nope-ip removal - Phase 5

Adding functions to net_utils.js | nope-ip removal - Phase 5
`net_utils.js`

- Updating `is_private` to capture more cases
- Adding `ip_to_buffer_safe` that will allocate a buffer for the given IP address
- Adding `is_ipv6_loopback_buffer` that will ensure that an IPv6 buffer is a loopback
- Adding `is_equal` that will check if two addresses are equal

`ice.js`

- Calling the native `is_private` from `net_utils`

`http_utils`
- Calling the native `is_equal` from `net_utils`

- Adding jest tests

Signed-off-by: liranmauda <[email protected]>

Author: liranmauda

src/rpc/ice.js

@@ -20,6 +20,7 @@ const dbg = require('../util/debug_module')(__filename);
 const stun = require('./stun');
 const config = require('../../config');
 const js_utils = require('../util/js_utils');
+const net_utils = require('../util/net_utils');
 const url_utils = require('../util/url_utils');
 const FrameStream = require('../util/frame_stream');
 const buffer_utils = require('../util/buffer_utils');
@@ -1311,7 +1312,7 @@ Ice.prototype.close = function() {
 function IceCandidate(cand) {
     const is_private_no_throw = address => {
         try {
-            return ip_module.isPrivate(address);
+            return net_utils.is_private(address);
         } catch (err) {
             return false;
         }

src/test/unit_tests/util_functions_tests/test_net_utils.test.js

@@ -136,15 +136,125 @@ describe('IP Utils', () => {
         expect(net_utils.is_localhost('google.com')).toBe(false);
     });
 
-    it('should return true for private IPv4 addresses or false to any other address', () => {
+    it('should return true for the IPv6 loopback address ::1', () => {
+        const buf = Buffer.alloc(16);
+        buf[15] = 1; // last byte is 1
+        expect(net_utils.is_ipv6_loopback_buffer(buf)).toBe(true);
+    });
+
+    it('should return false for :: (all zeros)', () => {
+        const buf = Buffer.alloc(16); // all zeros
+        expect(net_utils.is_ipv6_loopback_buffer(buf)).toBe(false);
+    });
+
+    it('should return false for random non-loopback IPv6 address', () => {
+        const buf = Buffer.from([
+            0x20, 0x01, 0x0d, 0xb8,
+            0x85, 0xa3, 0x00, 0x00,
+            0x00, 0x00, 0x8a, 0x2e,
+            0x03, 0x70, 0x73, 0x34
+        ]);
+        expect(net_utils.is_ipv6_loopback_buffer(buf)).toBe(false);
+    });
+
+    it('should return false if last byte is not 1', () => {
+        const buf = Buffer.alloc(16);
+        buf[15] = 2; // last byte is 2
+        expect(net_utils.is_ipv6_loopback_buffer(buf)).toBe(false);
+    });
+
+    it('should return false if first 15 bytes are not all zero', () => {
+        const buf = Buffer.alloc(16);
+        buf[0] = 1; // first byte not zero
+        buf[15] = 1; // last byte correct
+        expect(net_utils.is_ipv6_loopback_buffer(buf)).toBe(false);
+    });
+
+    it('should return false for buffers of incorrect length', () => {
+        const shortBuf = Buffer.alloc(8);
+        expect(net_utils.is_ipv6_loopback_buffer(shortBuf)).toBe(false);
+
+        const longBuf = Buffer.alloc(32);
+        longBuf[31] = 1;
+        expect(net_utils.is_ipv6_loopback_buffer(longBuf)).toBe(false);
+    });
+
+    it('should return true for 10/8', () => {
         expect(net_utils.is_private('10.0.0.1')).toBe(true);
+        expect(net_utils.is_private('10.255.255.255')).toBe(true);
+    });
+
+    it('should return true for 172.16.0.0 – 172.31.255.255', () => {
         expect(net_utils.is_private('172.16.0.1')).toBe(true);
-        expect(net_utils.is_private('192.168.1.1')).toBe(true);
+        expect(net_utils.is_private('172.31.255.254')).toBe(true);
+        expect(net_utils.is_private('172.15.0.1')).toBe(false); // outside range
+        expect(net_utils.is_private('172.32.0.1')).toBe(false); // outside range
+    });
+
+    it('should return true for 192.168/16', () => {
+        expect(net_utils.is_private('192.168.0.1')).toBe(true);
+        expect(net_utils.is_private('192.168.255.255')).toBe(true);
+    });
+
+    it('should return true for loopback 127/8', () => {
+        expect(net_utils.is_private('127.0.0.1')).toBe(true);
+        expect(net_utils.is_private('127.255.255.255')).toBe(true);
+    });
+
+    it('should return true for link-local 169.254/16', () => {
+        expect(net_utils.is_private('169.254.1.1')).toBe(true);
+    });
+
+    it('should return false for public IPv4', () => {
         expect(net_utils.is_private('8.8.8.8')).toBe(false);
         expect(net_utils.is_private('1.1.1.1')).toBe(false);
-        expect(net_utils.is_private('2001:db8::1')).toBe(false);
+        expect(net_utils.is_private('172.32.0.1')).toBe(false);
+        expect(net_utils.is_private('172.15.0.1')).toBe(false);
+    });
+
+    // IPv4 with CIDR
+    it('should correctly handle IPv4 addresses with CIDR', () => {
+        expect(net_utils.is_private('10.1.2.3/24')).toBe(true);
+        expect(net_utils.is_private('8.8.8.8/32')).toBe(false);
+    });
+
+    // IPv6 unspecified (::)
+    it('should return true for ::', () => {
+        expect(net_utils.is_private('::')).toBe(true);
+    });
+
+    // IPv6 loopback (::1)
+    it('should return true for ::1', () => {
+        expect(net_utils.is_private('::1')).toBe(true);
     });
 
