fix: Fix critical CIDR range verification bug in verifyIPTrusted func by bmeng · Pull Request #787 · openshift/backplane-cli
…tion

The verifyIPTrusted function had a critical security vulnerability where it only checked if the client IP exactly matched the network address of CIDR ranges, rather than checking if the IP falls within the CIDR range.

Changes:
- Replace parsedIP.Equal(ip) with network.Contains(ip) for proper CIDR validation
- Improve error message to include the problematic CIDR string for better debugging
- Add comprehensive test coverage with 7 new test cases covering:
  * Single host CIDR ranges (/32)
  * Large CIDR ranges (/8, /16, /24)
  * Boundary testing (start/end of ranges)
  * Negative cases (IPs outside ranges)
  * Invalid CIDR format handling
  * Mixed CIDR scenarios
  * IPv6 CIDR support

Before: Only IPs that exactly matched the network address were trusted
After: All IPs within the specified CIDR ranges are properly validated

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
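The difference between the two comparisons is easy to see when the pre-fix and post-fix logic are run side by side. The following is an added example, not code from this PR or from backplane-cli: the function names verifyIPTrustedBefore / verifyIPTrustedAfter, their (clientIP string, trustedCIDRs []string) signature, and the trust list sampleTrusted are all assumptions made for illustration. The "before" version keeps the parsedIP.Equal(ip) comparison the description calls out; the "after" version uses (*net.IPNet).Contains, returns an error that names the offending CIDR, and is exercised over a constructed list that covers the /8, /24, /32, boundary, negative, invalid-CIDR and IPv6 categories the description lists.

```go
package main

import (
	"fmt"
	"net"
)

// verifyIPTrustedBefore mirrors the pre-fix logic described in the PR: the
// client IP is compared with the address returned by net.ParseCIDR (the
// network address for a canonical CIDR such as 10.0.0.0/8), so 10.0.0.5 is
// rejected for 10.0.0.0/8. Kept only as the "before" case; do not use it.
func verifyIPTrustedBefore(clientIP string, trustedCIDRs []string) (bool, error) {
	ip := net.ParseIP(clientIP)
	if ip == nil {
		return false, fmt.Errorf("invalid client IP %q", clientIP)
	}
	for _, cidr := range trustedCIDRs {
		parsedIP, _, err := net.ParseCIDR(cidr)
		if err != nil {
			return false, fmt.Errorf("invalid trusted CIDR %q: %w", cidr, err)
		}
		if parsedIP.Equal(ip) { // bug: exact match, not range membership
			return true, nil
		}
	}
	return false, nil
}

// verifyIPTrustedAfter applies the PR's change: (*net.IPNet).Contains performs
// the masked comparison, so every address inside the range is trusted and
// every address outside it is rejected, for IPv4 and IPv6 alike. A malformed
// entry fails closed and the error names it, as the PR description requires.
func verifyIPTrustedAfter(clientIP string, trustedCIDRs []string) (bool, error) {
	ip := net.ParseIP(clientIP)
	if ip == nil {
		return false, fmt.Errorf("invalid client IP %q", clientIP)
	}
	for _, cidr := range trustedCIDRs {
		_, network, err := net.ParseCIDR(cidr)
		if err != nil {
			return false, fmt.Errorf("invalid trusted CIDR %q: %w", cidr, err)
		}
		if network.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

// sampleTrusted is a constructed trust list (an assumption for this example)
// covering the categories in the PR's test plan: /8, /24, /32 and an IPv6 /32.
var sampleTrusted = []string{"10.0.0.0/8", "192.168.1.0/24", "203.0.113.7/32", "2001:db8::/32"}

func main() {
	clients := []string{
		"10.0.0.0",         // network address: both versions accept
		"10.200.3.4",       // inside the /8: only the fix accepts
		"192.168.1.255",    // last address of the /24 (end boundary)
		"192.168.2.0",      // first address past the /24 (negative)
		"203.0.113.7",      // exact /32 host
		"203.0.113.8",      // neighbour of the /32 host (negative)
		"2001:db8:ffff::1", // inside the IPv6 /32
		"2001:db9::1",      // outside the IPv6 /32 (negative)
	}
	fmt.Printf("%-18s %-7s %-6s\n", "client", "before", "after")
	for _, c := range clients {
		before, _ := verifyIPTrustedBefore(c, sampleTrusted)
		after, _ := verifyIPTrustedAfter(c, sampleTrusted)
		fmt.Printf("%-18s %-7v %-6v\n", c, before, after)
	}
	// Invalid CIDR handling: a bad prefix length is reported with the entry that caused it.
	if _, err := verifyIPTrustedAfter("10.0.0.1", []string{"10.0.0.0/33"}); err != nil {
		fmt.Println("invalid CIDR rejected:", err)
	}
}
```

Contains masks both sides before comparing, so the network address, the last address of the range and everything between are all accepted, while the first address past the range is not; it also refuses to match an IPv4 client against an IPv6 range and vice versa, which is the "mixed CIDR" behaviour a trust check needs.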
openshift-ci bot added the approved label Sep 24, 2025
bmeng deleted the fix-ip-verification-logic branch