
[Bug]: RemoteRefBlockList fails to block mixed/upper-case HTTPS schemes (e.g., Https://) in swagger-parser 2.1.34 #2237

@piyushsomani25

Description


When using the Swagger Parser (swagger-parser version 2.1.34) with

parseOptions.setRemoteRefBlockList(Collections.singletonList("*"));

the parser should block all remote $ref URLs — including any that start with http or https.

However, URLs with mixed or upper-case schemes such as Https:// are still fetched, even though "*" is configured in the block list.

Reproduction Details

Code:

ParseOptions parseOptions = new ParseOptions();
parseOptions.setResolve(true);
parseOptions.setSafelyResolveURL(true);
parseOptions.setRemoteRefBlockList(Collections.singletonList("*"));

OpenAPI snippet:

components:
  schemas:
    TestSchema:
      $ref: "Https://webhook.site/228856c6-ea7a-4a6c-9582-99bf279fd669"

Observed Behavior:
URL Scheme   Behavior
https://     ✅ Blocked (expected)
Https://     ❌ Fetched (unexpected)
HTTPS://     ❌ Fetched (unexpected)
hTTps://     ❌ Fetched (unexpected)
HtTpS://     ❌ Fetched (unexpected)

So the block list fails when the scheme has any uppercase letter.

Root Cause:

In the parser’s resolver logic, the following check is used:

File:
swagger-parser-v3/src/main/java/io/swagger/v3/parser/reference/Visitor.java


    default String readURI(String absoluteUri, List<AuthorizationValue> auths) throws Exception {
        URI resolved = new URI(absoluteUri);
        if (StringUtils.isNotBlank(resolved.getScheme())) {
            if (resolved.getScheme().startsWith("http")) {
                return readHttp(absoluteUri, auths);
            }
        }
        return null;
    }

This check is case-sensitive.
If the $ref scheme is Https, it doesn’t match "http", and the parser proceeds to call readHttp() unblocked.

Expected Behavior:

All http and https variants — regardless of case — should be normalized and correctly blocked when specified in remoteRefBlockList.

Suggested Fix:

Convert the URI scheme to lowercase before comparison:


    default String readURI(String absoluteUri, List<AuthorizationValue> auths) throws Exception {
        URI resolved = new URI(absoluteUri);
        if (StringUtils.isNotBlank(resolved.getScheme())) {
            // Normalize the scheme with Locale.ROOT so "Https", "HTTPS", etc. compare equal to "http"
            if (resolved.getScheme().toLowerCase(Locale.ROOT).startsWith("http")) {
                return readHttp(absoluteUri, auths);
            }
        }
        return null;
    }
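As an added illustration (not swagger-parser's own code), the class below contrasts the raw, case-sensitive scheme test quoted from Visitor.readURI with a normalized, case-insensitive one and runs both over the scheme spellings listed in the table above. The class name SchemeCheck, its method names and the example.invalid URLs are constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Hypothetical helper (not swagger-parser code) showing why a raw scheme
// comparison misses mixed-case schemes and how normalization fixes it.
public final class SchemeCheck {

    // Mirrors the check in the report: compares the scheme exactly as parsed,
    // so "Https" does not start with "http".
    static boolean isHttpCaseSensitive(String ref) throws URISyntaxException {
        String scheme = new URI(ref).getScheme();
        return scheme != null && scheme.startsWith("http");
    }

    // RFC 3986 section 3.1 defines schemes as case-insensitive, so lower-case
    // with Locale.ROOT (locale-independent) before comparing. This variant also
    // matches "http"/"https" exactly rather than any scheme starting with "http".
    static boolean isHttpNormalized(String ref) throws URISyntaxException {
        String scheme = new URI(ref).getScheme();
        if (scheme == null) {
            return false; // relative or fragment-only reference, not remote
        }
        String lower = scheme.toLowerCase(Locale.ROOT);
        return lower.equals("http") || lower.equals("https");
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs covering the spellings from the report plus two
        // non-HTTP references to show that normalization does not over-match.
        String[] refs = {
            "https://example.invalid/schema.yaml",
            "Https://example.invalid/schema.yaml",
            "HTTPS://example.invalid/schema.yaml",
            "hTTps://example.invalid/schema.yaml",
            "HtTpS://example.invalid/schema.yaml",
            "file:///tmp/schema.yaml",
            "#/components/schemas/Local"
        };
        for (String ref : refs) {
            System.out.printf("%-40s case-sensitive=%-5s normalized=%s%n",
                ref, isHttpCaseSensitive(ref), isHttpNormalized(ref));
        }
    }
}
```

Only the all-lower-case URL is recognised by the case-sensitive check, while the normalized check recognises every HTTP/HTTPS spelling and still rejects the file and fragment references.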
