Fix IPAddr#private?, #link_local? and #loopback? incorrectly matching public IPv6 addresses as IPv4-mapped#106
Merged
taketo1113 merged 1 commit intoruby:masterfrom Apr 23, 2026
Conversation
…blic IPv6 as IPv4-mapped
Collaborator
|
+1 I verified that I also confirmed the behavior introduced by this change. IPAddr.new("2001:718:1404:c8:0:ffff:ac19:c80e").private? #=> false (as expected)
IPAddr.new("::ffff:ac19:c80e").to_s #=> "::ffff:172.25.200.14"
IPAddr.new("::ffff:ac19:c80e").private? #=> true
IPAddr.new("2001:718:1404:c8:0:ffff:a9fe:101").link_local? #=> false (as expected)
IPAddr.new("::ffff:a9fe:101").to_s #=> "::ffff:169.254.1.1"
IPAddr.new("::ffff:a9fe:101").link_local? #=> true
IPAddr.new("2001:718:1404:c8:0:ffff:7f00:1").loopback? #=> false (as expected)
IPAddr.new("::ffff:7f00:1").to_s #=> "::ffff:127.0.0.1"
IPAddr.new("::ffff:7f00:1").loopback? #=> true |
Collaborator
|
@jarthod Thank you for your contribution. It's a good catch. |
Contributor
Author
|
Awesome, thank you 🥳 |
Collaborator
|
@jarthod I have released ipaddr v1.2.9. Please give it a try. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
IPAddr#private?,#loopback?, and#link_local?all use this pattern to detect whether an IPv6 address is an IPv4-mapped private/loopback/link-local address:This mask only tests bits 32–47 of the 128-bit address. It does not verify that the upper 80 bits are zero, which is required for a true IPv4-mapped address (
::ffff:x.x.x.x=0000:0000:0000:0000:0000:ffff:x:x).Any native IPv6 global unicast address that has
0xffffin its 5th 16-bit group will incorrectly match. For example:These are legitimate globally routable addresses.
ipv4_mapped?correctly returnsfalsefor all of them (it's implementation is more precise)Fix
Replace the loose mask with a right-shift that validates all 96 upper bits at once, exactly the same test that
ipv4_mapped?is doing:@addr >> 32 == 0xffffrequires the upper 96 bits to equal0x0000_0000_0000_0000_0000_ffff, which is the precise definition of the IPv4-mapped prefix.Real-world impact
This issue was brought to my attention by a savvy user of my service whose monitored site has AAAA record
2001:718:1404:c8:0:ffff:ac19:c80e(a perfectly valid and working global unicast IPv6). My SSRF protection, which relied onIPAddr#private?, started incorrectly rejecting it as a private address.Do not hesitate if you need any other tweaks, tests or explanation.
Thanks !