Use python lib to make cidr validation more strict

Also update ipv4 validation to match the method used to validate cidr strings
William Wernert
2021-11-10 16:53:01 -05:00
parent 446d6bd532
commit 569cb24861
2 changed files with 52 additions and 23 deletions


@@ -390,20 +390,30 @@ has_uppercase() {
} }
valid_cidr() { valid_cidr() {
# Verify there is a backslash in the string local cidr=$1
echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
local cidr
local ip
cidr=$(echo "$1" | sed 's/.*\///') read -r -d '' cidr_python <<- EOM
ip=$(echo "$1" | sed 's/\/.*//' ) import ipaddress
import sys
if valid_ip4 "$ip"; then
[[ $cidr =~ ([0-9]|[1-2][0-9]|3[0-2]) ]] && return 0 || return 1 def validate_cidr(cidr: str) -> bool:
else # We want the string to be a cidr block and not a single ip
return 1 if '/' not in cidr:
fi return False
try:
ipaddress.ip_network(cidr)
except ValueError:
return False
return True
if validate_cidr('$cidr'):
sys.exit(0)
else:
sys.exit(1)
EOM
python3 -c "$cidr_python"
return $?
} }
valid_cidr_list() { valid_cidr_list() {
@@ -447,7 +457,26 @@ valid_hostname() {
valid_ip4() { valid_ip4() {
local ip=$1 local ip=$1
echo "$ip" | grep -qP '^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' && return 0 || return 1 local ip_python
read -r -d '' ip_python <<- EOM
import ipaddress
import sys
def validate_ip(ip: str) -> bool:
try:
ipaddress.ip_address(ip)
except ValueError:
return False
return True
if validate_ip('$ip'):
sys.exit(0)
else:
sys.exit(1)
EOM
python3 -c "$ip_python"
return $?
} }
valid_int() { valid_int() {
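Review bot: In valid_cidr the argument is spliced into the Python source as `validate_cidr('$cidr')` through an unquoted heredoc, so a value containing a single quote ends the string literal and whatever follows is handed to `python3 -c` as code; valid_ip4 repeats the pattern with `validate_ip('$ip')`. Because these functions exist to vet input, the value should travel as data: quote the delimiter (`<<- 'EOM'`), have the script read `sys.argv[1]`, and call `python3 -c "$cidr_python" "$cidr"` (likewise for `$ip`). Separately, `ipaddress.ip_address` and `ipaddress.ip_network` also accept IPv6, so valid_ip4 now returns 0 for an IPv6 address; if only IPv4 is intended, `ipaddress.IPv4Address` and `ipaddress.IPv4Network` keep the old scope. valid_cidr also declares no `local cidr_python`, unlike valid_ip4, so that variable ends up in the caller's scope.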


@@ -46,7 +46,7 @@ test_fun 1 valid_fqdn "rwwiv."
test_fun 1 valid_fqdn "" test_fun 1 valid_fqdn ""
sleep 0.15s sleep 0.15
header "ip4" header "ip4"
@@ -62,13 +62,13 @@ test_fun 1 valid_ip4 "192.168.1.1."
test_fun 1 valid_ip4 "" test_fun 1 valid_ip4 ""
sleep 0.15s sleep 0.15
header "CIDR (ipv4)" header "CIDR (ipv4)"
test_fun 0 valid_cidr "192.168.1.0/24" test_fun 0 valid_cidr "192.168.1.0/24"
test_fun 0 valid_cidr "192.168.1.0/12" test_fun 0 valid_cidr "192.160.0.0/12"
test_fun 1 valid_cidr "192.168.1.0" test_fun 1 valid_cidr "192.168.1.0"
@@ -78,7 +78,7 @@ test_fun 1 valid_ip4 "/24"
test_fun 1 valid_cidr "" test_fun 1 valid_cidr ""
sleep 0.15s sleep 0.15
header "CIDR list" header "CIDR list"
@@ -90,7 +90,7 @@ test_fun 1 valid_cidr_list "10.0.0.0/8,192.168.0.0/16172.16.0.0/12"
test_fun 1 valid_cidr_list "10.0.0.0" test_fun 1 valid_cidr_list "10.0.0.0"
sleep 0.15s sleep 0.15
header "DNS" header "DNS"
@@ -104,7 +104,7 @@ test_fun 1 valid_dns_list "8.8.8.,8.8.4.4"
test_fun 1 valid_dns_list "192.168.9." test_fun 1 valid_dns_list "192.168.9."
sleep 0.15s sleep 0.15
header "int (default min: 1, default max: 1000000000)" header "int (default min: 1, default max: 1000000000)"
@@ -130,7 +130,7 @@ test_fun 1 valid_int "not_a_num"
test_fun 1 valid_int "" test_fun 1 valid_int ""
sleep 0.15s sleep 0.15
header "hostname" header "hostname"
@@ -146,7 +146,7 @@ test_fun 1 valid_hostname "localhost"
test_fun 1 valid_hostname "" test_fun 1 valid_hostname ""
sleep 0.15s sleep 0.15
header "string (default min_length: 1, default max_length: 64)" header "string (default min_length: 1, default max_length: 64)"
@@ -168,7 +168,7 @@ test_fun 1 valid_string "too_long" "" "4"
test_fun 1 valid_string "" test_fun 1 valid_string ""
sleep 0.15s sleep 0.15
header "Linux user" header "Linux user"
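Review bot: In the "CIDR (ipv4)" block the case `192.168.1.0/12` is rewritten to the valid `192.160.0.0/12` rather than kept as an expected failure, so none of the visible cases pins the new rejection of a network with host bits set; `test_fun 1 valid_cidr "192.168.1.0/12"` would do that. The visible cases also include no value containing a quote character and no IPv6 address for valid_ip4 or valid_cidr, which is where the Python-based validators differ most from the old regexes. One line for each, with the expected result the project intends, would document that behaviour.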