From 0c9667d54352f4fd56c6b4783481888704160272 Mon Sep 17 00:00:00 2001
From: Thomas Flori <thflori@gmail.com>
Date: Thu, 21 Sep 2023 21:55:59 +0200
Subject: [PATCH] test IpHelper::isInRange

---
 .gitignore                          |  1 +
 app/Config.php                      |  3 ++
 app/Http/Request.php                |  6 +--
 app/Service/IpHelper.php            | 11 +++--
 tests/Unit/Service/IpHelperTest.php | 62 +++++++++++++++++++++++++++++
 5 files changed, 76 insertions(+), 7 deletions(-)
 create mode 100644 tests/Unit/Service/IpHelperTest.php

diff --git a/.gitignore b/.gitignore
index a8b5f43..7c31cd3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /vendor
 /.env
+.phpunit.result.cache
diff --git a/app/Config.php b/app/Config.php
index 82944d0..7a35722 100644
--- a/app/Config.php
+++ b/app/Config.php
@@ -9,9 +9,12 @@ class Config extends \Riki\Config
 {
     public $logLevel = Logger::WARNING;
 
+    public $trustedProxies = [];
+
     public function __construct(Environment $environment)
     {
         parent::__construct($environment);
         $this->logLevel = Logger::toMonologLevel($this->env('LOG_LEVEL', $this->logLevel));
+        $this->trustedProxies = (array)$this->env('TRUSTED_PROXIES', $this->trustedProxies);
     }
 }
diff --git a/app/Http/Request.php b/app/Http/Request.php
index a249392..2b192d2 100644
--- a/app/Http/Request.php
+++ b/app/Http/Request.php
@@ -80,7 +80,7 @@ class Request extends ServerRequest
     /**
      * Check if the proxy is a trusted proxy.
      *
-     * Returns whether or not the direct client ip ($_SERVER['REMOTE_ADDR']) matches against one of the defined proxies
+     * Returns whether the direct client ip ($_SERVER['REMOTE_ADDR']) matches against one of the defined proxies
      * in $config->trustedProxies.
      *
      * $config->trustedProxies is an array of ip addresses, address ranges or a partial reg ex pattern.
@@ -90,9 +90,7 @@ class Request extends ServerRequest
      * $config->trustedProxies = [
      *     '192.168.0.1', // ipv4 of our reverse proxy (only one proxy)
      *     '42.42.42.64/28', // ipv4 subnet (the proxy comes from this subnet)
-     *     '42.42.42.\d+', // ipv4 reg ex matching any ip from a /24 subnet
-     *     'fe80::/64', // link local ipv6 range
-     *     'fe80:(:|(0:)+)+[0-9a-f:]+', // unsure if this works - ipv6 reg ex patterns are terrible
+     *     'fe80::/64', //  local ipv6 range
      * ];
      *```
      *
diff --git a/app/Service/IpHelper.php b/app/Service/IpHelper.php
index 6c36fad..d2a4f31 100644
--- a/app/Service/IpHelper.php
+++ b/app/Service/IpHelper.php
@@ -11,7 +11,6 @@ class IpHelper
      * - an ip address (e.g. 192.168.0.1)
      * - an ipv4 range (e.g. 10.23.0.0/16)
      * - an ipv6 range (e.g. fe80::/64)
-     * - a regular expression (e.g. 192.168.0.\d+)
      *
      * @param string $ip
      * @param string $range
@@ -19,13 +18,19 @@ class IpHelper
      */
     public static function isInRange(string $ip, string $range): bool
     {
+        // if there is no range defined we use the first 128 bit
         if (strpos($range, '/') === false) {
-            return (bool)preg_match('/' . $range . '/', $ip);
+            $net = $range;
+            $maskbits = 128;
+        } else {
+            list($net, $maskbits) = explode('/', $range);
         }
 
-        list($net, $maskbits) = explode('/', $range);
         $binaryIp = self::iptToBits($ip);
         $binaryNet = self::iptToBits($net);
+        if (strlen($binaryIp) != strlen($binaryNet)) {
+            return false;
+        }
 
         $ipNetBits = substr($binaryIp, 0, $maskbits);
         $netBits   = substr($binaryNet, 0, $maskbits);
diff --git a/tests/Unit/Service/IpHelperTest.php b/tests/Unit/Service/IpHelperTest.php
new file mode 100644
index 0000000..6795e3b
--- /dev/null
+++ b/tests/Unit/Service/IpHelperTest.php
@@ -0,0 +1,62 @@
+<?php
+
+namespace Test\Unit\Service;
+
+use App\Service\IpHelper;
+use Test\TestCase;
+
+class IpHelperTest extends TestCase
+{
+    /** @test
+     * @dataProvider ipv4Ranges */
+    public function isInRangeWorksWithIpv4Ranges(string $ip, string $range, bool $result)
+    {
+        self::assertSame($result, IpHelper::isInRange($ip, $range));
+    }
+
+    public function ipv4Ranges(): array
+    {
+        return [
+            ['192.168.0.1', '192.168.0.0/24', true],
+            ['192.172.168.12', '192.172.168.0/28', true],
+            ['192.172.168.12', '192.172.168.0/29', false],
+            ['10.192.39.29', '10.0.0.0/8', true],
+            ['127.0.1.1', '127.0.0.1/32', false],
+        ];
+    }
+
+    /** @test
+     * @dataProvider ipv6Ranges */
+    public function isInRangeWorksWithIpv6Ranges(string $ip, string $range, bool $result)
+    {
+        self::assertSame($result, IpHelper::isInRange($ip, $range));
+    }
+
+    public function ipv6Ranges(): array
+    {
+        return [
+            ['fe80::1', 'fe80::/64', true],
+            ['::1', '::1/128', true],
+            ['fe80::1', '::1/128', false],
+        ];
+    }
+
+    /** @test */
+    public function isInRangeWorksWithSingleIpAddressesInIpv4()
+    {
+        self::assertTrue(IpHelper::isInRange('192.168.0.1', '192.168.0.1'));
+    }
+
+    /** @test */
+    public function isInRangeWorksWithSingleIpAddressesInIpv6()
+    {
+        self::assertTrue(IpHelper::isInRange('fe80::1', 'fe80:0:0:0:0:0:0:1'));
+    }
+
+    /** @test */
+    public function isInRangeDoesNotMatchIpsWithDifferentProtocolVersion()
+    {
+        self::assertFalse(IpHelper::isInRange('192.168.0.1', 'c0a8:1::'));
+        self::assertFalse(IpHelper::isInRange('192.168.0.1', 'c0a8:1::/32'));
+    }
+}
-- 
GitLab