Merge pull request #6201 from Security-Onion-Solutions/fix/cidr-ip-validation

Improve cidr validation in setup and match ip validation to similar method
2025-12-10 19:22:54 +01:00 · 2021-11-12 13:34:19 -05:00
parent 8d185ced61 ed3b2e4569
commit ba621639bd
3 changed files with 53 additions and 24 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -390,20 +390,30 @@ has_uppercase() {
 }

 valid_cidr() {
-	# Verify there is a backslash in the string
-	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
-	
-	local cidr
-	local ip
+	local cidr=$1

-	cidr=$(echo "$1" | sed 's/.*\///')
-	ip=$(echo "$1" | sed 's/\/.*//' )
-	
-	if valid_ip4 "$ip"; then
-		[[ $cidr =~ ([0-9]|[1-2][0-9]|3[0-2]) ]] && return 0 || return 1
-	else
-		return 1
-	fi
+	read -r -d '' cidr_python <<- EOM
+	import ipaddress
+	import sys
+
+	def validate_cidr(cidr: str) -> bool:
+	  # We want the string to be a cidr block and not a single ip
+	  if '/' not in cidr:
+	  	return False
+	  try:
+	    ipaddress.ip_network(cidr)
+	  except ValueError:
+	    return False
+	  return True
+
+	if validate_cidr('$cidr'):
+	  sys.exit(0)
+	else:
+	  sys.exit(1)
+	EOM
+
+	python3 -c "$cidr_python"
+	return $?
 }

 valid_cidr_list() {
@@ -447,7 +457,26 @@ valid_hostname() {
 valid_ip4() {
 	local ip=$1

-	echo "$ip" | grep -qP '^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' && return 0 || return 1
+	local ip_python
+	read -r -d '' ip_python <<- EOM
+	import ipaddress
+	import sys
+
+	def validate_ip(ip: str) -> bool:
+	  try:
+	    ipaddress.ip_address(ip)
+	  except ValueError:
+	    return False
+	  return True
+
+	if validate_ip('$ip'):
+	  sys.exit(0)
+	else:
+	  sys.exit(1)
+	EOM
+
+	python3 -c "$ip_python"
+	return $?
 }

 valid_int() {