feat: Add IPv4 CIDR and IPv6 CIDR validations #367
Conversation
|
Thank you for your contribution. I will review this PR in 1 or 2 weeks. Note to myself: Check this before merging. |
| */ | ||
| export const IPV6_CIDR_REGEX = | ||
| // eslint-disable-next-line redos-detector/no-unsafe-regex, regexp/no-super-linear-backtracking -- false positive | ||
| /^s*((([\dA-Fa-f]{1,4}:){7}([\dA-Fa-f]{1,4}|:))|(([\dA-Fa-f]{1,4}:){6}(:[\dA-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([\dA-Fa-f]{1,4}:){5}(((:[\dA-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([\dA-Fa-f]{1,4}:){4}(((:[\dA-Fa-f]{1,4}){1,3})|((:[\dA-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([\dA-Fa-f]{1,4}:){3}(((:[\dA-Fa-f]{1,4}){1,4})|((:[\dA-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([\dA-Fa-f]{1,4}:){2}(((:[\dA-Fa-f]{1,4}){1,5})|((:[\dA-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([\dA-Fa-f]{1,4}:)(((:[\dA-Fa-f]{1,4}){1,6})|((:[\dA-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[\dA-Fa-f]{1,4}){1,7})|((:[A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)*(\/(\d|[1-9]\d|1[01]\d|12[0-8]))$/u; |
There was a problem hiding this comment.
I don't fully understand why the s* is needed here. What does it do?
Additionally, are we sure that both redos and no-super-linear-backtracking are false positives?
- https://devina.io/redos-checker shows it vulnerable too
- https://makenowjust-labs.github.io/recheck/playground/ recheck also
I haven't had the time to try https://2bdenny.github.io/ReScue/ & https://github.com/doyensec/regexploit, but if one of them shows a vulnerability too, we have 3 online and at least one offline tool showing it's vulnerable, which tells us it's certainly vulnerable.
There was a problem hiding this comment.
Will look into the vulnerabilities further. I’m not sure I understood them correctly, thanks for pointing this out.
There was a problem hiding this comment.
@kurtextrem thanks for the review, i agree with you. We should not use Regex which doesn't pass those regex exploits checking tools.
fabian-hiller
force-pushed
the
main
branch
7 times, most recently
from
b997a0f
to
6d0cde4
Compare
Implements #342. Adds separate validations for both IPv4 and IPv6 CIDR notations.