From d023b2b2ff412cdd86ee911b53642631626c9985 Mon Sep 17 00:00:00 2001 From: Christian Galsterer Date: Mon, 25 Jan 2016 20:30:37 +0100 Subject: [PATCH 1/2] [i444] Support nonProxyHosts parameter in settings.xml --- .../maven/BaseDependencyCheckMojo.java | 1 + .../owasp/dependencycheck/utils/Settings.java | 4 ++++ .../utils/URLConnectionFactory.java | 22 ++++++++++++++++++- 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index b2c005199..c6ff64a13 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -667,6 +667,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma final String password = proxy.getPassword(); Settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName); Settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password); + Settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts()); } Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout); diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 2cabc9b87..1ef117eb8 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java 
@@ -165,6 +165,10 @@ public final class Settings { * The properties key for the proxy password. */ public static final String PROXY_PASSWORD = "proxy.password"; + /** + * The properties key for the non proxy hosts. + */ + public static final String PROXY_NON_PROXY_HOSTS = "proxy.nonproxyhosts"; /** * The properties key for the connection timeout. */ diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java index c11e3ecf9..b949d07ec 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java @@ -53,13 +53,15 @@ public final class URLConnectionFactory { public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException { HttpURLConnection conn = null; final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER); + try { - if (proxyUrl != null) { + if (proxyUrl != null && !skipProxy(url)) { final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT); final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort); final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME); final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD); + if (username != null && password != null) { final Authenticator auth = new Authenticator() { @Override 
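Review bot: The proxy `Authenticator` built right after the new `!skipProxy(url)` condition should be confirmed to answer only proxy challenges, now that this factory mixes direct and proxied connections. Its body and the place it is registered lie outside this hunk, so this is a question rather than a finding. If it is installed with `Authenticator.setDefault` and returns the proxy password for every challenge, a host reached directly could be handed the proxy credentials by answering with a 401. I would check that `getPasswordAuthentication()` returns the credentials only when `getRequestorType() == RequestorType.PROXY`, and add a comment next to the condition such as `// hosts matched by nonProxyHosts are contacted directly and must never see the proxy credentials`.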
@@ -94,6 +96,24 @@ public final class URLConnectionFactory { return conn; } + /** + * Checks of for the given URL the proxy shall be used or not checking the nonProxyHosts configuration. + * @param url The URL to check. + * @return If the proxy shall be skip for the given URL or not. + */ + private static boolean skipProxy(URL url) { + boolean skip = false; + final String nonProxySettings = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS); + String[] nonProxyHosts = nonProxySettings.split(","); + for (int i = 0; i < nonProxyHosts.length; i++) { + if (url.getHost().matches(nonProxyHosts[i])) { + skip = true; + break; + } + } + return skip; + } + /** * Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is * configured but we don't want to use it (for example, if there's an internal repository configured) From 509149956328a00cb64b1e9d2ee563f32c1fd0be Mon Sep 17 00:00:00 2001 From: Christian Galsterer Date: Mon, 8 Feb 2016 18:52:14 +0100 Subject: [PATCH 2/2] [i444] Support nonProxyHosts parameter in settings.xml --- dependency-check-utils/pom.xml | 4 ++ .../utils/URLConnectionFactory.java | 52 ++++++++++++++----- 2 files changed, 43 insertions(+), 13 deletions(-) diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml index 9e32c0fec..c67e3e7fe 100644 --- a/dependency-check-utils/pom.xml +++ b/dependency-check-utils/pom.xml @@ -139,6 +139,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. commons-io commons-io + + org.apache.commons + commons-lang3 + org.slf4j slf4j-api diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java index b949d07ec..10da9464b 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java 
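Review bot: `skipProxy` calls `nonProxySettings.split(",")` without a null check, so if `Settings.getString` returns null for an unset `proxy.nonproxyhosts` (which the null guard added in patch 2/2 suggests), every proxied connection built from this commit fails with a `NullPointerException`. `String.matches` also treats each entry as a regular expression, so the usual `*.example.com` form throws `PatternSyntaxException` and an unescaped `.` matches any character, which widens the set of hosts that bypass the proxy. Patch 2/2 replaces the method, so squashing the two patches would keep this intermediate state out of the history.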
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java @@ -18,6 +18,8 @@ package org.owasp.dependencycheck.utils; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; +import org.apache.commons.lang3.StringUtils; + import java.io.IOException; import java.net.Authenticator; import java.net.HttpURLConnection; @@ -55,7 +57,7 @@ public final class URLConnectionFactory { final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER); try { - if (proxyUrl != null && !skipProxy(url)) { + if (proxyUrl != null && !matchNonProxy(url)) { final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT); final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort); 
@@ -97,23 +99,47 @@ public final class URLConnectionFactory { } /** - * Checks of for the given URL the proxy shall be used or not checking the nonProxyHosts configuration. - * @param url The URL to check. - * @return If the proxy shall be skip for the given URL or not. + * Check if hostname matches nonProxy settings + * + * @param url the url to connect to + * @return matching result. true: match nonProxy */ - private static boolean skipProxy(URL url) { - boolean skip = false; - final String nonProxySettings = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS); - String[] nonProxyHosts = nonProxySettings.split(","); - for (int i = 0; i < nonProxyHosts.length; i++) { - if (url.getHost().matches(nonProxyHosts[i])) { - skip = true; - break; + private static boolean matchNonProxy(final URL url) { + String host = url.getHost(); + + // code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo + final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS); + if (null != nonProxyHosts) { + final String[] nonProxies = nonProxyHosts.split( "(,)|(;)|(\\|)" ); + for (final String nonProxyHost : nonProxies) { + //if ( StringUtils.contains( nonProxyHost, "*" ) ) + if (null != nonProxyHost && nonProxyHost.contains("*")) { + // Handle wildcard at the end, beginning or middle of the nonProxyHost + final int pos = nonProxyHost.indexOf('*'); + String nonProxyHostPrefix = nonProxyHost.substring(0, pos); + String nonProxyHostSuffix = nonProxyHost.substring(pos + 1); + // prefix* + if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) { + return true; + } + // *suffix + if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) { + return true; + } + // prefix*suffix + if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) 
&& host.endsWith(nonProxyHostSuffix)) { + return true; + } + } + else if (host.equals(nonProxyHost)) { + return true; + } } } - return skip; + return false; } + /** * Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is * configured but we don't want to use it (for example, if there's an internal repository configured)
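Review bot: Entries from `proxy.nonproxyhosts` are compared with `url.getHost()` as raw, case-sensitive strings in `matchNonProxy`, so a list written as `localhost, *.corp.example` (constructed example) or a host spelled in a different case silently fails to match and the request to an internal host still goes through the proxy. A bare `*` entry matches nothing because every wildcard branch requires a non-empty prefix or suffix, and the `prefix*suffix` branch has no length check, so the two parts may overlap in a short host name. I would trim and lower-case both sides with `Locale.ROOT` (needs a `java.util.Locale` import), skip empty entries, and fold the three branches into one prefix/suffix test as below, which makes a bare `*` match every host. That also drops the only uses of `StringUtils` visible here, so the commons-lang3 dependency added in pom.xml and the commented-out `StringUtils.contains` line could go.

```java
private static boolean matchNonProxy(final URL url) {
    // host names are case-insensitive, so compare in one canonical case
    final String host = url.getHost().toLowerCase(Locale.ROOT);
    // … unchanged: Settings lookup, null check and split …
        for (final String entry : nonProxies) {
            final String pattern = entry.trim().toLowerCase(Locale.ROOT);
            if (pattern.isEmpty()) {
                continue;
            }
            final int pos = pattern.indexOf('*');
            if (pos < 0) {
                if (host.equals(pattern)) {
                    return true;
                }
                continue;
            }
            final String prefix = pattern.substring(0, pos);
            final String suffix = pattern.substring(pos + 1);
            // the length check stops prefix and suffix from overlapping in a short host
            if (host.length() >= prefix.length() + suffix.length()
                    && host.startsWith(prefix) && host.endsWith(suffix)) {
                return true;
            }
        }
    // … unchanged: end of the null check, return false …
```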