-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net.isIP fails to detect different formats #40966
Comments
I've never seen an instance where any of the formats in those examples would have been intentional (unless for perhaps malicious reasons). |
The usage may be for malicious reasons. Correctly parsing the ips' could be for anti-malicious reasons. |
Doesn't this return 0, which is false, because these formats are not correct in terms of IP? |
They are correct. Theck out the inet_aton that knows how to parse them: Python 2.7.16 (default, Sep 6 2021, 07:39:44)
|
Ref: https://datatracker.ietf.org/doc/html/draft-main-ipaddr-text-rep-02#section-3.1 TL;DR: We (probably) should not permit leading zeroes. |
And honestly, I strongly suspect the same rationale applies to the rest of those formats. Supporting them probably does more harm than good. |
Related: #38860 |
Indeed, supporting such formats by the Browser, ping from Microsoft, curl and others might do more harm than good, since it's a good way of obfuscating malicious URLs and bypass security solutions. But on the other side, there are the good guys that are trying to detect such behaviour. For that, we need a way of converting such browser-supported non-standard notation to decimal-point-notation. As @richardlau remarqued above, i am not the only person requesting this feature. There are libraries doing just that (ipaddr.js for example), but i was surprised that the net nodejs module is not. |
I do think we should update the documentation at least to call out that we're not verifying all IP address formats, just the common/conventional one. |
Closes: nodejs#40966 PR-URL: nodejs#41028 Fixes: nodejs#40966 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net>
Version
v16.13.0
Platform
Darwin xxx.local 20.6.0 Darwin Kernel Version 20.6.0: Tue Oct 12 18:33:38 PDT 2021; root:xnu-7195.141.8~1/RELEASE_ARM64_T8101 arm64
Subsystem
net
What steps will reproduce the bug?
How often does it reproduce? Is there a required condition?
Always
What is the expected behavior?
4
What do you see instead?
0
Additional information
I was looking for a way of checking if a hostname in an URL is an IP (v4 or V6) and found the "net" nodejs module. But it is unable to detect different formats. Open a browser and put any of the strings in the description, with a http:// in front, and see that it is correctly converted to the canonical form.
Also would be great if you could add the conversion to canonical form for both ipv4 and ipv6 (https://datatracker.ietf.org/doc/html/rfc5952#section-4)
The text was updated successfully, but these errors were encountered: