Add InetAddressMatcher#18634

Merged
rwinch merged 1 commit into spring-projects:main from rwinch:google-ssrf
Feb 19, 2026

Conversation

@rwinch rwinch commented Feb 2, 2026

Extracts logic for matching InetAddress from the HttpServletRequest. This allows for general reuse of the API. In particular:

  • IpInetAddressMatcher now delegates to InetAddressMatcher
  • IpAddressServerWebExchangeMatcher now delegates to InetAddressMatcher

Closes gh-18498

@rwinch rwinch force-pushed the google-ssrf branch 2 times, most recently from a405f06 to d82601f, February 2, 2026 22:19
@rwinch rwinch changed the title Merge InetAddressMatcher Add InetAddressMatcher Feb 2, 2026
@rwinch rwinch requested a review from rstoyanchev February 3, 2026 01:20
@rwinch rwinch self-assigned this Feb 3, 2026
@rwinch rwinch added the labels "in: web" (An issue in web modules (web, webmvc)) and "type: enhancement" (A general enhancement) Feb 3, 2026
@rstoyanchev rstoyanchev left a comment


Looks great, but I did leave a couple of comments and suggestions.

I think the main contract is a good place to provide context and background from a high-level perspective, something along the lines of the description of #18498, especially since this is all just a foundational building block.


rwinch commented Feb 3, 2026

Looks great, but I did leave a couple of comments and suggestions.

Thanks, I've responded inline and posted updates where I think that it makes sense.

I think the main contract is a good place to provide context and background from a high-level perspective, something along the lines of the description of #18498, especially since this is all just a foundational building block.

I'm going to avoid documenting anything other than what the API does. It is a general purpose IP address matching API that is used by Spring Security to map server side authorization logic. It can be used by users to do anything that involves matching an IP address (e.g. client side firewall rules -- perhaps to prevent SSRF, MFA logic, etc.).

if (address == null) {
return false;
}
if (address.isLoopbackAddress()) {
Contributor


Should we do "(address.isLoopbackAddress() || address.isLinkLocalAddress())" instead?

This would include link-local addresses (such as 169.254.169.254) that are commonly targeted for SSRF attacks.


KJ202 commented Feb 3, 2026

I'd suggest using isSiteLocalAddress() which might be more robust. The current manual check for the 172 range only looks for 172.16, missing IPs from 172.17 through 172.31. The built-in method handles the bitmask correctly and keeps the logic much simpler.

I'm also a bit concerned about the use of IPv4-mapped IPv6 addresses as a bypass. Standard methods should handle this inherently.

|| Character.digit(ipAddress.charAt(0), 16) != -1
&& ipAddress.indexOf(':') > 0;
// @formatter:on
}
Contributor


Should we defensively check the IP address to avoid throwing an exception? (e.g. if (!StringUtils.hasText(ipAddress)) { return false; })

KJ202 added a commit to KJ202/spring-security that referenced this pull request Feb 17, 2026
…back

- Use `isLinkLocalAddress()` to correctly identify link-local addresses (e.g., 169.254.x.x) as internal.
- Use `isSiteLocalAddress()` to correctly match the entire 172.16.0.0/12 subnet and rely on standard JVM checks for IPv4-mapped IPv6 addresses.
- Retain custom matching for Unique Local Addresses (fc00::/7) due to JVM limitations with RFC 4193.
- Add defensive blank string checking in `InetAddressParser.isIpAddress()`.
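A self-contained illustration of the checks this thread converged on, added here as an example (it is not the PR's InetAddressMatcher, and the class name InternalAddressCheck is hypothetical): the JDK's isLoopbackAddress/isLinkLocalAddress/isSiteLocalAddress predicates, a manual fc00::/7 test because the JDK has no RFC 4193 predicate, a blank-string guard, and the IPv4-mapped IPv6 case from the discussion. It assumes Java 11 or later.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

// Hypothetical helper (not Spring Security code): decides whether an address is
// "internal" for the purpose of a client-side outbound-request policy.
public final class InternalAddressCheck {

    // RFC 4193 Unique Local Addresses, fc00::/7: first byte is 1111110x.
    // The JDK offers no isUniqueLocalAddress(), hence the manual mask.
    static boolean isUniqueLocal(InetAddress address) {
        return address instanceof Inet6Address && (address.getAddress()[0] & 0xFE) == 0xFC;
    }

    static boolean isInternal(InetAddress address) {
        if (address == null) {
            return false;
        }
        // isSiteLocalAddress() covers 10/8, all of 172.16/12 (172.16 through 172.31),
        // 192.168/16 and fec0::/10; isLinkLocalAddress() covers 169.254/16
        // (e.g. 169.254.169.254) and fe80::/10.
        return address.isLoopbackAddress() || address.isLinkLocalAddress()
                || address.isSiteLocalAddress() || isUniqueLocal(address);
    }

    // Blank input is rejected up front: InetAddress.getByName("") would otherwise
    // return the loopback address rather than throwing.
    static boolean isInternalLiteral(String literal) throws UnknownHostException {
        if (literal == null || literal.isBlank()) {
            return false;
        }
        // getByName on an IP literal performs no DNS lookup. An IPv4-mapped IPv6
        // literal such as ::ffff:169.254.169.254 is returned as an Inet4Address,
        // so the IPv4 predicates apply and the mapped form is not a bypass.
        return isInternal(InetAddress.getByName(literal));
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample literals; 203.0.113.10 is from the TEST-NET-3 documentation range.
        List<String> samples = List.of("127.0.0.1", "169.254.169.254", "172.31.255.254",
                "::ffff:169.254.169.254", "fd12:3456::1", "fe80::1", "203.0.113.10", "");
        for (String s : samples) {
            System.out.printf("%-24s internal=%b%n", s.isEmpty() ? "\"\"" : s, isInternalLiteral(s));
        }
    }
}
```

Every sample except 203.0.113.10 and the empty string is reported as internal; fd12:3456::1 is caught only by the manual fc00::/7 mask, since isSiteLocalAddress() on an Inet6Address checks the deprecated fec0::/10 prefix.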
@rwinch rwinch added this to the 7.1.0-M3 milestone Feb 19, 2026
@rwinch rwinch enabled auto-merge (rebase) February 19, 2026 17:21
@rwinch rwinch disabled auto-merge February 19, 2026 17:24
@rwinch rwinch enabled auto-merge (rebase) February 19, 2026 17:28
Co-authored-by: Gábor Vaspöri <gabor.vaspori@gmail.com>
Co-authored-by: Kian Jamali <kianjamali123@gmail.com>
Co-authored-by: Rossen Stoyanchev <rstoyanchev@users.noreply.github.com>
@rwinch rwinch merged commit cc6a005 into spring-projects:main Feb 19, 2026
7 checks passed
Development

Successfully merging this pull request may close these issues.

Add InetAddress filtering for client side SSRF protection