Throws exception when passed IP address with too long mask

Fixes gh-2790
2019-07-04 15:46:24 -07:00 · 2019-07-04 15:46:24 -07:00 · ab6440db10
parent d5e5ac0503
commit ab6440db10
2 changed files with 26 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -22,6 +22,7 @@ import javax.servlet.http.HttpServletRequest;

 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.StringUtils;
+import org.springframework.util.Assert;

 /**
 * Matches a request based on IP Address or subnet mask matching against the remote
@ -55,6 +56,9 @@ public final class IpAddressMatcher implements RequestMatcher {
 			nMaskBits = -1;
 		}
 		requiredAddress = parseAddress(ipAddress);
+		Assert.isTrue(requiredAddress.getAddress().length * 8 >= nMaskBits,
+				String.format("IP address %s is too short for bitmask of length %d",
+						ipAddress, nMaskBits));
 	}

 	public boolean matches(HttpServletRequest request) {
--- a/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
+++ b/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -84,4 +84,24 @@ public class IpAddressMatcherTests {
 		assertThat(matcher.matches("123.4.5.6")).isTrue();
 		assertThat(matcher.matches("192.168.0.159")).isTrue();
 	}
+
+	// SEC-2576
+	@Test
+	public void ipv4RequiredAddressMaskTooLongThenIllegalArgumentException() {
+		String ipv4AddressWithTooLongMask = "192.168.1.104/33";
+		assertThatCode(() -> new IpAddressMatcher(ipv4AddressWithTooLongMask))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessage(String.format("IP address %s is too short for bitmask of " +
+						"length %d", "192.168.1.104", 33));
+	}
+
+	// SEC-2576
+	@Test
+	public void ipv6RequiredAddressMaskTooLongThenIllegalArgumentException() {
+		String ipv6AddressWithTooLongMask = "fe80::21f:5bff:fe33:bd68/129";
+		assertThatCode(() -> new IpAddressMatcher(ipv6AddressWithTooLongMask))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessage(String.format("IP address %s is too short for bitmask of " +
+						"length %d", "fe80::21f:5bff:fe33:bd68", 129));
+	}
 }