ninjaframework / ninja

Ninja is a full stack web framework for Java. Rock solid, fast and super productive.
http://www.ninjaframework.org
Apache License 2.0

X-Forwarded-For does insecure internal DNS lookups for user-provided hosts #752

Open tenor-dev opened 1 year ago

tenor-dev commented 1 year ago

An attacker can put a DNS name into the X-Forwarded-For header and Ninja would do a DNS lookup of it.

The code responsible is in AbstractContext.getRemoteAddr:

                    // If ip4/6 address string handed over, simply does pattern validation.
                    InetAddress.getByName(forwardHeader);

So, contrary to the comment, getByName doesn't do a simple validation, but also does a DNS lookup if the provided value is not an IP address. This code is irrelevant and should be removed.
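The behaviour described above, as an added example that is not part of the issue or of the Ninja code base: InetAddress.getByName only skips the resolver when its argument is already an IP literal, so the safe order of operations is to decide whether the header value is a literal first and hand only literals to InetAddress. The class, method names (isIpLiteral, selectRemoteAddr) and the sample header values below are assumptions made for this illustration; they do not correspond to anything in AbstractContext.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

/**
 * Added example, not Ninja code. Classifies an X-Forwarded-For value as an
 * IPv4/IPv6 literal without ever touching the resolver, so attacker-supplied
 * text like "evil.example" never becomes a DNS query.
 */
public final class ForwardedAddressCheck {

    // Dotted-quad IPv4: four decimal octets 0-255, no leading zeros.
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    // IPv6 is checked structurally: hex groups and colons only (dotted-quad
    // suffixes such as ::ffff:192.0.2.1 are deliberately rejected here).
    private static final Pattern IPV6_CHARS = Pattern.compile("^[0-9A-Fa-f:]+$");

    private ForwardedAddressCheck() {}

    public static boolean isIpv4Literal(String s) {
        return s != null && IPV4.matcher(s).matches();
    }

    public static boolean isIpv6Literal(String s) {
        if (s == null) return false;
        String t = s;
        if (t.startsWith("[") && t.endsWith("]")) {
            t = t.substring(1, t.length() - 1);
        }
        if (!t.contains(":") || !IPV6_CHARS.matcher(t).matches()) return false;
        if (t.contains(":::")) return false;
        // A leading or trailing single colon is only legal as part of "::".
        if (t.startsWith(":") && !t.startsWith("::")) return false;
        if (t.endsWith(":") && !t.endsWith("::")) return false;
        int doubleColons = countOccurrences(t, "::");
        if (doubleColons > 1) return false;
        String[] groups = t.split(":", -1);
        int nonEmpty = 0;
        for (String g : groups) {
            if (g.length() > 4) return false;
            if (!g.isEmpty()) nonEmpty++;
        }
        // "::" compresses one or more zero groups, so fewer than 8 are present;
        // without it the address must have exactly 8 groups.
        return doubleColons == 1 ? nonEmpty <= 7 : (groups.length == 8 && nonEmpty == 8);
    }

    private static int countOccurrences(String haystack, String needle) {
        int count = 0;
        for (int i = haystack.indexOf(needle); i >= 0; i = haystack.indexOf(needle, i + needle.length())) {
            count++;
        }
        return count;
    }

    /** True for an IPv4 or IPv6 literal; never performs a DNS lookup. */
    public static boolean isIpLiteral(String s) {
        return isIpv4Literal(s) || isIpv6Literal(s);
    }

    /**
     * Hypothetical replacement for the check in getRemoteAddr: take the first
     * X-Forwarded-For entry, use it only if it is a literal, otherwise fall back
     * to the transport-level peer address supplied by the caller.
     */
    public static String selectRemoteAddr(String forwardedFor, String socketRemoteAddr) {
        if (forwardedFor == null) return socketRemoteAddr;
        String first = forwardedFor.split(",", 2)[0].trim();
        return isIpLiteral(first) ? first : socketRemoteAddr;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample header values; the last one is the attacker case.
        String[] samples = {"203.0.113.7", "[2001:db8::1]", "10.0.0.1, 198.51.100.9", "not-an-ip.example"};
        for (String s : samples) {
            System.out.println(s + " -> " + selectRemoteAddr(s, "192.0.2.10"));
        }
        // Only a validated literal reaches InetAddress. Per the Javadoc, getByName
        // on a literal merely checks the address format, so no resolver is involved.
        InetAddress a = InetAddress.getByName(selectRemoteAddr("203.0.113.7", "192.0.2.10"));
        System.out.println("parsed without DNS: " + a.getHostAddress());
    }
}
```

Two caveats for anyone adapting this: the literal check removes the DNS side effect but does not make X-Forwarded-For trustworthy, since any client can set the header, so the value should only be honoured when the request arrives from a proxy you control; and on Java 21 and later InetAddress.ofLiteral gives the same "parse, never resolve" guarantee without a hand-written validator.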