Reject non-ASCII hex digits in isValidInet6Address#403
Merged
Conversation
garydgregory
changed the title
garydgregory
added a commit
that referenced
this pull request
Jun 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
isValidInet6Address splits the address on ':' and hands each hex group straight to Integer.parseInt(octet, 16). That parser is more permissive than an IPv6 group should be: it delegates to Character.digit, which maps non-ASCII Unicode digits to 0-15, so a group written with fullwidth digits (U+FF10-FF19) or Arabic-Indic digits (U+0660-0669) parses cleanly and slips through the length and range checks. The result is that addresses such as the fullwidth "1234::" are reported as valid IPv6 addresses even though java.net.InetAddress and every real resolver reject them. The same gap is reachable through EmailValidator (bracketed IPv6 domain) and the UrlValidator authority, so a caller relying on this for a host allowlist can be fed a value that validates here but resolves elsewhere. The IPv4 path is unaffected because its regex \d only matches ASCII digits.
The existing guard already rejected a leading sign for the same reason (Integer.parseInt tolerating input that is not a real group). I have widened that single check into a per-character test that accepts only [0-9A-Fa-f], which covers the sign case and the non-ASCII digits in one place rather than enumerating each offending form. Keeping the check next to the parse means the rule stays where the value is actually consumed. Added regression tests alongside the existing signed-group cases.