Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-23 10:48:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make Stricter IP Format Check

Browse Source 
Closes gh-17499

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
This commit is contained in:
Andrey Litvitski 2025-07-09 14:28:52 +03:00 committed by Josh Cummings
parent 1af665d6c8
commit 2fbe8dd8f6
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
View File

@ -35,11 +35,12 @@ import org.springframework.util.StringUtils;
*
* @author Luke Taylor
* @author Steve Riesenberg
* @author Andrey Litvitski
* @since 3.0.2
*/
public final class IpAddressMatcher implements RequestMatcher {
private static Pattern IPV4 = Pattern.compile("\\d{0,3}.\\d{0,3}.\\d{0,3}.\\d{0,3}(/\\d{0,3})?");
private static Pattern IPV4 = Pattern.compile("^\\d{1,3}(?:\\.\\d{1,3}){0,3}(?:/\\d{1,2})?$");
private final InetAddress requiredAddress;

9
web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
View File

@ -27,6 +27,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
/**
* @author Luke Taylor
* @author Andrey Litvitski
*/
public class IpAddressMatcherTests {
@ -167,4 +168,12 @@ public class IpAddressMatcherTests {
assertThat(matcher.toString()).hasToString("IpAddress [127.0.0.1]");
}
// gh-17499
@Test
public void constructorRejectsInvalidIpv4WithX() {
String badIp = "10x1x1x1";
assertThatIllegalArgumentException().isThrownBy(() -> new IpAddressMatcher(badIp))
.withMessage("ipAddress 10x1x1x1 doesn't look like an IP Address. Is it a host name?");
}
}