+    // IPv6 ULA fc00::/7
+    it('should return true for fc00::/7', () => {
+        expect(net_utils.is_private('fc00::1')).toBe(true);
+        expect(net_utils.is_private('fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff')).toBe(true);
+        expect(net_utils.is_private('fe00::1')).toBe(false);
+    });
+
+    // IPv6 link-local fe80::/10
+    it('should return true for fe80::/10', () => {
+        expect(net_utils.is_private('fe80::1')).toBe(true);
+        expect(net_utils.is_private('febf::1')).toBe(true);
+        expect(net_utils.is_private('fec0::1')).toBe(false);
+    });
+
+    // IPv4-mapped IPv6
+    it('should correctly detect IPv4-mapped IPv6 addresses', () => {
+        expect(net_utils.is_private('::ffff:10.0.0.1')).toBe(true);
+        expect(net_utils.is_private('::ffff:8.8.8.8')).toBe(false);
+        expect(net_utils.is_private('::ffff:192.168.1.1')).toBe(true);
+    });
+
+    // Invalid addresses
+    it('should return false for invalid addresses', () => {
+        expect(net_utils.is_private('invalid')).toBe(false);
+        expect(net_utils.is_private('300.300.300.300')).toBe(false);
+        expect(net_utils.is_private('::gggg')).toBe(false);
+    });
 
     it('should return true for public addresses or false for private addresses', () => {
         expect(net_utils.is_public('10.0.0.1')).toBe(false);
@@ -155,4 +265,65 @@ describe('IP Utils', () => {
         expect(net_utils.is_public('2001:db8::1')).toBe(true);
     });
 
