node-netmask icon indicating copy to clipboard operation
node-netmask copied to clipboard
verified publisher icon rs

Improper Input Validation

Open AlonNavon opened this issue 2 years ago • 0 comments

  1. In the latest 2.0.2 there was a rewrite of the IP validation. Effectively, in version 2.0.2 the sanity check that IP components are < 0xFFFFFFFF has been removed, because >>> 0 always converts them to a 32-bit unsigned long. This can cause trouble, for example this "IP" actually checks out as belonging to the localhost block: "4294967423.0.0.1" (because mod 2^32 it is equal to 127.0.0.1). Although it's obviously an invalid IP, this has the potential to create shenanigans, because other libraries probably are not making the exact same mistake.

  2. Another input validation issue is the use of the ParseInt function for the mask parameter. For example two possible inputs that generate a nonsensical state: (a) Try weird = new Netmask('1.2.3.4', -1) , and then the state of the netmask object includes a bitmask <0, and size > 2^32 among other oddities. The next() operation has an uncaught error in this case. (b) Try weird2 = new Netmask('1.2.3.4', 0.1). The constructor succeeds, but the state is similarly funky.

Best regards, Alon Navon, Seal Security

AlonNavon avatar Feb 05 '23 13:02 AlonNavon