fix: normalize scope within range to ensure allowlist check (#3735)

LaurenceJJones · web-flow · commit 1d89310e0247 · 2025-07-22T10:39:22.000+02:00
diff --git a/cmd/crowdsec-cli/clidecision/import.go b/cmd/crowdsec-cli/clidecision/import.go
@@ -199,7 +199,7 @@ func (cli *cliDecisions) import_(ctx context.Context, input string, duration str
 		decisionsStr := make([]string, 0, len(chunk))
 
 		for _, d := range chunk {
-			if *d.Scope != types.Ip && *d.Scope != types.Range {
+			if normalizedScope := types.NormalizeScope(*d.Scope); normalizedScope != types.Ip && normalizedScope != types.Range {
 				continue
 			}
 
diff --git a/test/bats/cscli-allowlists.bats b/test/bats/cscli-allowlists.bats
@@ -167,6 +167,18 @@ teardown() {
     assert_stderr --partial 'Decision successfully added'
 }
 
+@test "cscli allowlist: check lowercase range decisions import" {
+    rune -0 cscli allowlist create foo -d 'a foo'
+    rune -0 cscli allowlist add foo 192.168.0.0/16
+    rune -0 cscli decisions import -i - <<<'192.168.0.0/24' --format values --scope range 
+    assert_output - <<-EOT
+	Parsing values
+	Value 192.168.0.0/24 is allowlisted by [192.168.0.0/16 from foo]
+	Imported 0 decisions
+	EOT
+    refute_stderr
+}
+
 @test "cscli allowlists check" {
     rune -0 cscli allowlist create foo -d 'a foo'
     rune -0 cscli allowlist add foo 192.168.0.0/16

Original file line number	Diff line number	Diff line change
`@@ -199,7 +199,7 @@ func (cli *cliDecisions) import_(ctx context.Context, input string, duration str`
`199`	`199`	`decisionsStr := make([]string, 0, len(chunk))`
`200`	`200`
`201`	`201`	`for _, d := range chunk {`
`202`		`- if d.Scope != types.Ip && d.Scope != types.Range {`
	`202`	`+ if normalizedScope := types.NormalizeScope(*d.Scope); normalizedScope != types.Ip && normalizedScope != types.Range {`
`203`	`203`	`continue`
`204`	`204`	`}`
`205`	`205`