feat(ip): add configurable IPv6 subnet for BFP and throttling

Altahrim · Altahrim · commit f647073d21cf · 2025-04-24T09:42:41.000+02:00
Signed-off-by: Benjamin Gaussorgues &lt;benjamin.gaussorgues@nextcloud.com&gt;
diff --git a/3rdparty b/3rdparty
@@ -1 +1 @@
-Subproject commit a37d5dc7da3d6457f14774ebed0a13db3c81f80f
+Subproject commit 059e167e17283046fd8557bf68495a458fd16313
diff --git a/config/config.sample.php b/config/config.sample.php
@@ -405,6 +405,16 @@
  */
 'ratelimit.protection.enabled' => true,
 
+/**
+ * Size of subnet used to normalize IPv6
+ *
+ * For Brute Force Protection and Rate Limiting, IPv6 are truncated using subnet size.
+ * It defaults to /56 but you can set it between /32 and /64
+ *
+ * Defaults to ``56``
+ */
+'security.ipv6_normalized_subnet_size' => 56,
+
 /**
  * By default, WebAuthn is available, but it can be explicitly disabled by admins
  */
diff --git a/lib/private/Security/Normalizer/IpAddress.php b/lib/private/Security/Normalizer/IpAddress.php
@@ -30,6 +30,8 @@
  */
 namespace OC\Security\Normalizer;
 
+use OCP\IConfig;
+
 /**
  * Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security
  * relevant contexts in Nextcloud.
@@ -46,7 +48,8 @@ public function __construct(
 	}
 
 	/**
-	 * Return the given subnet for an IPv6 address (48 first bits)
+	 * Return the given subnet for an IPv6 address
+	 * Rely on security.ipv6_normalized_subnet_size, defaults to 56
 	 */
 	private function getIPv6Subnet(string $ip): string {
 		if ($ip[0] === '[' && $ip[-1] === ']') { // If IP is with brackets, for example [::1]
@@ -57,10 +60,14 @@ private function getIPv6Subnet(string $ip): string {
 			$ip = substr($ip, 0, $pos - 1);
 		}
 
+		$config = \OCP\Server::get(IConfig::class);
+		$maskSize = min(64, $config->getSystemValueInt('security.ipv6_normalized_subnet_size', 56));
+		$maskSize = max(32, $maskSize);
+		$mask = pack('VVP', (1 << 32) - 1, (1 << $maskSize - 32) - 1, 0);
+
 		$binary = \inet_pton($ip);
-		$mask = inet_pton('FFFF:FFFF:FFFF::');
 
-		return inet_ntop($binary & $mask).'/48';
+		return inet_ntop($binary & $mask) . '/' . $maskSize;
 	}
 
 	/**
@@ -85,7 +92,7 @@ private function getEmbeddedIpv4(string $ipv6): ?string {
 
 
 	/**
-	 * Gets either the /32 (IPv4) or the /48 (IPv6) subnet of an IP address
+	 * Gets either the /32 (IPv4) or the /56 (default for IPv6) subnet of an IP address
 	 */
 	public function getSubnet(): string {
 		if (filter_var($this->ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
diff --git a/tests/lib/Security/Normalizer/IpAddressTest.php b/tests/lib/Security/Normalizer/IpAddressTest.php
@@ -52,19 +52,19 @@ public function subnetDataProvider() {
 			],
 			[
 				'2001:0db8:0000:0000:0000:8a2e:0370:7334',
-				'2001:db8::/48',
+				'2001:db8::/56',
 			],
 			[
 				'2001:db8:3333:4444:5555:6666:7777:8888',
-				'2001:db8:3333::/48',
+				'2001:db8:3333:4400::/56',
 			],
 			[
 				'::1234:5678',
-				'::/48',
+				'::/56',
 			],
 			[
 				'[::1]',
-				'::/48',
+				'::/56',
 			],
 		];
 	}

Original file line number	Diff line number	Diff line change
`@@ -52,19 +52,19 @@ public function subnetDataProvider() {`
`52`	`52`	`],`
`53`	`53`	`[`
`54`	`54`	`'2001:0db8:0000:0000:0000:8a2e:0370:7334',`
`55`		`- '2001:db8::/48',`
	`55`	`+ '2001:db8::/56',`
`56`	`56`	`],`
`57`	`57`	`[`
`58`	`58`	`'2001:db8:3333:4444:5555:6666:7777:8888',`
`59`		`- '2001:db8:3333::/48',`
	`59`	`+ '2001:db8:3333:4400::/56',`
`60`	`60`	`],`
`61`	`61`	`[`
`62`	`62`	`'::1234:5678',`
`63`		`- '::/48',`
	`63`	`+ '::/56',`
`64`	`64`	`],`
`65`	`65`	`[`
`66`	`66`	`'[::1]',`
`67`		`- '::/48',`
	`67`	`+ '::/56',`
`68`	`68`	`],`
`69`	`69`	`];`
`70`	`70`	`}`