fix: Validate IP octet ranges in firewall init script #32854

Open
anshul-garg27 wants to merge 1 commit into anthropics:main from anshul-garg27:anshullkgarg/fix-firewall-ip-validation

@anshul-garg27

Summary

  • Add arithmetic range checks to IP/CIDR validation in .devcontainer/init-firewall.sh

Problem

The regex on lines 58 and 84 accepts values like 999.999.999.999/99 because it only validates digit count (1-3 digits per octet) without checking the actual numeric range. Values above 255 for octets or above 32 for prefix length are invalid.

Fix

After the regex match, use BASH_REMATCH capture groups with arithmetic comparison to verify:

  • Each octet is <= 255
  • CIDR prefix length is <= 32

Test plan

  • Verify bash syntax with bash -n init-firewall.sh
  • Valid IPs like 192.168.1.0/24 pass validation
  • Invalid IPs like 999.1.2.3/24 are rejected
  • Invalid CIDR like 1.2.3.4/33 is rejected

The IP/CIDR validation regex accepts values like 999.999.999.999/99
because it only checks digit count (1-3) without verifying octets
are <= 255 and prefix length is <= 32. Add arithmetic checks after
the regex match using BASH_REMATCH to reject invalid addresses.
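
The check described above, written out as an added example (not the PR's code or the project's script): a regex match followed by arithmetic range checks on the `BASH_REMATCH` groups. The names `CIDR_RE`, `valid_ipv4_cidr` and `filter_cidrs` and the exact regex are assumptions; the example goes one step beyond the description by forcing base 10, because bash arithmetic would otherwise read an octet such as `08` as invalid octal.

```shell
#!/usr/bin/env bash
# Added example: range-checked IPv4 CIDR validation. Not the PR's code.

# Assumed shape of the existing check: 1-3 digits per octet and a
# 1-2 digit prefix, with capture groups added for the range checks.
CIDR_RE='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/([0-9]{1,2})$'

# valid_ipv4_cidr CIDR
# Returns 0 when CIDR matches the regex, every octet is <= 255 and the
# prefix length is <= 32; returns 1 otherwise.
valid_ipv4_cidr() {
    local cidr=$1 i
    [[ $cidr =~ $CIDR_RE ]] || return 1
    # Groups 1-4 are the octets. The 10# prefix forces decimal, so a
    # leading zero ("08", "010") is compared as 8 or 10 instead of being
    # parsed as octal by bash arithmetic.
    for i in 1 2 3 4; do
        (( 10#${BASH_REMATCH[i]} <= 255 )) || return 1
    done
    # Group 5 is the prefix length.
    (( 10#${BASH_REMATCH[5]} <= 32 )) || return 1
    return 0
}

# filter_cidrs
# Reads candidate ranges from stdin, one per line. Valid ranges go to
# stdout; rejected lines are reported on stderr (shell-quoted with %q so
# control characters in untrusted input cannot corrupt the log line).
filter_cidrs() {
    local line
    while IFS= read -r line; do
        if valid_ipv4_cidr "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected: %q\n' "$line" >&2
        fi
    done
}
```

Piping constructed input such as `192.168.1.0/24`, `999.1.2.3/24` and `1.2.3.4/33` through `filter_cidrs` prints only the first line and reports the other two on stderr.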