[Rt-commit] rtir branch, 4.0/stricter-ipv6-regex, created. 4.0.1rc1-46-gd0a664a5

? sunnavy sunnavy at bestpractical.com
Mon Mar 19 16:55:42 EDT 2018


The branch, 4.0/stricter-ipv6-regex has been created
        at  d0a664a5e6a2f7df292bba61bc870964d09c7da7 (commit)

- Log -----------------------------------------------------------------
commit 8271de80be79e7cb63f959cf388771313305a5fa
Author: craig Kaiser <craig at bestpractical.com>
Date:   Wed Mar 7 12:15:23 2018 -0500

    Test ticket content with invalid ipv6 value
    
    When a ticket is created with content that contains a substring of a
    valid ipv6 id, it can register as a false positive for the ip.

diff --git a/t/custom-fields/ipv6.t b/t/custom-fields/ipv6.t
index afd3b4c1..68a18bd0 100644
--- a/t/custom-fields/ipv6.t
+++ b/t/custom-fields/ipv6.t
@@ -576,5 +576,29 @@ diag "merge ticket with the same IP";
     is( $has[0], '::ac10:1', "has value" );
 }
 
+diag "create a ticket via web with invalid IPv6 address" if $ENV{'TEST_VERBOSE'};
+{
+    my $content = 'Scan::Address_Scan';
+
+    my $incident_id;
+    foreach my $queue( 'Incidents', 'Incident Reports', 'Investigations', 'Countermeasures' ) {
+        diag "create a ticket in the '$queue' queue" if $ENV{'TEST_VERBOSE'};
+
+        my $id = $agent->create_rtir_ticket_ok(
+            $queue,
+            {
+                Subject => "test invalid IPv6 in message",
+                ($queue eq 'Countermeasures'? (Incident => $incident_id): ()),
+                Content => "$content",
+            },
+        );
+        $incident_id = $id if $queue eq 'Incidents';
+
+        my $ticket = RT::Ticket->new( $RT::SystemUser );
+        $ticket->Load( $id );
+        ok( $ticket->id, 'loaded ticket' );
+        is( $ticket->FirstCustomFieldValue('IP'), undef, 'correct value' );
+    }
+}
 undef $agent;
 done_testing();

commit a05d3a26dcf6635e05261c37389e5b4badb71415
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue Mar 20 04:05:51 2018 +0800

    Stricter IPv6 regex by adding more limitations to the surroundings.
    
    We want a clear break between IPv6 and its surroundings to not extract
    "::Add" from "Scan::Address_Scan". Because as a valid IPv6 itself,
    "::Add" is definitely not meant to be one in that string.
    
    So the general rule is: surroundings shouldn't contain common characters
    valid to IPv6(i.e. "[0-9a-fA-F:.]"), and there should be a word break,
    thus the not allowed characters become "[0-9a-zA-Z:.]".
    
    An exception is trailing dot, which is commonly used as the end of a
    sentence. Like how we handle it in IPv4 regex, it's allowed as long as
    it's not directly followed by suspicious "[0-9a-zA-Z:]".

diff --git a/html/Callbacks/RTIR/Elements/MakeClicky/Default b/html/Callbacks/RTIR/Elements/MakeClicky/Default
index e24b24a5..45e1f0a2 100644
--- a/html/Callbacks/RTIR/Elements/MakeClicky/Default
+++ b/html/Callbacks/RTIR/Elements/MakeClicky/Default
@@ -204,7 +204,7 @@ use Regexp::IPv6 qw($IPv6_re);
 my @types = (
     {
         name   => "ip",
-        regex  => qr[(?<!\d)$RE{'net'}{'IPv4'}(?!\d)|(?<![0-9a-fA-F:])$IPv6_re(?![0-9a-fA-F:])]o,
+        regex  => qr[(?<!\d)$RE{'net'}{'IPv4'}(?!\d)|(?<![0-9a-zA-Z:.])$IPv6_re(?!\.?[0-9a-zA-Z:])]o,
         action => "ip",
     },
     {
diff --git a/lib/RT/Action/RTIR_FindIP.pm b/lib/RT/Action/RTIR_FindIP.pm
index 2044bff8..bc35db1e 100644
--- a/lib/RT/Action/RTIR_FindIP.pm
+++ b/lib/RT/Action/RTIR_FindIP.pm
@@ -73,8 +73,8 @@ my $IPv4_re = qr[
 ]x;
 
 my $IPv6_mask_re = qr{12[0-8]|1[01][0-9]|[1-9]?[0-9]};
-my $IPv6_prefix_check_re = qr{(?<![0-9a-fA-F:.])};
-my $IPv6_sufix_check_re = qr{(?!(?:\:{0,2}|\.)[0-9a-fA-F])};
+my $IPv6_prefix_check_re = qr{(?<![0-9a-zA-Z:.])};
+my $IPv6_sufix_check_re = qr{(?!\.?[0-9a-zA-Z:])};
 my $IPv6_re = qr[
     $IPv6_prefix_check_re
     ($Regexp::IPv6::IPv6_re)

commit 9a58d602293190b761fa0fd71c3fe72e16579d9c
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue Mar 20 04:47:20 2018 +0800

