From ac761bb6e4bf2a225396ab3c9a1bce270d88635e Mon Sep 17 00:00:00 2001
From: Muhammad Abdul Rehman
Date: Mon, 23 Mar 2026 23:22:23 +0500
Subject: [PATCH] Doc: Add SSRF security warnings to `InternetDomainName`

Syntactic validation in `InternetDomainName` is insufficient for SSRF prevention, as domains like `169.254.169.254.nip.io` are syntactically valid but resolve to sensitive internal IPs. This commit adds a targeted security warning to `hasPublicSuffix()`, `isUnderPublicSuffix()`, and `isValid()` to caution developers against misusing these methods as SSRF guards and recommends post-resolution IP checks instead.

RELNOTES=n/a
---
 .../google/common/net/InternetDomainName.java | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/guava/src/com/google/common/net/InternetDomainName.java b/guava/src/com/google/common/net/InternetDomainName.java
index 56463438bf0e..ae9d3b4abe20 100644
--- a/guava/src/com/google/common/net/InternetDomainName.java
+++ b/guava/src/com/google/common/net/InternetDomainName.java
@@ -354,6 +354,12 @@ public boolean isPublicSuffix() {
 *

Note that this method is equivalent to {@link #hasRegistrySuffix()} because all registry
 * suffixes are public suffixes and all public suffixes have registry suffixes.
 *
+ *

Security note: This method performs syntactic validation only and does not perform
+ * DNS resolution. A syntactically valid domain (e.g., {@code 169.254.169.254.nip.io}) may resolve
+ * to a private or link-local IP address via wildcard DNS services. Do not use this method as an
+ * SSRF prevention control. To block SSRF, combine domain validation with IP resolution checks
+ * against RFC-1918, RFC-5737, and RFC-3927 ranges after DNS resolution.
+ *
 * @since 6.0
 */
 public boolean hasPublicSuffix() {
@@ -380,6 +386,12 @@ public boolean hasPublicSuffix() {
 * the domain, though even that depends on individual browsers' implementations of cookie
 * controls. See RFC 2109 for details.
 *
+ *
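Review bot: The range list in the new security note on `hasPublicSuffix()` — and in the identical paragraphs added to `isUnderPublicSuffix()` and `isValid()` in the next two hunks — omits the address families most often reached through SSRF (loopback 127.0.0.0/8 and ::1, the unspecified 0.0.0.0/8, shared address space 100.64.0.0/10, IPv6 unique-local fc00::/7 and link-local fe80::/10, and IPv4-mapped IPv6 forms), while RFC 5737 only covers documentation prefixes that are rarely routable at all. Naming RFC 6890 (the IANA special-purpose address registry, IPv4 and IPv6) or recommending an allow-list of expected destinations would age better than an enumerated block-list. The note should also make clear that the check has to be applied to the address the client actually connects to, because resolving once to check and again to connect is open to DNS rebinding. A replacement for the last sentence: ` * SSRF prevention control. To block SSRF, resolve the host, check the resulting address against` / ` * loopback, link-local, private and other special-purpose ranges (RFC 6890, IPv4 and IPv6), and` / ` * connect to that same address rather than resolving again.` Since the paragraph is pasted verbatim three times, a single class-level note referenced from each method would keep the copies from drifting.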

Security note: This method performs syntactic validation only and does not perform
+ * DNS resolution. A syntactically valid domain (e.g., {@code 169.254.169.254.nip.io}) may resolve
+ * to a private or link-local IP address via wildcard DNS services. Do not use this method as an
+ * SSRF prevention control. To block SSRF, combine domain validation with IP resolution checks
+ * against RFC-1918, RFC-5737, and RFC-3927 ranges after DNS resolution.
+ *
 * @since 6.0
 */
 public boolean isUnderPublicSuffix() {
@@ -600,6 +612,12 @@ public InternetDomainName child(String leftParts) {
 * }
 * }
 *
+ *

Security note: This method performs syntactic validation only and does not perform
+ * DNS resolution. A syntactically valid domain (e.g., {@code 169.254.169.254.nip.io}) may resolve
+ * to a private or link-local IP address via wildcard DNS services. Do not use this method as an
+ * SSRF prevention control. To block SSRF, combine domain validation with IP resolution checks
+ * against RFC-1918, RFC-5737, and RFC-3927 ranges after DNS resolution.
+ *
 * @since 8.0 (previously named {@code isValidLenient})
 */
 public static boolean isValid(String name) {