| author | Natalia <124304+nessita@users.noreply.github.com> | 2025-01-06 15:51:45 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-01-14 09:08:01 -0300 |
| commit | ad866a1ca3e7d60da888d25d27e46a8adb2ed36e (patch) | |
| tree | 2286eacf7ac87b08c3255dc00513022fc9fcb687 /tests/utils_tests/test_ipv6.py | |
| parent | b0d309c9eb802cbc652595e2d413bb451e37f124 (diff) | |
[4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'tests/utils_tests/test_ipv6.py')
| -rw-r--r-- | tests/utils_tests/test_ipv6.py | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py
index bf78ed91c0..2d06507fa1 100644
--- a/tests/utils_tests/test_ipv6.py
+++ b/tests/utils_tests/test_ipv6.py
@@ -1,9 +1,17 @@
-import unittest
+import traceback
+from io import StringIO
 
-from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address
+from django.core.exceptions import ValidationError
+from django.test import SimpleTestCase
+from django.utils.ipv6 import (
+ MAX_IPV6_ADDRESS_LENGTH,
+ clean_ipv6_address,
+ is_valid_ipv6_address,
+)
+from django.utils.version import PY310
 
 
-class TestUtilsIPv6(unittest.TestCase):
+class TestUtilsIPv6(SimpleTestCase):
 def test_validates_correct_plain_address(self):
 self.assertTrue(is_valid_ipv6_address("fe80::223:6cff:fe8a:2e8a"))
 self.assertTrue(is_valid_ipv6_address("2a02::223:6cff:fe8a:2e8a"))
@@ -64,3 +72,29 @@ class TestUtilsIPv6(unittest.TestCase):
 self.assertEqual(
 clean_ipv6_address("::ffff:18.52.18.52", unpack_ipv4=True), "18.52.18.52"
 )
+
+ def test_address_too_long(self):
+ addresses = [
+ "0000:0000:0000:0000:0000:ffff:192.168.100.228", # IPv4-mapped IPv6 address
+ "0000:0000:0000:0000:0000:ffff:192.168.100.228%123456", # % scope/zone
+ "fe80::223:6cff:fe8a:2e8a:1234:5678:00000", # MAX_IPV6_ADDRESS_LENGTH + 1
+ ]
+ msg = "This is the error message."
+ value_error_msg = "Unable to convert %s to an IPv6 address (value too long)."
+ for addr in addresses:
+ with self.subTest(addr=addr):
+ self.assertGreater(len(addr), MAX_IPV6_ADDRESS_LENGTH)
+ self.assertEqual(is_valid_ipv6_address(addr), False)
+ with self.assertRaisesMessage(ValidationError, msg) as ctx:
+ clean_ipv6_address(addr, error_message=msg)
+ exception_traceback = StringIO()
+ if PY310:
+ traceback.print_exception(ctx.exception, file=exception_traceback)
+ else:
+ traceback.print_exception(
+ type(ctx.exception),
+ value=ctx.exception,
+ tb=ctx.exception.__traceback__,
+ file=exception_traceback,
+ )
+ self.assertIn(value_error_msg % addr, exception_traceback.getvalue()) |
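Review bot: `test_address_too_long` only feeds inputs longer than `MAX_IPV6_ADDRESS_LENGTH`, so nothing in the visible hunks pins the boundary itself, and an off-by-one in the length guard that rejected an address of exactly the maximum length would pass unnoticed. Going by the `# MAX_IPV6_ADDRESS_LENGTH + 1` comment on the 40-character sample the limit appears to be 39, so a companion check with a constructed full-length address would cover it: `addr = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"`, `self.assertEqual(len(addr), MAX_IPV6_ADDRESS_LENGTH)`, `self.assertIs(is_valid_ipv6_address(addr), True)`. The first two samples look otherwise well-formed (fully expanded IPv4-mapped form, zone suffix), so a comment above the list such as `# Rejected because of length, even where the address is otherwise well-formed.` would record that this stricter behaviour is deliberate. The enclosing class starts outside this hunk, so a boundary test elsewhere in the file cannot be ruled out from here.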
