seancfoley / IPAddress

Java library for handling IP addresses and subnets, both IPv4 and IPv6
https://seancfoley.github.io/IPAddress/
Apache License 2.0
469 stars 63 forks

isValid() method returns True for non-standard IP address notation #125

Closed gergomiklos-seon closed 6 months ago

gergomiklos-seon commented 6 months ago

Description

The isValid() method from the IPAddressString class is returning true for an IP address string that uses hyphens instead of dots as delimiters ("192-168.1-1"), which is not a standard notation for IP addresses. We found this issue while updating from 5.0.2 to 5.5.0.

Steps to Reproduce

  1. Add the ipaddress library to the project (version 5.5.0).
  2. Execute the isValid() method on an IPAddressString object with the IP address "192-168.1-1".
  3. Observe that the method returns true.

This behavior was observed using the following environment:

No additional configuration was made to the IPAddressString class or its validation settings.

Expected Behavior

As it did in version 5.0.2 of the library: the isValid() method should return false for any IP address that does not conform to the standard notation of four decimal octets separated by periods.

Is there a configuration within the library that allows enforcing the standard IP address notation? If so, could you provide guidance on how to configure the IPAddressString class to accept only correctly formatted IP addresses, as was present in version 5.0.2?

Code Snippet

```java
IPAddressString ipAddressString = new IPAddressString("192-168.1-1");
boolean result = ipAddressString.isValid();
System.out.println("Is IP address valid? " + result); // Prints: Is IP address valid? true
```

seancfoley commented 6 months ago

This is not a bug.

Read the javadoc for IPAddressString.

IPAddressString allows subnet formats, and one supported format is specifying ranges of values, such as 1.2.3.4-5 which is equivalent to the subnet 1.2.3.4/31.

IPAddressString allows formats corresponding to the utility inet_aton in which segments are combined.

IPAddressString allows combinations of the two. 192-168.1-1 is a subnet with 25 addresses in it.

IPAddressString allows IPv6 addresses like ff::

If you want to restrict IPAddressString to be less permissive, you have to tell it what you want to allow, with IPAddressStringParameters. You can build your parameters with the Builder. You should look at allow_inet_aton, allowIPv6, allowPrefix, setRangeOptions, and others. It sounds like you don't want IPv6 allowed, nor inet_aton, nor prefixes, nor ranges.

You can also do some checks after parsing, such as using isMultiple or isIPv6, or other methods.

See issue #24, issue #43, issue #94, issue #99, issue #109, the inet_aton wiki entry, and the docs for lots of examples.
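
One way to apply the options suggested in the comment above when validating untrusted input. This is an added example, not part of the original thread and not the project's own code. The class name StrictIPv4Check, the helper isSingleIPv4 and the sample strings are constructed for illustration, and allowMask, allowEmpty and allowAll are further builder methods beyond the ones named in the comment.

```java
import inet.ipaddr.AddressStringParameters.RangeParameters;
import inet.ipaddr.IPAddress;
import inet.ipaddr.IPAddressString;
import inet.ipaddr.IPAddressStringParameters;

public class StrictIPv4Check {

    // Restrictive parser options: no IPv6, no inet_aton forms (hex, octal,
    // joined segments), no prefix lengths or masks, no ranges or wildcards.
    static final IPAddressStringParameters STRICT_IPV4 =
        new IPAddressStringParameters.Builder()
            .allowIPv6(false)
            .allow_inet_aton(false)
            .allowPrefix(false)
            .allowMask(false)
            .allowEmpty(false)
            .allowAll(false)
            .setRangeOptions(RangeParameters.NO_RANGE)
            .toParams();

    // Accepts a string only if it parses under STRICT_IPV4 and the result
    // is one IPv4 address rather than a subnet or range.
    static boolean isSingleIPv4(String input) {
        IPAddressString str = new IPAddressString(input, STRICT_IPV4);
        IPAddress addr = str.getAddress(); // null when the string is not valid
        // Post-parse checks kept as a second gate in case the parameters
        // are loosened later.
        return addr != null && addr.isIPv4() && !addr.isMultiple();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the string from this issue, the forms
        // mentioned in the reply, and a plain dotted-decimal address.
        String[] samples = {
            "192.168.1.1", "192-168.1-1", "1.2.3.4-5", "1.2.3.4/31", "ff::"
        };
        for (String s : samples) {
            boolean permissive = new IPAddressString(s).isValid();
            System.out.printf("%-12s default isValid=%-5b strict single IPv4=%b%n",
                s, permissive, isSingleIPv4(s));
        }
    }
}
```

Running it prints, for each sample, the result of the default permissive parse next to the restricted check, which shows where input validation built on the default isValid() accepts subnet and range notations.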

seancfoley commented 6 months ago

BTW, none of this has changed since version 5.0.2, all of this works the same in 5.5.0 as 5.0.2.

seancfoley commented 6 months ago

Update: what changed between 5.0.2 and 5.5.0 is the support for downwards ranges. That was added in version 5.1.0, see "reverse ranges allowed in parsed strings".

If you try "168-192.1-1" with version 5.0.2 you will see it is considered valid.

I don't consider allowing "192-168" as equivalent to "168-192" to be a breaking change.