Fix URL validator incorrectly blocking domains starting with 'fd' or 'fc'

[Copilot]

Describe your changes:

The URL validator's SSRF protection regex was rejecting legitimate Okta domains like fdxxx.okta.com because the IPv6 private address pattern [fF][cCdD] matched any hostname starting with "fd" or "fc".

Changes:

• Updated PRIVATE_IP_PATTERN to require IPv6 format markers (colons) after prefixes: \[?[fF][cCdD][0-9a-fA-F]{0,2}:
• Added bracket support for IPv6 URLs: [fd00::1] and [::1]
• Fixed fe80 link-local range to fe80-febf
• Added null/empty host validation
• Created URLValidatorTest with 9 test cases covering legitimate domains and all private IP ranges

Pattern comparison:

// Before: Matched domain names incorrectly
Pattern.compile("...|[fF][cCdD]|...");  
// fdxxx.okta.com → BLOCKED ❌

// After: Matches only IPv6 addresses
Pattern.compile("...|\[?[fF][cCdD][0-9a-fA-F]{0,2}:|...");
// fdxxx.okta.com → ALLOWED ✅
// [fd00::1] → BLOCKED ✅

SSRF protection unchanged: all private IPv4/IPv6 ranges still blocked.

Type of change:

• Bug fix

Checklist:

• I have read the CONTRIBUTING document.
• My PR title is Fixes <issue-number>: <short explanation>
• I have commented on my code, particularly in hard-to-understand areas.
• I have added a test that covers the exact scenario we are fixing. For complex issues, comment the issue number in the test for future reference.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• dev-96705996-admin.okta.com
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java -Xmx1G -jar /home/REDACTED/work/OpenMetadata/OpenMetadata/openmetadata-service/target/surefire/surefirebooter-20260126151826724_3.jar /home/REDACTED/work/OpenMetadata/OpenMetadata/openmetadata-service/target/surefire 2026-01-26T15-18-26_471-jvmRun1 surefire-20260126151826724_1tmp surefire_0-20260126151826724_2tmp lidateUrl ecoratorTest.jav--norc /home/REDACTED/.lo--noprofile grep -l lidateUrl a/sdk/BaseSDKTest.java ndor/bin/grep eps/opensearch-dbash t.java ndor/bin/grep grep (dns block)
• dev-example.auth0.com
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java -Xmx1G -jar /home/REDACTED/work/OpenMetadata/OpenMetadata/openmetadata-service/target/surefire/surefirebooter-20260126151945913_3.jar /home/REDACTED/work/OpenMetadata/OpenMetadata/openmetadata-service/target/surefire 2026-01-26T15-19-45_703-jvmRun1 surefire-20260126151945913_1tmp surefire_0-20260126151945913_2tmp lidateUrl ntegrationTest.jrev-parse rgo/bin/grep grep -l lidateUrl test/java/org/openmetadata/operator/unit/CronOMJobReconcilerTest.java /home/REDACTED/.local/bin/grep lidateUrl andlerTest.java /home/REDACTED/.lo. grep (dns block)
• invalid.com
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java -Xmx1G -jar /home/REDACTED/work/OpenMetadata/OpenMetadata/openmetadata-service/target/surefire/surefirebooter-20260126151945913_3.jar /home/REDACTED/work/OpenMetadata/OpenMetadata/openmetadata-service/target/surefire 2026-01-26T15-19-45_703-jvmRun1 surefire-20260126151945913_1tmp surefire_0-20260126151945913_2tmp lidateUrl ntegrationTest.jrev-parse rgo/bin/grep grep -l lidateUrl test/java/org/openmetadata/operator/unit/CronOMJobReconcilerTest.java /home/REDACTED/.local/bin/grep lidateUrl andlerTest.java /home/REDACTED/.lo. grep (dns block)
• repository.apache.org
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher test -Dtest=URLValidatorTest -pl openmetadata-service lidateUrl lModelMockTest.java nfig/composer/vendor/bin/grep lidateUrl TClientIntegrati--unit=collect-logs.scope nfig/composer/ve--slice=azure-walinuxagent-logcollector.slice grep (dns block)
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher compile -pl openmetadata-service -l lidateUrl t.java ep lidateUrl java ep grep (dns block)
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher clean install -DskipTests -pl openmetadata-shaded-deps/elasticsearch-dep,openmetadata-shaded-deps/opensearch-dep,openmetadata-sdk,openmetadata-service -am rgo/bin/grep lidateUrl yTest.java rgo/bin/grep grep (dns block)
• s3.amazonaws.com
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher test -Dtest=URLValidatorTest -pl openmetadata-service lidateUrl lModelMockTest.java nfig/composer/vendor/bin/grep lidateUrl TClientIntegrati--unit=collect-logs.scope nfig/composer/ve--slice=azure-walinuxagent-logcollector.slice grep (dns block)
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher compile -pl openmetadata-service -l lidateUrl t.java ep lidateUrl java ep grep (dns block)
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata org.codehaus.plexus.classworlds.launcher.Launcher clean install -DskipTests -pl openmetadata-shaded-deps/elasticsearch-dep,openmetadata-shaded-deps/opensearch-dep,openmetadata-sdk,openmetadata-service -am rgo/bin/grep lidateUrl yTest.java rgo/bin/grep grep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>OIDC Discovery URI validation</issue_title>
<issue_description>Affected module
UI

