IpAddressMatcher.matches(String address) still accepts URLs #15172

Closed
@hkamp-dev

Describe the bug
Following the update to Spring Security 6.3.0, we were facing issues with the IpAddressMatcher in our validation steps due to the assertStartsWithHexa() method.

Before changing our implementation, we relied on the InetAddress resolution in parseAddress(..) in the same class.

The InetAddress resolution still happens if a host name is supplied instead of an IP address when it starts with a hex character. Relates to: c1adeef and #13621

To Reproduce
Use the matches() method with a host name that starts with a character valid in the hex system.

Expected behavior
IP address format is enforced?

Sample

[...]
var mask = "0.0.0.0/8"; // the IpAddressMatcher constructor takes a single address/CIDR string
var matcher = new IpAddressMatcher(mask);
matcher.matches("example.org"); // does not throw an error
[...]
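
An added example, not part of the original issue or of Spring Security's code: a strict IP-literal guard that callers can run before `matches()`, so that a host name beginning with a hex character never reaches InetAddress resolution. The class name, `isIpLiteral`, and `startsWithHexDigit` (a stand-in for the first-character test the issue describes) are hypothetical, and the sample inputs are constructed.

```java
import java.util.List;
import java.util.regex.Pattern;

public class IpLiteralGuard {

    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";

    // Dotted-quad IPv4 with every octet in 0-255.
    private static final Pattern IPV4 =
            Pattern.compile(OCTET + "(\\." + OCTET + "){3}");

    // Coarse IPv6 shape: hex digits, ':' and '.' only, with at least two colons.
    // A DNS host name cannot contain ':', so nothing matching this is a host name.
    private static final Pattern IPV6_SHAPE =
            Pattern.compile("(?=(?:[^:]*:){2})[0-9A-Fa-f:.]{2,45}");

    /** Hypothetical stand-in for a check that only looks at the first character. */
    static boolean startsWithHexDigit(String s) {
        return !s.isEmpty() && Character.digit(s.charAt(0), 16) != -1;
    }

    /** True only for strings shaped like an IP literal; host names are rejected. */
    static boolean isIpLiteral(String s) {
        return s != null
                && (IPV4.matcher(s).matches() || IPV6_SHAPE.matcher(s).matches());
    }

    public static void main(String[] args) {
        // Constructed sample inputs: literals, host names, and an out-of-range octet.
        List<String> samples = List.of("192.168.1.1", "2001:db8::1",
                "example.org", "cafe.example", "10.0.0.256", "localhost");
        for (String s : samples) {
            // A first-character test passes "example.org" and "cafe.example";
            // the full-string shape check rejects both.
            System.out.printf("%-14s firstCharHex=%-5b ipLiteral=%b%n",
                    s, startsWithHexDigit(s), isIpLiteral(s));
        }
    }
}
```

Calling `isIpLiteral(address)` and rejecting the request when it returns false, before handing `address` to the matcher, keeps untrusted input from triggering a lookup.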

Labels

in: web (an issue in web modules: web, webmvc); type: bug (a general bug)