+    it('should return a 4-byte buffer for IPv4', () => {
+        const buf = net_utils.ip_to_buffer_safe('192.168.1.1');
+        expect(buf).toBeInstanceOf(Buffer);
+        expect(buf.length).toBe(4);
+        expect(buf).toEqual(Buffer.from([192, 168, 1, 1]));
+    });
+
+    it('should return a 16-byte buffer for IPv6', () => {
+        const buf = net_utils.ip_to_buffer_safe('::1');
+        expect(buf).toBeInstanceOf(Buffer);
+        expect(buf.length).toBe(16);
+        // Loopback IPv6 is all zeros except last byte
+        expect(buf[15]).toBe(1);
+    });
+
+    it('should return null for invalid IP', () => {
+        expect(net_utils.ip_to_buffer_safe('invalid')).toBeNull();
+        expect(net_utils.ip_to_buffer_safe('300.300.300.300')).toBeNull();
+        expect(net_utils.ip_to_buffer_safe('::gggg')).toBeNull();
+    });
+
+    // IPv4 equality
+    it('should return true for identical IPv4 addresses', () => {
+        expect(net_utils.is_equal('192.168.1.1', '192.168.1.1')).toBe(true);
+    });
+
+    it('should return false for different IPv4 addresses', () => {
+        expect(net_utils.is_equal('192.168.1.1', '192.168.1.2')).toBe(false);
+    });
+
+    // IPv6 equality
+    it('should return true for identical IPv6 addresses', () => {
+        expect(net_utils.is_equal('::1', '::1')).toBe(true);
+    });
+
+    it('should return false for different IPv6 addresses', () => {
+        expect(net_utils.is_equal('::1', '::2')).toBe(false);
+    });
+
+    // IPv4 vs IPv6-mapped IPv4
+    it('should return true for IPv4 and its IPv6-mapped equivalent', () => {
+        expect(net_utils.is_equal('127.0.0.1', '::ffff:127.0.0.1')).toBe(true);
+        expect(net_utils.is_equal('192.168.1.1', '::ffff:192.168.1.1')).toBe(true);
+    });
+
+    it('should return false for IPv4 and non-matching IPv6-mapped address', () => {
+        expect(net_utils.is_equal('192.168.1.1', '::ffff:192.168.1.2')).toBe(false);
+    });
+
+    // Invalid IPs
+    it('should return false if either address is invalid', () => {
+        expect(net_utils.is_equal('invalid', '192.168.1.1')).toBe(false);
+        expect(net_utils.is_equal('192.168.1.1', 'invalid')).toBe(false);
+        expect(net_utils.is_equal('invalid', 'also.invalid')).toBe(false);
+    });
+
+    // Mixed IPv4 and IPv6
+    it('should return false for IPv4 and unrelated IPv6', () => {
+        expect(net_utils.is_equal('192.168.1.1', '::1')).toBe(false);
+    });
+
 });

src/util/http_utils.js

@@ -432,7 +432,7 @@ function should_proxy(hostname) {
     for (const { kind, addr } of no_proxy_list) {
         dbg.log3(`should_proxy: an item from no_proxy_list: kind ${kind} addr ${addr}`);
         if (isIp) {
-            if (kind === 'IP' && ip_module.isEqual(addr, hostname)) {
+            if (kind === 'IP' && net_utils.is_equal(addr, hostname)) {
                 return false;
             }
             if (kind === 'CIDR' && ip_module.cidrSubnet(addr).contains(hostname)) {

src/util/net_utils.js

@@ -49,6 +49,19 @@ function is_loopback(address) {
     return address.startsWith('127.') || address === '::1';
 }
 
