From 7ca5f36d92de1d20091dae34ad1605a56600e5fd Mon Sep 17 00:00:00 2001
From: Karen Etheridge
Date: Mon, 29 Mar 2021 15:41:05 -0700
Subject: [PATCH] reject ipv4 strings with an octet with a leading zero

Ensuring implementations reject these values will help guard against this security vulnerability. see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/
---
 tests/draft2019-09/optional/format/ipv4.json | 11 +++++++++++
 tests/draft2020-12/optional/format/ipv4.json | 11 +++++++++++
 tests/draft4/optional/format/ipv4.json | 11 +++++++++++
 tests/draft6/optional/format/ipv4.json | 11 +++++++++++
 tests/draft7/optional/format/ipv4.json | 11 +++++++++++
 5 files changed, 55 insertions(+)

diff --git a/tests/draft2019-09/optional/format/ipv4.json b/tests/draft2019-09/optional/format/ipv4.json
index 8b99b9fb..e36a3816 100644
--- a/tests/draft2019-09/optional/format/ipv4.json
+++ b/tests/draft2019-09/optional/format/ipv4.json
@@ -32,6 +32,17 @@
 "description": "an IP address as an integer (decimal)",
 "data": "2130706433",
 "valid": false
+ },
+ {
+ "description": "leading zeroes should be rejected, as they are treated as octals",
+ "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+ "data": "087.10.0.1",
+ "valid": false
+ },
+ {
+ "description": "value without leading zero is valid",
+ "data": "87.10.0.1",
+ "valid": true
 }
 ]
 }
diff --git a/tests/draft2020-12/optional/format/ipv4.json b/tests/draft2020-12/optional/format/ipv4.json
index 8b99b9fb..e36a3816 100644
--- a/tests/draft2020-12/optional/format/ipv4.json
+++ b/tests/draft2020-12/optional/format/ipv4.json
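Review bot: The negative case `"data": "087.10.0.1"` does not isolate the behaviour its description names, because `087` contains the digit 8 and is therefore not a valid octal literal at all; an implementation that genuinely parses leading-zero octets as octal (the behaviour the linked advisory describes) rejects this input for that unrelated reason and passes the test while still accepting an input such as `010.10.0.1` as `8.10.0.1`. A datum made only of octal digits would fail on exactly the implementations this commit is meant to catch, either by changing the existing case to `"data": "010.10.0.1"` with `"valid": false`, or, safer for existing consumers of the suite, by adding it as a further case next to the `087` one. The hunk is repeated verbatim for draft2020-12, draft4, draft6 and draft7, so the same adjustment applies to all five files.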
@@ -32,6 +32,17 @@
 "description": "an IP address as an integer (decimal)",
 "data": "2130706433",
 "valid": false
+ },
+ {
+ "description": "leading zeroes should be rejected, as they are treated as octals",
+ "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+ "data": "087.10.0.1",
+ "valid": false
+ },
+ {
+ "description": "value without leading zero is valid",
+ "data": "87.10.0.1",
+ "valid": true
 }
 ]
 }
diff --git a/tests/draft4/optional/format/ipv4.json b/tests/draft4/optional/format/ipv4.json
index 8b99b9fb..e36a3816 100644
--- a/tests/draft4/optional/format/ipv4.json
+++ b/tests/draft4/optional/format/ipv4.json
@@ -32,6 +32,17 @@
 "description": "an IP address as an integer (decimal)",
 "data": "2130706433",
 "valid": false
+ },
+ {
+ "description": "leading zeroes should be rejected, as they are treated as octals",
+ "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+ "data": "087.10.0.1",
+ "valid": false
+ },
+ {
+ "description": "value without leading zero is valid",
+ "data": "87.10.0.1",
+ "valid": true
 }
 ]
 }
diff --git a/tests/draft6/optional/format/ipv4.json b/tests/draft6/optional/format/ipv4.json
index 8b99b9fb..e36a3816 100644
--- a/tests/draft6/optional/format/ipv4.json
+++ b/tests/draft6/optional/format/ipv4.json
@@ -32,6 +32,17 @@
 "description": "an IP address as an integer (decimal)",
 "data": "2130706433",
 "valid": false
+ },
+ {
+ "description": "leading zeroes should be rejected, as they are treated as octals",
+ "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+ "data": "087.10.0.1",
+ "valid": false
+ },
+ {
+ "description": "value without leading zero is valid",
+ "data": "87.10.0.1",
+ "valid": true
 }
 ]
 }
diff --git a/tests/draft7/optional/format/ipv4.json b/tests/draft7/optional/format/ipv4.json
index 8b99b9fb..e36a3816 100644
--- a/tests/draft7/optional/format/ipv4.json
+++ b/tests/draft7/optional/format/ipv4.json
@@ -32,6 +32,17 @@
 "description": "an IP address as an integer (decimal)",
 "data": "2130706433",
 "valid": false
+ },
+ {
+ "description": "leading zeroes should be rejected, as they are treated as octals",
+ "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+ "data": "087.10.0.1",
+ "valid": false
+ },
+ {
+ "description": "value without leading zero is valid",
+ "data": "87.10.0.1",
+ "valid": true
 }
 ]
 }