( stringMap( GraphDatabaseSettings.cypher_ip_blocklist.name(), "127.0.0.1"));
+
+        //execute the query
+        final URLAccessValidationError error = assertThrows( URLAccessValidationError.class, () ->
+                URLAccessRules.webAccess().validate( config, url ) );
+
+        //assert that the validation fails
+        assertThat( error.getMessage(), containsString( "Unable to verify access to always.invalid" ));
+    }
+}

community/lucene-index/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/lucene-index/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene codecs
   Lucene Common Analyzers
   Lucene Core

community/neo4j-community/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/neo4j-community/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/neo4j-harness/LICENSES.txt

@@ -18,6 +18,7 @@ Apache Software License, Version 2.0
   ConcurrentLinkedHashMap
   error-prone annotations
   fastinfoset
+  IPAddress
   Jackson module: Old JAXB Annotations (javax.xml.bind)
   Jackson-annotations
   Jackson-core

community/neo4j-harness/NOTICE.txt

@@ -40,6 +40,7 @@ Apache Software License, Version 2.0
   ConcurrentLinkedHashMap
   error-prone annotations
   fastinfoset
+  IPAddress
   Jackson module: Old JAXB Annotations (javax.xml.bind)
   Jackson-annotations
   Jackson-core

community/neo4j/LICENSES.txt

@@ -10,6 +10,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/neo4j/NOTICE.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   Caffeine cache
   ConcurrentLinkedHashMap
   error-prone annotations
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/neo4j/src/main/java/org/neo4j/graphdb/facade/GraphDatabaseDependencies.java

@@ -64,9 +64,9 @@ public class GraphDatabaseDependencies implements GraphDatabaseFacadeFactory.Dep
                 getKernelExtensions(Service.load( KernelExtensionFactory.class ).iterator()));
 
         ImmutableMap<String,URLAccessRule> urlAccessRules = ImmutableMapFactoryImpl.INSTANCE.of(
-                "http", URLAccessRules.alwaysPermitted(),
-                "https", URLAccessRules.alwaysPermitted(),
-                "ftp", URLAccessRules.alwaysPermitted(),
+                "http", URLAccessRules.webAccess(),
+                "https", URLAccessRules.webAccess(),
+                "ftp", URLAccessRules.webAccess(),
                 "file", URLAccessRules.fileAccess()
         );
 

community/push-to-cloud/LICENSES.txt

@@ -7,6 +7,7 @@ Apache Software License, Version 2.0
   Apache Commons Compress
   Apache Commons Lang
   Apache Commons Text
+  IPAddress
   Jackson-annotations
   Jackson-core
   jackson-databind

community/push-to-cloud/NOTICE.txt

@@ -20,6 +20,7 @@ Apache Software License, Version 2.0
   Apache Commons Compress
   Apache Commons Lang
   Apache Commons Text
+  IPAddress
   Jackson-annotations
   Jackson-core
   jackson-databind

community/security/LICENSES.txt

@@ -7,6 +7,7 @@ Apache Software License, Version 2.0
   Apache Commons Compress
   Apache Commons Lang
   Apache Commons Text
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/security/NOTICE.txt

@@ -29,6 +29,7 @@ Apache Software License, Version 2.0
   Apache Commons Compress
   Apache Commons Lang
   Apache Commons Text
+  IPAddress
   jPowerShell
   jProcesses
   Lucene codecs

community/server-api/LICENSES.txt

@@ -8,6 +8,7 @@ Apache Software License, Version 2.0
   Apache Commons Lang
   Commons Lang
   Commons Logging
+  IPAddress
   Lucene Core
   Netty/All-in-One
 ------------------------------------------------------------------------------

community/server-api/NOTICE.txt

@@ -30,6 +30,7 @@ Apache Software License, Version 2.0
   Apache Commons Lang
   Commons Lang
   Commons Logging
+  IPAddress
   Lucene Core
   Netty/All-in-One
 

community/server-plugin-test/LICENSES.txt

@@ -15,6 +15,7 @@ Apache Software License, Version 2.0
   ConcurrentLinkedHashMap
   error-prone annotations
   fastinfoset
+  IPAddress
   Jackson module: Old JAXB Annotations (javax.xml.bind)
   Jackson-annotations
   Jackson-core

