Added additional validation for IP range format check

rapid7 · Jan 21, 2025 · b274e3e · b274e3e
1 parent cfaaa16
commit b274e3e
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/app/concerns/mdm/workspace/boundary_range.rb b/app/concerns/mdm/workspace/boundary_range.rb
@@ -54,6 +54,16 @@ def boundary_must_be_ip_range
           unless valid_ip_or_range?(range)
             errors.add(:boundary, "must be a valid IP range")
           end
+
+          if range.include?('-') && range.match?(/\A(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*-\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\z/)
+            start_ip, end_ip = range.split('-').map(&:strip)
+            if start_ip.split('.')[0..2] == end_ip.split('.')[0..2]
+              last_octet_end = end_ip.split('.').last
+              errors.add(:boundary, "'#{range}' should be in the format '#{start_ip}-#{last_octet_end}'")
+            else
+              errors.add(:boundary, "'#{range}' start and end IPs must be in the same subnet")
+            end
+          end
         end
       end
     end

diff --git a/spec/models/mdm/workspace_spec.rb b/spec/models/mdm/workspace_spec.rb
@@ -56,6 +56,36 @@
             expect(workspace.errors[:boundary]).to include(error)
           end
         end
+
+        context 'with invalid IP or range format' do
+          let(:boundary) do
+            '192.168.0.1-192.168.0.2'
+          end
+
+          let(:start_ip) do
+            '192.168.0.1'
+          end
+
+          let(:last_octet_end) do
+            '2'
+          end
+
+          it 'should record error that boundary must be a valid IP range and in the correct format' do
+            expect(workspace).not_to be_valid
+            expect(workspace.errors[:boundary]).to include("'#{boundary}' should be in the format '#{start_ip}-#{last_octet_end}'")
+          end
+        end
+
+        context 'with IPs from different subnets' do
+          let(:boundary) do
+            '192.168.0.1-192.169.0.2'
+          end
+
+          it 'should record error that boundary must be a valid IP range and in the same subnet' do
+            expect(workspace).not_to be_valid
+            expect(workspace.errors[:boundary]).to include("'#{boundary}' start and end IPs must be in the same subnet")
+          end
+        end
       end
 
       context 'when the workspace is not network limited' do