From 77ace7d79465346f1b3eb93646bd982b332db4d4 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Thu, 10 Apr 2025 12:32:07 +0200
Subject: [PATCH] fix potential DoS attac in IPv6 regex (#172)
Co-authored-by: Michael Hoennig
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/172
Reviewed-by: Marc Sandlus
---
 .../validators/HsIPv6NumberHostingAssetValidator.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsIPv6NumberHostingAssetValidator.java b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsIPv6NumberHostingAssetValidator.java
index d7a7c42d..11fdbd18 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsIPv6NumberHostingAssetValidator.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsIPv6NumberHostingAssetValidator.java
@@ -11,8 +11,9 @@ import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.IPV6
 
 class HsIPv6NumberHostingAssetValidator extends HostingAssetEntityValidator {
 
- // simplified pattern, the real check is done by letting Java parse the address
- private static final Pattern IPV6_REGEX = Pattern.compile("([a-f0-9:]+:+)+[a-f0-9]+");
+ // Simple pattern to check only max length and valid characters (hex digits and colons).
+ // A robust validation is done via isValidIPv6Address.
+ private static final Pattern SIMPLE_IPV6_REGEX_PATTERN = Pattern.compile("^[0-9a-fA-F:]{1,39}$");
 
 HsIPv6NumberHostingAssetValidator() {
 super(
@@ -36,7 +37,7 @@ class HsIPv6NumberHostingAssetValidator extends HostingAssetEntityValidator {
 
 @Override
 protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
- return IPV6_REGEX;
+ return SIMPLE_IPV6_REGEX_PATTERN;
 }
 
 private boolean isValidIPv6Address(final String identifier) {
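Review bot: The `$` anchor in the new `SIMPLE_IPV6_REGEX_PATTERN` still matches before a final line terminator, so if the base class applies `identifierPattern()` with `find()` rather than `matches()` (the call site is outside this hunk), an identifier such as `"2001:db8::1\n"` would pass the length/character screen; `\z` pins the match to the true end of input: `Pattern.compile("^[0-9a-fA-F:]{1,39}\\z")`. The new character class now also accepts uppercase hex digits, which the removed pattern did not; presumably `isValidIPv6Address` (declared in the second hunk, body outside SOURCE) handles case, but a test with a mixed-case address would confirm the change is intentional. The `39` cap is the length of the longest uncompressed IPv6 text (eight 4-hex-digit groups plus seven colons), which is worth stating in the comment, e.g. `// 39 = 8 groups of 4 hex digits + 7 colons, the longest uncompressed form`. Unlike the removed pattern, the new one has no nested quantifiers over overlapping character classes, so it matches in linear time, which is the property the commit title relies on and could be noted in the comment as well.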