community/server-plugin-test/NOTICE.txt

@@ -37,6 +37,7 @@ Apache Software License, Version 2.0
   ConcurrentLinkedHashMap
   error-prone annotations
   fastinfoset
+  IPAddress
   Jackson module: Old JAXB Annotations (javax.xml.bind)
   Jackson-annotations
   Jackson-core

community/server/LICENSES.txt

@@ -15,6 +15,7 @@ Apache Software License, Version 2.0
   ConcurrentLinkedHashMap
   error-prone annotations
   fastinfoset
+  IPAddress
   Jackson module: Old JAXB Annotations (javax.xml.bind)
   Jackson-annotations
   Jackson-core

community/server/NOTICE.txt

@@ -37,6 +37,7 @@ Apache Software License, Version 2.0
   ConcurrentLinkedHashMap
   error-prone annotations
   fastinfoset
+  IPAddress
   Jackson module: Old JAXB Annotations (javax.xml.bind)
   Jackson-annotations
   Jackson-core

community/udc/LICENSES.txt

@@ -5,6 +5,7 @@ libraries. For an overview of the licenses see the NOTICE.txt file.
 ------------------------------------------------------------------------------
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
 ------------------------------------------------------------------------------

community/udc/NOTICE.txt

@@ -27,6 +27,7 @@ Third-party licenses
 
 Apache Software License, Version 2.0
   Apache Commons Lang
+  IPAddress
   Lucene Core
   Netty/All-in-One
 

packaging/standalone/LICENSES.txt

@@ -32,6 +32,7 @@ Apache Software License, Version 2.0
   firebase
   forever-agent
   grpc
+  IPAddress
   long
   Lucene codecs
   Lucene Common Analyzers

packaging/standalone/NOTICE.txt

@@ -48,6 +48,7 @@ Apache Software License, Version 2.0
   firebase
   forever-agent
   grpc
+  IPAddress
   long
   Lucene codecs
   Lucene Common Analyzers

packaging/standalone/standalone-community/src/main/distribution/text/community/LICENSES.txt

@@ -42,6 +42,7 @@ Apache Software License, Version 2.0
   firebase
   forever-agent
   grpc
+  IPAddress
   Jackson module: Old JAXB Annotations (javax.xml.bind)
   Jackson-annotations
   Jackson-core

packaging/standalone/standalone-community/src/main/distribution/text/community/NOTICE.txt

@@ -64,6 +64,7 @@ Apache Software License, Version 2.0
   firebase
   forever-agent
   grpc
+  IPAddress
   Jackson module: Old JAXB Annotations (javax.xml.bind)
   Jackson-annotations
   Jackson-core

pom.xml

@@ -271,6 +271,7 @@
                       <item>org\.neo4j\.server\.rest\.repr\.RepresentationType</item>
                       <item>org\.neo4j\.server\.rest\.repr\.ValueRepresentation</item>
                       <item>org\.neo4j\.server\.helpers\.PropertyTypeDispatcher</item>
+                      <item>org\.neo4j\.helpers\.PortBindException</item>
                     </exclude>
                   </classes>
                   <packages>
@@ -347,6 +348,11 @@
                     <new>field org.neo4j.graphdb.factory.GraphDatabaseSettings.log_inconsistent_data_deletion</new>
                     <justification>Adding an internal setting for logging of inconsistent data on delete.</justification>
                   </item>
+                  <item>
+                    <code>java.field.addedStaticField</code>
+                    <new>field org.neo4j.graphdb.factory.GraphDatabaseSettings.cypher_ip_blocklist</new>
+                    <justification>Adding an internal setting for blocking IP ranges when making http requests.</justification>
+                  </item>
                   <item>
                     <code>java.annotation.attributeValueChanged</code>
                     <new>field org.neo4j.graphdb.factory.GraphDatabaseSettings.query_statistics_divergence_threshold</new>
@@ -357,6 +363,11 @@
                     <new>field org.neo4j.graphdb.factory.GraphDatabaseSettings.log_queries_detailed_time_logging_enabled</new>
                     <justification>Correcting setting description for documentation</justification>
                   </item>
+                  <item>
+                    <code>java.method.finalMethodAddedToNonFinalClass</code>
+                    <new>method void java.lang.Throwable::addSuppressed(java.lang.Throwable) @ org.neo4j.helpers.PortBindException</new>
+                    <justification>Correcting setting description for documentation</justification>
+                  </item>
               </revapi.ignore>
               <revapi.semver.ignore>
                 <enabled>true</enabled>