mirror of
https://github.com/webmin/webmin.git
synced 2026-06-09 22:40:23 +01:00
143 lines
7.4 KiB
Perl
143 lines
7.4 KiB
Perl
#!/usr/bin/perl
|
||
# Unit tests for IP-address validators / classifiers in web-lib-funcs.pl.
|
||
#
|
||
# Pure subs, no globals to set up. miniserv.pl carries its own copies of
|
||
# check_ipaddress / check_ip6address; those have their own tests in
|
||
# t/miniserv.t. This file exclusively exercises the web-lib-funcs versions,
|
||
# which have a slightly different IPv6 contract — the web-lib-funcs version
|
||
# accepts an /N netmask suffix.
|
||
|
||
use strict;
|
||
use warnings;
|
||
use Test::More;
|
||
use File::Basename qw(dirname);
|
||
use File::Spec;
|
||
|
||
my $script = File::Spec->rel2abs(
|
||
File::Spec->catfile(dirname(__FILE__), '..', 'web-lib-funcs.pl'));
|
||
require $script;
|
||
|
||
# check_ipaddress — strict dotted-quad IPv4.
|
||
subtest 'check_ipaddress' => sub {
|
||
ok( main::check_ipaddress('1.2.3.4'), 'plain IPv4 accepted');
|
||
ok( main::check_ipaddress('0.0.0.0'), 'all-zero accepted');
|
||
ok( main::check_ipaddress('255.255.255.255'), 'all-ones accepted');
|
||
|
||
ok(!main::check_ipaddress('256.0.0.1'), 'octet > 255 rejected');
|
||
ok(!main::check_ipaddress('1.2.3'), 'too-few octets rejected');
|
||
ok(!main::check_ipaddress('1.2.3.4.5'), 'too-many octets rejected');
|
||
ok(!main::check_ipaddress('1.2.3.x'), 'non-numeric octet rejected');
|
||
ok(!main::check_ipaddress(''), 'empty rejected');
|
||
ok(!main::check_ipaddress('not an ip'), 'garbage rejected');
|
||
ok(!main::check_ipaddress(' 1.2.3.4'), 'leading whitespace rejected');
|
||
ok(!main::check_ipaddress('1.2.3.4 '), 'trailing whitespace rejected');
|
||
};
|
||
|
||
# check_ip6address — IPv6, optionally with /N netmask suffix.
|
||
#
|
||
# Accepts the standard text forms, the "::" shorthand at any position, an
|
||
# optional /N netmask, and the IPv4-in-IPv6 dotted-quad tail (RFC 4291
|
||
# §2.5.5: "::ffff:N.N.N.N" mapped and "X:X:X:X:X:X:N.N.N.N" compatible).
|
||
subtest 'check_ip6address' => sub {
|
||
ok( main::check_ip6address('::'), 'unspecified accepted');
|
||
ok( main::check_ip6address('::1'), 'loopback accepted');
|
||
ok( main::check_ip6address('2001:db8::1'), 'compressed form accepted');
|
||
ok( main::check_ip6address('1:2:3:4:5:6:7:8'), 'full eight-block form accepted');
|
||
ok( main::check_ip6address('2001:db8::'), 'trailing :: accepted (no netmask)');
|
||
|
||
# Netmask suffix — both with leading and trailing :: shorthand.
|
||
ok( main::check_ip6address('::1/64'), 'address/netmask accepted with leading ::');
|
||
ok( main::check_ip6address('2001:db8::/32'), 'address/netmask accepted with trailing ::');
|
||
ok( main::check_ip6address('::/0'), '::/0 default route accepted');
|
||
ok( main::check_ip6address('fe80::/10'), 'fe80::/10 link-local prefix accepted');
|
||
ok(!main::check_ip6address('::1/200'), 'netmask > 128 rejected');
|
||
|
||
# IPv4-in-IPv6 tails.
|
||
ok( main::check_ip6address('::ffff:10.0.0.1'), 'IPv4-mapped (::ffff:N.N.N.N) accepted');
|
||
ok( main::check_ip6address('::ffff:0.0.0.0'), 'IPv4-mapped all-zero accepted');
|
||
ok( main::check_ip6address('::1.2.3.4'), 'IPv4-compatible (::N.N.N.N) accepted');
|
||
ok( main::check_ip6address('0:0:0:0:0:ffff:1.2.3.4'),
|
||
'fully-expanded IPv4-mapped accepted');
|
||
ok(!main::check_ip6address('::ffff:256.0.0.1'), 'IPv4-mapped with octet > 255 rejected');
|
||
ok(!main::check_ip6address('::ffff:1.2.3'), 'IPv4-mapped with too-few octets rejected');
|
||
|
||
# Bare IPv4 must be rejected — callers (e.g. ip_match) use this sub
|
||
# as a type discriminator and a true result re-routes IPv4 input
|
||
# through the IPv6 codepath.
|
||
ok(!main::check_ip6address('10.0.0.1'), 'bare IPv4 rejected (type-discriminator contract)');
|
||
ok(!main::check_ip6address('1.2.3.4'), 'bare IPv4 rejected (type-discriminator contract)');
