Skip to content

Add InetAddressMatcher #18634

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rwinch wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add InetAddressMatcher #18634

rwinch wants to merge 6 commits into from
+1,316 −89

Conversation

@rwinch
Copy link
Member

@rwinch rwinch commented Feb 2, 2026

No description provided.

@rwinch @vasporig
@KJ202 @rstoyanchev
Add InetAddressMatcher
d82601f 
Co-authored-by: Gábor Vaspöri <[email protected]>
Co-authored-by: Kian Jamali <[email protected]>
Co-authored-by: Rossen Stoyanchev <[email protected]>
@rwinch rwinch changed the title Merge InetAddressMatcher Add InetAddressMatcher Feb 2, 2026
@rwinch rwinch requested a review from rstoyanchev February 3, 2026 01:20
@rwinch rwinch self-assigned this Feb 3, 2026
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Feb 3, 2026
rstoyanchev
rstoyanchev suggested changes Feb 3, 2026
View reviewed changes
Copy link
Contributor

@rstoyanchev rstoyanchev left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, but I did leave a couple of comments and suggestions.

I think the main contract is a good place to provide context and background from a high level perspective, something along the lines of the description of #18498 especially since this is all just a foundational, building block.

rwinch added 4 commits February 3, 2026 08:37
@rwinch
Use consistent match terminology
7d614ac 
Previously the terminology blurred allow/deny into the matching APIs
which was confusing. The API now consistently uses matching logic.
@rwinch
Remove unnecessary since tag
59984df
@rwinch
IpInetAddressMatcher Should Use Authors from IpAddressMatcher
46120d2
@rwinch
Update InetAddressMatcher.matches(InetAddress) to allow null
d85df0c 
This is more consistent with the matches(String) method and it allows APIs
like ServerHttpRequest.getRemoteAddress() to be passed in without needing
to check if the value is null.
@rwinch
Copy link
Member Author

rwinch commented Feb 3, 2026

Looks great, but I did leave a couple of comments and suggestions.

Thanks I've responded inline and posted updates where I think that it makes sense.

I think the main contract is a good place to provide context and background from a high level perspective, something along the lines of the description of #18498 especially since this is all just a foundational, building block.

I'm going to avoid documenting anything other than what the API does. It is a general purpose IP address matching API that is used by Spring Security to map server side authorization logic. It can be used by users to do anything that involves matching an IP address (e.g. client side firewall rules -- perhaps to prevent SSRF, MFA logic, etc).

@rwinch
IpAddressServerWebExchangeMatcher uses InetAddressMatcher
6510838 
IpAddressServerWebExchangeMatcher was used for WebFlux applications which
used IpAddressMatcher. This was likely problematic because IpAddressMatcher
contains servlet APIs in it's method signatures. Even if those specific
methods aren't used by IpAddressServerWebExchangeMatcher it can cause
classpath issues for webflux applications.

This commit switches to using InetAddressMatcher which does not contain
any dependencies on the ServletAPI
KJ202
KJ202 reviewed Feb 3, 2026
View reviewed changes
web/src/main/java/org/springframework/security/web/util/matcher/InetAddressMatchers.java
if (address == null) {
return false;
}
if (address.isLoopbackAddress()) {
Copy link

@KJ202 KJ202 Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we do "(address.isLoopbackAddress() || address.isLinkLocalAddress())" instead?

This would include link-local addresses (such as 169.254.169.254) that are commonly targeted for SSRF attacks.

@KJ202
Copy link

KJ202 commented Feb 3, 2026
edited
Loading

I'd suggest using isSiteLocalAddress() which might be more robust. The current manual check for the 172 range only looks for 172.16, missing IPs from 172.17 through 172.31. The built-in method handles the bitmask correctly and keeps the logic much simpler.

I'm also a bit concerned about the usage IPv4-Mapped IPv6 addresses as a bypass. Standard methods should handle this inherently.

KJ202
KJ202 reviewed Feb 3, 2026
View reviewed changes
web/src/main/java/org/springframework/security/web/util/matcher/InetAddressParser.java
|| Character.digit(ipAddress.charAt(0), 16) != -1
&& ipAddress.indexOf(':') > 0;
// @formatter:on
}
Copy link

@KJ202 KJ202 Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we defensively check whether the IP address to avoid throwing an exception? (e.g if (!StringUtils.hasText(ipAddress)) { return false; })

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@KJ202 KJ202 KJ202 left review comments

@rstoyanchev rstoyanchev rstoyanchev approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@rwinch rwinch

Labels

in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rwinch @KJ202 @rstoyanchev