[JENKINS-62261] RepositoryBrowser: Use UrlValidator.ALLOW_LOCAL_URLS

[sratz]

JENKINS-62261 - Allow local URLs in repo browsers

Relax URL validation in repository browser such that *.corp domains and local hostnames are not dismissed as invalid.

Checklist

• I have read the CONTRIBUTING doc
• I have referenced the Jira issue related to my changes in one or more commit messages
• I have added tests that verify my changes
• Unit tests pass locally with my changes
• I have added documentation as necessary
• No Javadoc warnings were introduced with my changes
• No spotbugs warnings were introduced with my changes
• I have interactively tested my changes
• Any dependent changes have been merged and published in upstream modules (like git-client-plugin)

Types of changes

• Bug fix (non-breaking change which fixes an issue)

[MarkEWaite]

I agree that the validator should accept local URLs as valid, especially with the 2018 decision by ICANN to reserve .home, .corp, and .mail as unavailable for use on the public internet.

[MarkEWaite]

Failing tests will need to be fixed before this can be merged.

[MarkEWaite]

I expect that most users running a localhost repository server are not using SSL to encrypt the localhost traffic. If we're acting like this is a valid use case that should not generate a warning message, then let's accept http instead of https.

Suggested change

	String url = "https://localhost/space/git-plugin/git/source";
	String url = "http://localhost/space/git-plugin/git/source";

I think this is not a valid use case because Jenkins itself will display a warning to the user if they set the Jenkins URL to be localhost. The user is still allowed to ignore the error text and apply the change. However, I'm open to allowing this case if the UrlValidator allows it. As far as I can tell from the automated test, the UrlValidator does not allow it.

[MarkEWaite]

@sratz I took the concepts you were using and extended them further in the AssemblaWeb checks. I've pushed them to this branch so that you can see them and comment.

It will be a while before I can spend the time to make the same changes in the main implementation. Let me know what you think of the compromises and changes that I've made. I'm intentionally using the Java URL class constructor to detect certain classes of issues, then specifically skipping the Apache UrlValidator() call if the hostname contains one of the known local network suffixes.

It would have been much nicer if UrlValidator() recognized those hostname suffixes as local hostnames, but I believe that decision came after the version of UrlValidator was released.

[sratz]

The changes look good.

I noticed that there is an additional API we could potentially use to solve this:
https://github.com/apache/commons-validator/blob/2cbd174c3d372d27cf09a5b13d99aeae19783267/src/main/java/org/apache/commons/validator/routines/DomainValidator.java#L1952

DomainValidator.updateTLDOverride(DomainValidator.ArrayType.GENERIC_PLUS,
        new String[] { "corp", ".home", ".local", ".localnet" });

However, this is a static method and can only be called before anyone calls DomainValidator.getInstance(). Not sure if this is a feasible option in a modular environment such as Jenkins :/

[MarkEWaite]

See #940 for alternatives in the new release of Apache commons validator.

[rishabhBudhouliya]

@sratz @MarkEWaite I have used the DomainValidator API to solve this problem, please have a look at #967

[sratz]

Thanks a lot @rishabhBudhouliya!