Feedback: Add IPv6 address handling, including unbracketed.

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 3e9bb96de589 · 2026-01-24T17:19:53.000-05:00
diff --git a/libwebauthn/src/ops/webauthn/idl/rpid.rs b/libwebauthn/src/ops/webauthn/idl/rpid.rs
@@ -52,9 +52,17 @@ impl TryFrom<&str> for RelyingPartyId {
             return Err(Error::EmptyRelyingPartyId);
         }
 
+        // Check for IP addresses (both IPv4 and IPv6)
+        // IPv6 addresses may be bracketed (e.g., "[::1]") per RFC 2732
         if value.parse::<IpAddr>().is_ok() {
             return Err(Error::IpAddressNotAllowed(value.to_string()));
         }
+        if value.starts_with('[') && value.ends_with(']') {
+            let inner = &value[1..value.len() - 1];
+            if inner.parse::<IpAddr>().is_ok() {
+                return Err(Error::IpAddressNotAllowed(value.to_string()));
+            }
+        }
 
         let ascii = idna::domain_to_ascii(value)
             .map_err(|_| Error::InvalidRelyingPartyId(value.to_string()))?;
@@ -128,9 +136,40 @@ mod tests {
     }
 
     #[test]
-    fn test_relying_party_id_rejects_ip_address() {
-        let result = RelyingPartyId::try_from("127.0.0.1");
-        assert!(matches!(result, Err(Error::IpAddressNotAllowed(_))));
+    fn test_relying_party_id_rejects_ipv4_address() {
+        let ipv4_addresses = ["127.0.0.1", "192.168.1.1", "10.0.0.1", "255.255.255.255"];
+        for ip in ipv4_addresses {
+            let result = RelyingPartyId::try_from(ip);
+            assert!(
+                matches!(result, Err(Error::IpAddressNotAllowed(_))),
+                "Expected IPv4 address '{}' to be rejected",
+                ip
+            );
+        }
+    }
+
+    #[test]
+    fn test_relying_party_id_rejects_ipv6_address() {
+        let ipv6_addresses = [
+            // Bracketed format (RFC 2732)
+            "[::1]",
+            "[2001:db8::1]",
+            "[fe80::1]",
+            "[::ffff:192.168.1.1]",
+            // Unbracketed format
+            "::1",
+            "2001:db8::1",
+            "fe80::1",
+            "::ffff:192.168.1.1",
+        ];
+        for ip in ipv6_addresses {
+            let result = RelyingPartyId::try_from(ip);
+            assert!(
+                matches!(result, Err(Error::IpAddressNotAllowed(_))),
+                "Expected IPv6 address '{}' to be rejected",
+                ip
+            );
+        }
     }
 
     #[test]
