From 9bc9e57521f702a9a6b17020ede508a067e43cd5 Mon Sep 17 00:00:00 2001 From: Scott Koranda Date: Mon, 25 Nov 2019 18:58:12 -0600 Subject: [PATCH 1/2] Fix ipv6 validation for addresses with brackets Fix ipv6 validation for addresses that include the brackets, such as [2001:8003:5555:9999:555a:5555:c77:d5c5]. See https://tools.ietf.org/html/rfc4038#section-5.1 regarding the inclusion of brackets in the address. The Shibboleth IdP sends ipv6 addresses that include the brackets. --- src/saml2/validate.py | 2 ++ tests/test_13_validate.py | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/src/saml2/validate.py b/src/saml2/validate.py index 8b0533f96..c6caf47d9 100644 --- a/src/saml2/validate.py +++ b/src/saml2/validate.py @@ -133,6 +133,7 @@ def valid_ipv4(address): IPV6_PATTERN = re.compile(r""" ^ \s* # Leading whitespace + \[? # See https://tools.ietf.org/html/rfc4038#section-5.1 (?!.*::.*::) # Only a single wildcard allowed (?:(?!:)|:(?=:)) # Colon iff it would be part of a wildcard (?: # Repeat 6 times: @@ -153,6 +154,7 @@ def valid_ipv4(address): (?:25[0-4]|2[0-4]\d|1\d\d|[1-9]?\d) ){3} ) + \]? # See https://tools.ietf.org/html/rfc4038#section-5.1 \s* # Trailing whitespace $ """, re.VERBOSE | re.IGNORECASE | re.DOTALL) diff --git a/tests/test_13_validate.py b/tests/test_13_validate.py index ba85e6cbe..9c91299a7 100644 --- a/tests/test_13_validate.py +++ b/tests/test_13_validate.py @@ -13,6 +13,7 @@ from saml2.validate import valid_any_uri from saml2.validate import NotValid from saml2.validate import valid_anytype +from saml2.validate import valid_address from pytest import raises @@ -120,3 +121,10 @@ def test_valid_anytype(): assert valid_anytype("P1Y2M3DT10H30M") assert valid_anytype("urn:oasis:names:tc:SAML:2.0:attrname-format:uri") +def test_valid_address(): + assert valid_address("130.239.16.3") + assert valid_address("2001:8003:5555:9999:555a:5555:c77:d5c5") + + # See https://tools.ietf.org/html/rfc4038#section-5.1 regarding + # the inclusion of brackets in the ipv6 address below. + assert valid_address("[2001:8003:5555:9999:555a:5555:c77:d5c5]") From 95911d9e550ddee6ce8ac4feb99ac15a43c15a8d Mon Sep 17 00:00:00 2001 From: Ivan Kanakarakis Date: Tue, 26 Nov 2019 12:28:44 +0200 Subject: [PATCH 2/2] Extend checks for IPv6 addresses - Make sure enclosing brackets match. - Use the built-in classes/checks for the IPv6/IPv4 address format. - Extend tests to bad cases Signed-off-by: Ivan Kanakarakis --- src/saml2/validate.py | 56 +++++++++++---------------------------- tests/test_13_validate.py | 17 ++++++++++++ 2 files changed, 33 insertions(+), 40 deletions(-) diff --git a/src/saml2/validate.py b/src/saml2/validate.py index c6caf47d9..26de5472f 100644 --- a/src/saml2/validate.py +++ b/src/saml2/validate.py @@ -4,6 +4,9 @@ import struct import base64 import time +from ipaddress import AddressValueError +from ipaddress import IPv4Address +from ipaddress import IPv6Address from saml2 import time_util @@ -112,57 +115,30 @@ def validate_before(not_before, slack): def valid_address(address): + """Validate IPv4/IPv6 addresses.""" if not (valid_ipv4(address) or valid_ipv6(address)): raise NotValid("address") return True def valid_ipv4(address): - parts = address.split(".") - if len(parts) != 4: + """Validate IPv4 addresses.""" + try: + IPv4Address(address) + except AddressValueError: return False - for item in parts: - try: - if not 0 <= int(item) <= 255: - raise NotValid("ipv4") - except ValueError: - return False return True -# -IPV6_PATTERN = re.compile(r""" - ^ - \s* # Leading whitespace - \[? # See https://tools.ietf.org/html/rfc4038#section-5.1 - (?!.*::.*::) # Only a single wildcard allowed - (?:(?!:)|:(?=:)) # Colon iff it would be part of a wildcard - (?: # Repeat 6 times: - [0-9a-f]{0,4} # A group of at most four hexadecimal digits - (?:(?<=::)|(?