add support for validating ip addresses for the backend target so we can throw a js error if the ip address is invalid

Jake Champion · Jake Champion · commit f1a4e70337ee · 2022-09-27T13:48:10.000+01:00
diff --git a/c-dependencies/js-compute-runtime/builtins/backend.cpp b/c-dependencies/js-compute-runtime/builtins/backend.cpp
@@ -29,6 +29,130 @@ std::vector<std::string_view> split(std::string_view string, char delimiter) {
   return result;
 }
 
+// An IPv6 (normal) address has the format y:y:y:y:y:y:y:y, where y is
+// called a segment and can be any hexadecimal value between 0 and FFFF. The
+// segments are separated by colons, not periods. An IPv6 normal address
+// must have eight segments; however, a short form notation can be used in
+// the TS4500 management GUI for segments that are zero, or those that have
+// leading zeros.
+bool isValidNormalIPv6(std::string_view ip, int maxSegments = 8) {
+  // if more than two consecutive colons then invalid
+  // if no consecutive colons, then there must be 8 segments
+  // if consecutive colons then there must be between 3 and 7 segments inclusive
+  // each segment must be at most 4 hexadecimal digits
+  auto emptySegments = 0;
+  auto segments = split(ip, ':');
+  if (segments.size() < 3) {
+    return false;
+  }
+  if (segments.size() > maxSegments + 1) {
+    return false;
+  }
+  auto firstSegmentIsEmpty = segments.front().length() == 0;
+  auto lastSegmentIsEmpty = segments.back().length() == 0;
+  for (auto segment : segments) {
+    if (segment.length() == 0) {
+      emptySegments++;
+      if (emptySegments == 3) {
+        if (segments.size() == 3) {
+          return true;
+        } else {
+          return false;
+        }
+      }
+    }
+    if (segment.length() == 0) {
+      continue;
+    }
+    if (segment.length() > 4) {
+      return false;
+    }
+
+    for (auto c : segment) {
+      if (!std::isxdigit(c)) {
+        return false;
+      }
+    }
+  }
+
+  if (emptySegments == 0 && segments.size() != maxSegments) {
+    return false;
+  }
+
+  // This would indicate not enough segments are in the ip
+  // E.G. :y
+  if (emptySegments == 1 && firstSegmentIsEmpty && segments.size() != maxSegments) {
+    return false;
+  }
+
+  // E.G. y:y:y:y:y::y:y:y
+  if (emptySegments == 2 && lastSegmentIsEmpty && segments.size() == maxSegments + 1) {
+    return true;
+  }
+  // This would indicate the ip has multiple :: which is not allowed
+  // E.G. y::y::y
+  if (emptySegments > 1 && !firstSegmentIsEmpty && !lastSegmentIsEmpty) {
+    return false;
+  }
+
+  if (emptySegments && segments.size() > maxSegments) {
+    return false;
+  }
+  return true;
+}
+
+bool isValidIPv4(std::string_view ip) {
+  auto sections = split(ip, '.');
+  if (sections.size() != 4) {
+    return false;
+  }
+  for (auto digits : sections) {
+    if (digits.length() > 1 && digits.front() == '0') {
+      return false;
+    }
+    int value;
+    const std::from_chars_result result =
+        std::from_chars(digits.data(), digits.data() + digits.size(), value);
+    if (result.ec == std::errc::invalid_argument || result.ec == std::errc::result_out_of_range) {
+      return false;
+    }
+    if (value > 255) {
+      return false;
+    }
+  }
+  return true;
+}
+
+// An IPv6 (dual) address combines an IPv6 and an IPv4 address and has the
+// following format: y:y:y:y:y:y:x.x.x.x. The IPv6 portion of the address
+// (indicated with y's) is always at the beginning, followed by the IPv4
+// portion (indicated with x's).
+// In the IPv6 portion of the address, y is called a segment and can be any
+// hexadecimal value between 0 and FFFF. The segments are separated by
+// colons, not periods. The IPv6 portion of the address must have six
+// segments but there is a short form notation for segments that are zero.
+// In the IPv4 portion of the address x is called an octet and must be a
+// decimal value between 0 and 255. The octets are separated by periods. The
+// IPv4 portion of the address must contain three periods and four octets.
+bool isValidDualIPv6(std::string_view ip) {
+  std::size_t found = ip.find_last_of(':');
+  auto ipv6 = ip[found - 1] == ':' ? ip.substr(0, found + 1) : ip.substr(0, found);
+  auto ipv4 = ip.substr(found + 1);
+  return isValidIPv4(ipv4) && isValidNormalIPv6(ipv6, 6);
+}
+
+bool isValidIP(std::string_view ip) {
+  if (ip.find(':') != std::string::npos) {
+    if (ip.find('.') != std::string::npos) {
+      return isValidDualIPv6(ip);
+    } else {
+      return isValidNormalIPv6(ip);
+    }
+  } else {
+    return isValidIPv4(ip);
+  }
+}
+
 // A "host" is a "hostname" and an optional "port" in the format hostname:port
 // A "hostname" is between 1 and 255 octets -- https://www.rfc-editor.org/rfc/rfc1123#page-13
 // A "hostname" must start with a letter or digit -- https://www.rfc-editor.org/rfc/rfc1123#page-13
@@ -331,8 +455,11 @@ bool Backend::set_target(JSContext *cx, JSObject *backend, JS::HandleValue targe
     return false;
   }
 
