IpAddressMatcher.matches(String address) still accepts URLs #15172

Closed
hkamp-dev opened this issue May 27, 2024 · 2 comments
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
@hkamp-dev

Describe the bug
Following the update to Spring Security 6.3.0, we were facing issues with the IpAddressMatcher in our validation steps due to the assertStartsWithHexa() method.

Before changing our implementation, we relied on the InetAddress resolution in parseAddress(..) in the same class.

The InetAddress resolution still happens if a host name is supplied instead of an IP address when it starts with a hex character. Relates to: c1adeef and #13621

To Reproduce
Use the matches() method with a host name that starts with a character valid in the hex system.

Expected behavior
IP address format is enforced?

Sample

[...]
var mask = "0.0.0.0/8"; // the IpAddressMatcher constructor takes a single address or CIDR string
var matcher = new IpAddressMatcher(mask);
matcher.matches("example.org"); // does not throw an error
[...]
@hkamp-dev hkamp-dev added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 27, 2024
@jzheaux jzheaux self-assigned this May 28, 2024
@jzheaux jzheaux added this to the 6.3.1 milestone May 30, 2024
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels May 30, 2024
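
The gap reported in the issue above, as an added example that is not part of the original thread and is not Spring Security's code: a first-character test lets host names such as `example.org` through, while a syntactic IP-literal check rejects them before any resolver is called. The class and method names, the handling of `[` and `:`, and the sample inputs are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example; not Spring Security code. All names here are hypothetical.
public class IpLiteralCheck {

    // Simplified model of the first-character check the issue describes.
    // Accepting '[' and ':' for IPv6 input is an assumption of this model.
    static boolean firstCharCheck(String s) {
        if (s == null || s.isEmpty()) return false;
        char c = s.charAt(0);
        return c == '[' || c == ':' || Character.digit(c, 16) != -1;
    }

    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");
    private static final Pattern IPV6_CHARS = Pattern.compile("[0-9a-fA-F:.]+");

    // Syntactic pre-filter: true only for strings shaped like an IPv4 or IPv6
    // literal. It performs no DNS lookup; the real parser still validates the value.
    static boolean looksLikeIpLiteral(String s) {
        if (s == null || s.isEmpty()) return false;
        if (IPV4.matcher(s).matches()) {
            for (String octet : s.split("\\.")) {
                if (Integer.parseInt(octet) > 255) return false;
            }
            return true;
        }
        // IPv6: optional brackets, at least one ':', only hex digits, ':' and '.'
        boolean bracketed = s.startsWith("[") && s.endsWith("]");
        String v6 = bracketed ? s.substring(1, s.length() - 1) : s;
        return v6.indexOf(':') >= 0 && IPV6_CHARS.matcher(v6).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: two host names starting with a hex character, then literals.
        List<String> inputs = List.of("example.org", "dead.beef.test",
                "192.168.1.1", "999.1.1.1", "::1", "[2001:db8::1]");
        for (String s : inputs) {
            System.out.printf("%-16s firstChar=%-5b strict=%b%n",
                    s, firstCharCheck(s), looksLikeIpLiteral(s));
        }
    }
}
```

Any input for which the two columns disagree would have reached `InetAddress` resolution under the first-character check alone.
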
Contributor

jzheaux commented May 30, 2024

Thanks, @hkamp-dev, this is now fixed and will go out in the next milestone release. Will you please see if the 6.3.1-SNAPSHOT works for you?

@hkamp-dev
Author

Hi @jzheaux, thanks for taking a look and fixing it. Works great for me! Cheers!

@jzheaux jzheaux moved this to Done in Spring Security Team Jun 18, 2024