|
||
|
||
# Degenerate netmask shapes — stripping "/N" from the input must not
|
||
# let an address that's otherwise just a stray colon (or empty) pass.
|
||
# perl's split() trims trailing empties hard, so e.g. split(":") is
|
||
# () not (""), and our @blocks==0 guard catches it.
|
||
ok(!main::check_ip6address(':/64'), 'bare colon with netmask rejected');
|
||
ok(!main::check_ip6address('/64'), 'netmask without address rejected');
|
||
ok(!main::check_ip6address(':'), 'bare colon rejected');
|
||
ok(!main::check_ip6address('::/'), 'trailing slash with no digits rejected');
|
||
ok(!main::check_ip6address('//64'), 'leading slash with netmask rejected');
|
||
|
||
ok(!main::check_ip6address('gggg::1'), 'non-hex rejected');
|
||
ok(!main::check_ip6address('1:2:3:4:5:6:7:8:9'), 'too many groups rejected');
|
||
ok(!main::check_ip6address('::1::2'), 'multiple :: rejected');
|
||
ok(!main::check_ip6address('not an addr'), 'garbage rejected');
|
||
};
|
||
|
||
# is_non_public_ipaddress — RFC1918 + reserved-range classifier.
|
||
#
|
||
# Returns 1 for: 0.x, 10.x, 127.x, 169.254/16, 172.16/12, 192.168/16,
|
||
# 100.64/10 (CGNAT), 224+/4 (multicast/reserved); IPv6 loopback, link-local
|
||
# (fe80–febf), ULA (fc00/fd00), and ::ffff:N.N.N.N when the wrapped IPv4
|
||
# is itself non-public.
|
||
subtest 'is_non_public_ipaddress (IPv4)' => sub {
|
||
# Private / reserved.
|
||
ok( main::is_non_public_ipaddress('10.0.0.1'), '10/8 private');
|
||
ok( main::is_non_public_ipaddress('172.16.0.1'), '172.16/12 low bound');
|
||
ok( main::is_non_public_ipaddress('172.31.255.255'), '172.16/12 high bound');
|
||
ok( main::is_non_public_ipaddress('192.168.1.1'), '192.168/16 private');
|
||
ok( main::is_non_public_ipaddress('127.0.0.1'), '127/8 loopback');
|
||
ok( main::is_non_public_ipaddress('169.254.1.1'), '169.254/16 link-local');
|
||
ok( main::is_non_public_ipaddress('0.1.2.3'), '0/8 reserved');
|
||
ok( main::is_non_public_ipaddress('100.64.0.1'), 'CGNAT 100.64/10 low');
|
||
ok( main::is_non_public_ipaddress('100.127.255.255'), 'CGNAT 100.64/10 high');
|
||
ok( main::is_non_public_ipaddress('224.0.0.1'), '224+ multicast / reserved');
|
||
ok( main::is_non_public_ipaddress('255.255.255.255'), '255+ reserved');
|
||
|
||
# Just-outside boundaries.
|
||
ok(!main::is_non_public_ipaddress('11.0.0.1'), '11/8 is public');
|
||
ok(!main::is_non_public_ipaddress('172.15.255.255'), '172.15 below private block');
|
||
ok(!main::is_non_public_ipaddress('172.32.0.0'), '172.32 above private block');
|
||
ok(!main::is_non_public_ipaddress('192.167.0.0'), '192.167 is public');
|
||
ok(!main::is_non_public_ipaddress('169.253.0.0'), '169.253 is public');
|
||
ok(!main::is_non_public_ipaddress('100.63.255.255'), 'just below CGNAT');
|
||
ok(!main::is_non_public_ipaddress('100.128.0.0'), 'just above CGNAT');
|
||
|
||
# Plainly public.
|
||
ok(!main::is_non_public_ipaddress('8.8.8.8'), 'public DNS resolver');
|
||
ok(!main::is_non_public_ipaddress('1.1.1.1'), 'public DNS resolver');
|
||
};
|
||
|
||
subtest 'is_non_public_ipaddress (IPv6)' => sub {
|
||
ok( main::is_non_public_ipaddress('::1'), 'loopback');
|
||
ok( main::is_non_public_ipaddress('::'), 'unspecified');
|
||
ok( main::is_non_public_ipaddress('fe80::1'), 'link-local (fe80)');
|
||
ok( main::is_non_public_ipaddress('feb0::1'), 'link-local (feb0)');
|
||
ok( main::is_non_public_ipaddress('fc00::1'), 'ULA (fc00)');
|
||
ok( main::is_non_public_ipaddress('fd12::1'), 'ULA (fd12)');
|
||
|
||
# IPv4-mapped (::ffff:N.N.N.N) recurses on the embedded IPv4.
|
||
ok( main::is_non_public_ipaddress('::ffff:10.0.0.1'),
|
||
'::ffff:<private> recurses → non-public');
|
||
ok( main::is_non_public_ipaddress('::ffff:192.168.1.1'),
|
||
'::ffff:<rfc1918> recurses → non-public');
|
||
ok(!main::is_non_public_ipaddress('::ffff:8.8.8.8'),
|
||
'::ffff:<public> reported as public');
|
||
|
||
# Plainly public IPv6.
|
||
ok(!main::is_non_public_ipaddress('2001:db8::1'), '2001:db8 is public per classifier');
|
||
ok(!main::is_non_public_ipaddress('2606:4700::1111'),
|
||
'global unicast address is public');
|
||
};
|
||
|
||
done_testing();
|