    More IPv6 tests

diff --git a/t/custom-fields/ipv6.t b/t/custom-fields/ipv6.t
index 68a18bd0..7d789236 100644
--- a/t/custom-fields/ipv6.t
+++ b/t/custom-fields/ipv6.t
@@ -24,6 +24,10 @@ my %test_set = (
     'abcd:' x 7 . 'abcd' => 'abcd:' x 7 . 'abcd',
     'abcd::034'          => 'abcd:' . '0000:' x 6 . '0034',
     '::192.168.1.1'      => '0000:' x 6 . 'c0a8:0101',
+
+    # A trailing dot is allowed since it's commonly used as end of sentence,
+    'abcd::034.'         => 'abcd::34',
+    'abcd::192.168.1.1.' => 'abcd::c0a8:101',
 );
 my %test_cidr = (
     'abcd:' x 7 . 'abcd/32' => 'abcd:abcd'. ':0000' x 6 .'-'. 'abcd:abcd'. ':ffff' x 6,
@@ -44,6 +48,9 @@ my %abbrev_of = (
 
     '0000:'x6 .'ac10:0001' => '::ac10:1',
     '0000:'x6 .'ac10:0002' => '::ac10:2',
+
+    'abcd::034.'         => 'abcd::34',
+    'abcd::192.168.1.1.' => 'abcd::c0a8:101',
 );
 
 my $cf;
@@ -576,9 +583,19 @@ diag "merge ticket with the same IP";
     is( $has[0], '::ac10:1', "has value" );
 }
 
-diag "create a ticket via web with invalid IPv6 address" if $ENV{'TEST_VERBOSE'};
-{
-    my $content = 'Scan::Address_Scan';
+diag "create a ticket via web with invalid IPv6 addresses" if $ENV{'TEST_VERBOSE'};
+
+my @invalid = (
+    'Scan::Address_Scan', 'scan::add', 'z::a',  'a::z',
+    '::z',                'Foo::Bar',  'Foo::', '::Bar',
+    'RT::',               'RT::IR',
+
+    # A trailing dot is allowed but not if there are words right after it
+    'abcd::34.3', 'abcd::192.168.1.2.3', '::add.z',
+);
+
+
+for my $content ( @invalid ) {
 
     my $incident_id;
     foreach my $queue( 'Incidents', 'Incident Reports', 'Investigations', 'Countermeasures' ) {

commit d0a664a5e6a2f7df292bba61bc870964d09c7da7
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue Mar 20 04:53:49 2018 +0800

    Fix spelling of "suffix"

diff --git a/lib/RT/Action/RTIR_FindIP.pm b/lib/RT/Action/RTIR_FindIP.pm
index bc35db1e..00b06178 100644
--- a/lib/RT/Action/RTIR_FindIP.pm
+++ b/lib/RT/Action/RTIR_FindIP.pm
@@ -58,28 +58,28 @@ use Net::CIDR ();
 
 my $IPv4_mask_re = qr{3[0-2]|[1-2]?[0-9]};
 my $IPv4_prefix_check_re = qr{(?<![0-9.])};
-my $IPv4_sufix_check_re = qr{(?!\.?[0-9])};
+my $IPv4_suffix_check_re = qr{(?!\.?[0-9])};
 my $IPv4_CIDR_re = qr{
     $IPv4_prefix_check_re
     $RE{net}{CIDR}{IPv4}{-keep}
-    $IPv4_sufix_check_re
+    $IPv4_suffix_check_re
 }x;
 my $IPv4_re = qr[
     $IPv4_prefix_check_re
     (?!0\.0\.0\.0)
     ($RE{net}{IPv4})
     (?!/$IPv4_mask_re)
-    $IPv4_sufix_check_re
+    $IPv4_suffix_check_re
 ]x;
 
 my $IPv6_mask_re = qr{12[0-8]|1[01][0-9]|[1-9]?[0-9]};
 my $IPv6_prefix_check_re = qr{(?<![0-9a-zA-Z:.])};
-my $IPv6_sufix_check_re = qr{(?!\.?[0-9a-zA-Z:])};
+my $IPv6_suffix_check_re = qr{(?!\.?[0-9a-zA-Z:])};
 my $IPv6_re = qr[
     $IPv6_prefix_check_re
     ($Regexp::IPv6::IPv6_re)
     (?:/($IPv6_mask_re))?
-    $IPv6_sufix_check_re
+    $IPv6_suffix_check_re
 ]x;
 
 my $IP_re = qr{$IPv6_re|$IPv4_re|$IPv4_CIDR_re};

-----------------------------------------------------------------------


More information about the rt-commit mailing list