+/**
+ * is_ipv6_loopback_buffer will check if the buffer is a loopback address
+ * it will check if the first 15 bytes are 0 and the last byte is 1
+ * this is the representation of loopback address in IPv6
+ * @param {Buffer} buf 
+ * @returns {boolean}
+ */
+function is_ipv6_loopback_buffer(buf) {
+    if (!Buffer.isBuffer(buf) || buf.length !== 16) return false;
+    return buf.every((b, i) => (i < 15 ? b === 0 : b === 1));
+}
+
+
 /**
  * is_localhost will check if the address is localhost
  * @param {string} address
@@ -64,11 +77,50 @@ function is_localhost(address) {
  * @returns {boolean}
  */
 function is_private(address) {
-    return (
-        address.startsWith('10.') ||
-        address.startsWith('172.') ||
-        address.startsWith('192.168.')
-    );
+    // Normalize and strip optional CIDR suffix
+    const addr = String(address).split('/')[0];
+    // Unwrap IPv6-mapped IPv4
+    const v4 = unwrap_ipv6(addr);
+
+    // IPv4 ranges
+    if (net.isIPv4(v4)) {
+        return (/^10\./).test(v4) || // 10.0.0.0/8
+            (/^192\.168\./).test(v4) || // 192.168.0.0/16
+            (/^172\.(1[6-9]|2[0-9]|3[0-1])\./).test(v4) || // 172.16.0.0 – 172.31.255.255
+            (/^127\./).test(v4) || // loopback
+            (/^169\.254\./).test(v4); // link-local
+    }
+
+    // IPv6 ranges
+    if (net.isIPv6(addr)) {
+        const buf = ip_to_buffer_safe(addr);
+        if (!buf) return false;
+
+        // :: (unspecified)
+        const is_unspecified = buf.every(b => b === 0);
+        if (is_unspecified) return true;
+
+        // ::1 (loopback)
+        if (is_ipv6_loopback_buffer(buf)) return true;
+
+        // fc00::/7 (ULA)
+        if (buf[0] >= 0xfc && buf[0] <= 0xfd) return true;
+
+        // fe80::/10 (link-local)
+        if (buf[0] === 0xfe && buf[1] >= 0x80 && buf[1] <= 0xbf) return true;
+
+        // ::ffff:a.b.c.d (IPv4-mapped) – classify by embedded IPv4
+        const is_v4_mapped = buf.readUInt32BE(0) === 0 &&
+            buf.readUInt32BE(4) === 0 &&
+            buf.readUInt16BE(8) === 0 &&
+            buf.readUInt16BE(10) === 0xffff;
+        if (is_v4_mapped) {
+            const embedded_v4 = `${buf[12]}.${buf[13]}.${buf[14]}.${buf[15]}`;
+            return is_private(embedded_v4);
+        }
+        return false;
+    }
+    return false;
 }
 
 /**
@@ -228,6 +280,48 @@ function find_ifc_containing_address(address) {
     }
 }
 
+/**
+ * will allocate a buffer for the given IP address
+ * buffer size is determined by the IP version
+ * @param {string} ip
+ * @returns {Buffer|null}
+ */
+function ip_to_buffer_safe(ip) {
+    if (net.isIPv4(ip)) {
+        return ip_toBuffer(ip, Buffer.alloc(4), 0);
+    } else if (net.isIPv6(ip)) {
+        return ip_toBuffer(ip, Buffer.alloc(16), 0);
+    } else {
+        return null; // invalid IP
+    }
+}
+
+/**
+ * is_equal will check if two addresses are equal
+ * it will handle both IPv4 and IPv6 addresses, including IPv6-mapped IPv4
+ * @param {string} address1
+ * @param {string} address2
+ * @returns {boolean}
+ */
+function is_equal(address1, address2) {
+    const buffer1 = ip_to_buffer_safe(address1);
+    const buffer2 = ip_to_buffer_safe(address2);
+
+    // if either address is invalid, return false
+    if (!buffer1 || !buffer2) return false;
+
+    // checks when the ips are of different type (v4 and v6)
+    if (buffer1.length !== buffer2.length) {
+        if (buffer1.length === 4) return address2 === `::ffff:${address1}`;
+        if (buffer2.length === 4) return address1 === `::ffff:${address2}`;
+        return false;
+    }
+
+    // compare the buffers when the ips are of the same type
+    return buffer1.equals(buffer2);
+}
+
+
 exports.is_ip = is_ip;
 exports.is_fqdn = is_fqdn;
 exports.is_cidr = is_cidr;
@@ -238,6 +332,7 @@ exports.ip_toString = ip_toString;
 exports.ip_toBuffer = ip_toBuffer;
 exports.ip_to_long = ip_to_long;
 exports.find_ifc_containing_address = find_ifc_containing_address;
+exports.is_equal = is_equal;
 
 /// EXPORTS FOR TESTING:
 exports.normalize_family = normalize_family;
@@ -247,3 +342,5 @@ exports.is_public = is_public;
 exports.ipv4_to_buffer = ipv4_to_buffer;
 exports.ipv6_to_buffer = ipv6_to_buffer;
 exports.expend_ipv6 = expend_ipv6;
+exports.ip_to_buffer_safe = ip_to_buffer_safe;
+exports.is_ipv6_loopback_buffer = is_ipv6_loopback_buffer;