Describe the bug
URL Validation error when I tried to set SSO config on OKTA :
Domain validation failed: Invalid or unsafe URL: https://fdxxx.okta.com/.well-known/openid-configuration

To Reproduce

Base url like https://fd* trhow the error

Expected behavior
Can use my real OIDC Discovery URI

Version:

• Python version: 3.10
• OpenMetadata version: [e.g. 1.11.5]
• OpenMetadata Ingestion package version: [e.g. openmetadata-ingestion[docker]==1.11.5]
  </issue_description>

<agent_instructions>Update URL validation to allow pattern like https://fd* or any other valid URLs</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes OIDC Discovery URI validation #25412

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[gitar-bot]

Code Review ⚠️ Changes requested 0 resolved / 2 findings

Good fix for the SSRF regex false positive on fd/fc domains, but the fe80 link-local pattern has a regex bug that could allow unintended addresses through.

⚠️ Bug: fe80 link-local regex pattern is incorrect

📄 openmetadata-service/src/main/java/org/openmetadata/service/util/URLValidator.java:35

The regex pattern for matching fe80::/10 link-local IPv6 addresses is malformed. The pattern [80-9a-bA-B] is incorrect because:

1. In regex character classes, 80-9 means the character '8', the range '0' to '9', not '8' to '9'. This effectively matches [0-9] plus '8' redundantly.
2. This causes the pattern to incorrectly match addresses like fe00::, fe10::, etc., which are NOT in the link-local range.
3. Conversely, addresses like fe8f:: which ARE link-local would be matched, but due to incorrect logic.

The fe80::/10 range covers fe80:: through febf::, meaning:

• The third hex digit should be: 8, 9, a, or b
• The fourth hex digit can be: 0-f

Suggested fix:
Change [80-9a-bA-B] to [89aAbB] to correctly match only the third hex digit in the valid range:

Pattern.compile(
    "^(127\\.|10\\.|172\\.(1[6-9]|2[0-9]|3[0-1])\\.|192\\.168\\.|169\\.254\\.|\\[?::1\\]?|\\[?[fF][cCdD][0-9a-fA-F]{0,2}:|\\[?[fF][eE][89aAbB][0-9a-fA-F]:).*");

Alternatively, if you want to accept the entire /10 block exactly, you could simplify to just check for [fF][eE][89aAbB] (third char only) since the colon follows.

💡 Quality: Copyright year should be 2026, not 2024

📄 openmetadata-service/src/test/java/org/openmetadata/service/util/URLValidatorTest.java:5

The copyright year in the new test file is set to 2024, but the current date is January 2026. While this is a minor cosmetic issue, keeping copyright years current is good practice for legal compliance and codebase maintenance.

Suggested fix:
Change line 5 from:

 *  Copyright 2024 Collate.

to:

 *  Copyright 2026 Collate.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[gitar-bot]

⚠️ Bug: fe80 link-local regex pattern is incorrect

Details

The regex pattern for matching fe80::/10 link-local IPv6 addresses is malformed. The pattern [80-9a-bA-B] is incorrect because:

1. In regex character classes, 80-9 means the character '8', the range '0' to '9', not '8' to '9'. This effectively matches [0-9] plus '8' redundantly.
2. This causes the pattern to incorrectly match addresses like fe00::, fe10::, etc., which are NOT in the link-local range.
3. Conversely, addresses like fe8f:: which ARE link-local would be matched, but due to incorrect logic.

The fe80::/10 range covers fe80:: through febf::, meaning:

• The third hex digit should be: 8, 9, a, or b
• The fourth hex digit can be: 0-f

Suggested fix:
Change [80-9a-bA-B] to [89aAbB] to correctly match only the third hex digit in the valid range:

Pattern.compile(
    "^(127\\.|10\\.|172\\.(1[6-9]|2[0-9]|3[0-1])\\.|192\\.168\\.|169\\.254\\.|\\[?::1\\]?|\\[?[fF][cCdD][0-9a-fA-F]{0,2}:|\\[?[fF][eE][89aAbB][0-9a-fA-F]:).*");

Alternatively, if you want to accept the entire /10 block exactly, you could simplify to just check for [fF][eE][89aAbB] (third char only) since the colon follows.

---

Was this helpful? React with 👍 / 👎