reject ipv4 strings with an octet with a leading zero

karenetheridge · karenetheridge · commit 7ca5f36d92de · 2021-03-29T16:07:48.000-07:00
Ensuring implementations reject these values will help guard against this security vulnerability. see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/
diff --git a/tests/draft2019-09/optional/format/ipv4.json b/tests/draft2019-09/optional/format/ipv4.json
@@ -32,6 +32,17 @@
                 "description": "an IP address as an integer (decimal)",
                 "data": "2130706433",
                 "valid": false
+            },
+            {
+                "description": "leading zeroes should be rejected, as they are treated as octals",
+                "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+                "data": "087.10.0.1",
+                "valid": false
+            },
+            {
+                "description": "value without leading zero is valid",
+                "data": "87.10.0.1",
+                "valid": true
             }
         ]
     }
diff --git a/tests/draft2020-12/optional/format/ipv4.json b/tests/draft2020-12/optional/format/ipv4.json
@@ -32,6 +32,17 @@
                 "description": "an IP address as an integer (decimal)",
                 "data": "2130706433",
                 "valid": false
+            },
+            {
+                "description": "leading zeroes should be rejected, as they are treated as octals",
+                "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+                "data": "087.10.0.1",
+                "valid": false
+            },
+            {
+                "description": "value without leading zero is valid",
+                "data": "87.10.0.1",
+                "valid": true
             }
         ]
     }
diff --git a/tests/draft4/optional/format/ipv4.json b/tests/draft4/optional/format/ipv4.json
@@ -32,6 +32,17 @@
                 "description": "an IP address as an integer (decimal)",
                 "data": "2130706433",
                 "valid": false
+            },
+            {
+                "description": "leading zeroes should be rejected, as they are treated as octals",
+                "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+                "data": "087.10.0.1",
+                "valid": false
+            },
+            {
+                "description": "value without leading zero is valid",
+                "data": "87.10.0.1",
+                "valid": true
             }
         ]
     }
diff --git a/tests/draft6/optional/format/ipv4.json b/tests/draft6/optional/format/ipv4.json
@@ -32,6 +32,17 @@
                 "description": "an IP address as an integer (decimal)",
                 "data": "2130706433",
                 "valid": false
+            },
+            {
+                "description": "leading zeroes should be rejected, as they are treated as octals",
+                "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+                "data": "087.10.0.1",
+                "valid": false
+            },
+            {
+                "description": "value without leading zero is valid",
+                "data": "87.10.0.1",
+                "valid": true
             }
         ]
     }
diff --git a/tests/draft7/optional/format/ipv4.json b/tests/draft7/optional/format/ipv4.json
@@ -32,6 +32,17 @@
                 "description": "an IP address as an integer (decimal)",
                 "data": "2130706433",
                 "valid": false
+            },
+            {
+                "description": "leading zeroes should be rejected, as they are treated as octals",
+                "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+                "data": "087.10.0.1",
+                "valid": false
+            },
+            {
+                "description": "value without leading zero is valid",
+                "data": "87.10.0.1",
+                "valid": true
             }
         ]
     }

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,17 @@`
`32`	`32`	`"description": "an IP address as an integer (decimal)",`
`33`	`33`	`"data": "2130706433",`
`34`	`34`	`"valid": false`
	`35`	`+ },`
	`36`	`+ {`
	`37`	`+ "description": "leading zeroes should be rejected, as they are treated as octals",`
	`38`	`+ "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",`
	`39`	`+ "data": "087.10.0.1",`
	`40`	`+ "valid": false`
	`41`	`+ },`
	`42`	`+ {`
	`43`	`+ "description": "value without leading zero is valid",`
	`44`	`+ "data": "87.10.0.1",`
	`45`	`+ "valid": true`
`35`	`46`	`}`
`36`	`47`	`]`
`37`	`48`	`}`