-  // TODO: also allow IP addresses
-  if (!isValidHost(targetString)) {
+  if (targetString == "::") {
+    JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_BACKEND_TARGET_INVALID);
+    return false;
+  }
+  if (!isValidHost(targetString) && !isValidIP(targetString)) {
     JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_BACKEND_TARGET_INVALID);
     return false;
   }
diff --git a/integration-tests/js-compute/fixtures/dynamic-backend/bin/index.js b/integration-tests/js-compute/fixtures/dynamic-backend/bin/index.js
@@ -325,18 +325,41 @@ routes.set('/', () => {
           "fastly.com:80",
           "fastly.com:443",
           "fastly.com:65535",
+          // Basic zero IPv4 address.
+          "0.0.0.0",
+          // Basic non-zero IPv4 address.
+          "192.168.140.255",
+
+          // TODO: These are commented out as the hostcall currently yields an error of "invalid authority" when given an ipv6 address
+          // Localhost IPv6.
+          // "::1",
+          // Fully expanded IPv6 address.
+          // "fd7a:115c:a1e0:ab12:4843:cd96:626b:430b",
+          // IPv6 with elided fields in the middle.
+          // "fd7a:115c::626b:430b",
+          // IPv6 with elided fields at the end.
+          // "fd7a:115c:a1e0:ab12:4843:cd96::",
+          // IPv6 with single elided field at the end.
+          // "fd7a:115c:a1e0:ab12:4843:cd96:626b::",
+          // IPv6 with single elided field in the middle.
+          // "fd7a:115c:a1e0::4843:cd96:626b:430b",
+          // IPv6 with the trailing 32 bits written as IPv4 dotted decimal. (4in6)
+          // "::ffff:192.168.140.255",
+          // IPv6 with capital letters.
+          // "FD9E:1A04:F01D::1",
         ];
         let i = 0;
         for (const target of targets) {
           let error = assertDoesNotThrow(() => {
-            new Backend({ name: 'target-property-valid-host-'+i, target })
+            console.log(target)
+            new Backend({ name: 'target-property-valid-host-' + i, target })
           })
           if (error) { return error }
           i++;
         }
         return pass()
       });
-      
+
       routes.set("/backend/constructor/parameter-target-property-invalid-host", async () => {
         const targets = [
           "-www.fastly.com",
@@ -348,11 +371,47 @@ routes.set('/', () => {
           "fastly.com:-1",
           "fastly.com:0",
           "fastly.com:65536",
+          // IPv4 address in windows-style "print all the digits" form.
+          // "010.000.015.001",
+          // IPv4 address with a silly amount of leading zeros.
+          // "000001.00000002.00000003.000000004",
+          // 4-in-6 with octet with leading zero
+          // "::ffff:1.2.03.4", 
+          // Basic zero IPv6 address.
+          "::",
+          // IPv6 with not enough fields
+          "1:2:3:4:5:6:7",
+          // IPv6 with too many fields
+          "1:2:3:4:5:6:7:8:9",
+          // IPv6 with 8 fields and a :: expander
+          "1:2:3:4::5:6:7:8",
+          // IPv6 with a field bigger than 2b
+          "fe801::1",
+          // IPv6 with non-hex values in field
+          "fe80:tail:scal:e::",
+          // IPv6 with a zone delimiter but no zone.
+          "fe80::1%",
+          // IPv6 (without ellipsis) with too many fields for trailing embedded IPv4.
+          "ffff:ffff:ffff:ffff:ffff:ffff:ffff:192.168.140.255",
+          // IPv6 (with ellipsis) with too many fields for trailing embedded IPv4.
+          "ffff::ffff:ffff:ffff:ffff:ffff:ffff:192.168.140.255",
+          // IPv6 with invalid embedded IPv4.
+          "::ffff:192.168.140.bad",
+          // IPv6 with multiple ellipsis ::.
+          "fe80::1::1",
+          // IPv6 with invalid non hex/colon character.
+          "fe80:1?:1",
+          // IPv6 with truncated bytes after single colon.
+          "fe80:",
+          ":::1",
+          ":0:1",
+          ":",
         ];
         let i = 0;
         for (const target of targets) {
           let error = assertThrows(() => {
-            new Backend({ name: 'target-property-invalid-host-'+i, target })
+            console.log(target)
+            new Backend({ name: 'target-property-invalid-host-' + i, target })
           }, TypeError, `Backend constructor: target does not contain a valid IPv4, IPv6, or hostname address`)
           if (error) { return error }
           i++;
@@ -604,7 +663,7 @@ routes.set('/', () => {
     // useSSL property
     {
       routes.set("/backend/constructor/parameter-useSSL-property-valid-boolean", async () => {
-        const types = [{},[],Symbol(),1,"2"];
+        const types = [{}, [], Symbol(), 1, "2"];
         for (const type of types) {
           let error = assertDoesNotThrow(() => {
             new Backend({ name: 'useSSL-property-valid-boolean' + type, target: 'a', useSSL: type })
@@ -805,7 +864,7 @@ routes.set('/', () => {
     // checkCertificate property
     {
       routes.set("/backend/constructor/parameter-checkCertificate-property-valid-boolean", async () => {
-        const types = [{},[],Symbol(),1,"2"];
+        const types = [{}, [], Symbol(), 1, "2"];
         for (const type of types) {
           let error = assertDoesNotThrow(() => {
             new Backend({ name: 'checkCertificate-property-valid-boolean' + type, target: 'a', checkCertificate: type })
@@ -865,7 +924,7 @@ routes.set('/', () => {
         return pass()
       });
     }
-   
+
     // sniHostname property
     {
       routes.set("/backend/constructor/parameter-sniHostname-property-empty-string", async () => {
