fluent
fix: properly handle IPv6 addresses in HTTP Host headers
This commit fixes IPv6 address handling in HTTP client Host headers by adding bracket notation when required and improving URL parsing validation.
Changes:
- Add automatic bracket wrapping for unbracketed IPv6 addresses in Host headers for both standard and non-standard ports
- Add IPv6 bracketing for HTTPS default port (443) to ensure RFC compliance even when port is omitted (e.g., Host: [::1])
- Fix off-by-one error in IPv6 bracket stripping (was removing one extra character)
- Fix incorrect length calculation in flb_utils_copy_host_sds for bracketed IPv6 extraction (changed from absolute position to relative length to properly account for pos_init offset)
- Constrain IPv6 bracket validation to host portion only, preventing false negatives when brackets appear in URL paths or query strings
- Use memchr with length limit for consistent and safe bracket detection in both IPv6 and non-IPv6 cases
- Improve error handling in URL parsing with proper cleanup on failure
- Update TLS flag checking to use flb_stream_get_flag_status() for more reliable detection
Tests:
- Add test for IPv6 with HTTPS on default port 443
- Add test cases for brackets in URL paths and query strings
- Add test cases for malformed bracket scenarios
Addresses #10699
ECR images with changes:
- ipv6 - 509399602790.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-for-fluent-bit:ipv6-changes
- valgrind - 509399602790.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-for-fluent-bit:ipv6-changes-valgrind
Testing Before we can approve your change; please submit the following in a comment:
- [X] Example configuration file for the change
- [X] Debug log output from testing the change
- [X] Attached Valgrind output that shows no leaks or memory corruption was found
Conf/Logs available at - https://gist.github.com/ShelbyZ/63f6edd05fec039feae6c8c615db52e2 (includes full fluent-bit and valgrind)
If this is a change to packaging of containers or native binaries then please confirm it works for all targets.
- [N/A] Run local packaging test showing all targets (including any new ones) build.
- [N/A] Set
ok-package-testlabel to test for all targets (requires maintainer to do).
Documentation
- [N/A] Documentation required for this feature (however we may want to provide general IPv6 documentation somewhere...)
Backporting
- [N/A] Backport to latest stable release.
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
Summary by CodeRabbit
-
New Features
- Host header now detects TLS at runtime and formats/brackets IPv6 addresses correctly, including handling of zone IDs and default HTTPS port behavior.
-
Bug Fixes
- Bracket-aware host and URL parsing with validation for malformed IPv6 brackets, improved URI defaults, and safer error/cleanup paths.
-
Tests
- Expanded host header and URL parsing tests covering IPv6/IPv4, bracketed/unbracketed forms, zone IDs, ports, and TLS/non‑TLS.
-
Chores
- Improved IPv6 networking compatibility on Windows builds.
✏️ Tip: You can customize this high-level summary in your review settings.
[!NOTE]
Other AI code review bot(s) detected
CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.
Walkthrough
Adds bracket-aware IPv6 validation and parsing to URL split routines; updates Host header composition to use runtime TLS status, strip IPv6 zone IDs, and apply RFC-compliant bracketing/port rules; adds Windows networking includes; and expands tests covering IPv6/IPv4 host/header and URL parsing cases.
Changes
| Cohort / File(s) | Summary |
|---|---|
URL parsing & IPv6 validation src/flb_utils.c |
Adds validate_ipv6_brackets() and bracket-aware host/port extraction; adjusts bracketed host length calculations; integrates bracket handling into flb_utils_url_split and flb_utils_url_split_sds; adds create_uri_with_slash(_sds) helpers; improves allocation checks, error handling, and cleanup. |
Host header generation src/flb_http_client.c |
Uses runtime TLS check via flb_stream_get_flag_status(&u->base, FLB_IO_TLS); detects unbracketed IPv6 and strips zone IDs for Host header; applies bracketing and port inclusion per TLS/default-port rules; preserves IPv4/domain and already-bracketed behavior. |
Windows networking includes src/flb_http_client.c, src/flb_network.c |
Adds Windows-specific headers (winsock2.h, ws2tcpip.h) under FLB_SYSTEM_WINDOWS and includes flb_compat.h where applicable. |
HTTP client tests (host header) tests/internal/http_client.c |
Adds helpers to verify Host header composition and a comprehensive test suite validating Host header formatting across IPv6 (plain, bracketed, with zone IDs), IPv4, domains, ports, and TLS vs non-TLS scenarios. |
URL parsing tests (utils) tests/internal/utils.c |
Extends url_checks with many IPv6-related URL cases: bracketed literals (with/without ports), URIs, queries, fragments, and malformed-bracket negative cases. |
Sequence Diagram(s)
sequenceDiagram
autonumber
participant T as Test/Caller
participant URL as flb_utils_url_split*
participant Val as validate_ipv6_brackets()
participant Conn as flb_http_client / Connection
participant Host as Host Header Composer
T->>URL: parse URL (may contain IPv6)
URL->>Val: validate bracket usage if IPv6-like
alt invalid brackets
Val-->>URL: error
URL-->>T: return error (cleanup)
else valid or not IPv6
Val-->>URL: bracket info
URL-->>T: proto, host, port, uri (bracket-aware)
T->>Conn: open connection (check runtime TLS flag)
Conn->>Host: compose Host header (calls flb_stream_get_flag_status)
alt unbracketed IPv6 detected
Host-->>Conn: strip zone ID if present, bracket address, include port per rules
else IPv4/domain/already-bracketed
Host-->>Conn: format host[:port] (omit default TLS port when applicable)
end
Conn-->>T: connection + Host header ready
end
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~45 minutes
- Review focus:
validate_ipv6_brackets()correctness for edge cases (missing end bracket, malformed brackets, zone IDs).- Host header logic around runtime TLS detection, default-port omission, and consistent bracketing behavior.
- Memory allocation, cleanup, and error-return paths in
flb_utils_url_splitand_sdsvariants. - Tests: ensure expectations precisely match header formatting and parsing behavior across all IPv6/port permutations.
Poem
🐇 I hopped through brackets, trimmed a "%eth0" tail,
I wrapped lone IPv6 so hosts wouldn't fail.
Tests lined the burrow, sniffing ports and schemes,
Headers hugged addresses, neat as carrot dreams.
🥕
Pre-merge checks and finishing touches
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 25.93% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix: properly handle IPv6 addresses in HTTP Host headers' clearly and accurately summarizes the main change across all modified files. |
✨ Finishing touches
- [ ] 📝 Generate docstrings
🧪 Generate unit tests (beta)
- [ ] Create PR with unit tests
- [ ] Post copyable unit tests in a comment
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands and usage tips.
![coderabbitai[bot] avatar](https://avatars.githubusercontent.com/in/347564?v=4 "Published by a pub.dev verified publisher"){kind=small}
