Spring ServletServerHttpRequest.getRemoteAddress() may perform DNS lookup

The ServletServerHttpRequest#getRemoteAddress method may perform a DNS lookup in certain scenarios (and same goes for its reactive counterpart).

If the underlying jakarta.servlet.ServletRequest#getRemoteHost implementation does a DNS lookup (as it is allowed, but not required to do), then calling ServletServerHttpRequest#getRemoteAddress will also do a DNS lookup. ServletServerHttpRequest#getRemoteAddress is for example called by Spring's ForwardedHeaderFilter.

As the ServletServerHttpRequest#getRemoteAddress return type is InetSocketAddress it feels like doing DNS resolution is quite pointless in general.

I have been trying to extract a minimal reproducer but I'm having some trouble getting it reproduced in a minimal setting. It might involve WebSocket via JSR 356 using Atmosphere and Jetty as the servlet container.

Similar to #28280.

Comment From: slovdahl

Quoting https://github.com/spring-projects/spring-framework/issues/28280#issuecomment-1250860392

The AbstractStandardUpgradeStrategy still tries to get InetSocketAddresses during upgrade:

``` @Override public void upgrade(ServerHttpRequest request, ServerHttpResponse response, @Nullable String selectedProtocol, List selectedExtensions, @Nullable Principal user, WebSocketHandler wsHandler, Map attrs) throws HandshakeFailureException {

  HttpHeaders headers = request.getHeaders();
  InetSocketAddress localAddr = null;
  try {
      localAddr = request.getLocalAddress();
  }
  catch (Exception ex) {
      // Ignore
  }
  InetSocketAddress remoteAddr = null;
  try {
      remoteAddr = request.getRemoteAddress();
  }
  catch (Exception ex) {
      // Ignore
  }

and ServerHttpRequest uses constructor of InetSocketAddress, which performs DNS lookup: @Override public InetSocketAddress getLocalAddress() { return new InetSocketAddress(this.servletRequest.getLocalAddr(), this.servletRequest.getLocalPort()); }

@Override public InetSocketAddress getRemoteAddress() { return new InetSocketAddress(this.servletRequest.getRemoteHost(), this.servletRequest.getRemotePort()); } ``` (checked on spring 5.3.20 and java 17)