hostsharing/hs.hsadmin.ng
1
0
Fork 0
Code Activity

fix potential DoS attac in IPv6 regex (#172)

Browse Source 
Co-authored-by: Michael Hoennig <michael@hoennig.de>
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/172
Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
This commit is contained in:
Michael Hoennig
2025-04-10 12:32:07 +02:00
parent 0c32377d77
commit 77ace7d794
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/validators/HsIPv6NumberHostingAssetValidator.java
View File

@@ -11,8 +11,9 @@ import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.IPV6
class HsIPv6NumberHostingAssetValidator extends HostingAssetEntityValidator { class HsIPv6NumberHostingAssetValidator extends HostingAssetEntityValidator {
// simplified pattern, the real check is done by letting Java parse the address // Simple pattern to check only max length and valid characters (hex digits and colons).
private static final Pattern IPV6_REGEX = Pattern.compile("([a-f0-9:]+:+)+[a-f0-9]+"); // A robust validation is done via isValidIPv6Address.
private static final Pattern SIMPLE_IPV6_REGEX_PATTERN = Pattern.compile("^[0-9a-fA-F:]{1,39}$");
HsIPv6NumberHostingAssetValidator() { HsIPv6NumberHostingAssetValidator() {
super( super(
@@ -36,7 +37,7 @@ class HsIPv6NumberHostingAssetValidator extends HostingAssetEntityValidator {
@Override @Override
protected Pattern identifierPattern(final HsHostingAsset assetEntity) { protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
return IPV6_REGEX; return SIMPLE_IPV6_REGEX_PATTERN;
} }
private boolean isValidIPv6Address(final String identifier) { private boolean isValidIPv6Address(final String identifier) {