From 4724e1f0f530c7535d3aa95701f19408843a5f01 Mon Sep 17 00:00:00 2001
From: Jingchao Zhong
Date: Mon, 15 May 2023 19:10:22 -0700
Subject: [PATCH 1/9] Add test cases for ipv4 adresses
---
tests/plugins/ip_public_test.py | 53 +++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 tests/plugins/ip_public_test.py
diff --git a/tests/plugins/ip_public_test.py b/tests/plugins/ip_public_test.py
new file mode 100644
index 000000000..a52b05876
--- /dev/null
+++ b/tests/plugins/ip_public_test.py
@@ -0,0 +1,53 @@
+import pytest
+from detect_secrets.plugins.ip_public import IPPublicDetector
+
+
+class TestIPPublicDetector:
+
+ class TestIPv4:
+ """
+ Testing strategy
+
+ Cover the cartesian product of these partitions:
+
+ 1. Partition on ip address format:
+ a. Valid ipv4 address
+
+ 2. Partition on ip address type:
+ a. Public
+ b. Non-public
+
+ And cover this case:
+ 1. Partition on ip address format:
+ a. Invalid ipv4 address
+ """
+
+ @pytest.mark.parametrize(
+ 'payload, should_flag',
+ [
+ # Valid IPv4 addresses, Public
+ ('133.133.133.133', True),
+ ('This line has an IP address 133.133.133.133@something else', True),
+ ('133.133.133.133:8080', True),
+ ('This line has an IP address: 133.133.133.133:8080@something else', True),
+ ('1.1.1.1', True),
+ # Valid IPv4 addresses, Non-public
+ ('127.0.0.1', False),
+ ('10.0.0.1', False),
+ ('172.16.0.1', False),
+ ('192.168.0.1', False),
+ # Invalid IPv4 addresses
+ ('256.256.256.256', False),
+ ('1.2.3', False),
+ ('1.2.3.4.5.6', True),
+ ('1.2.3.4.5.6.7.8', "2"),
+ ('1.2.3.04', True),
+ ('noreply@github.com', False),
+ ('github.com', False)
+ ],
+ )
+ def test_analyze_line(self, payload, should_flag):
+ logic = IPPublicDetector()
+
+ output = logic.analyze_line(filename='mock_filename', line=payload)
+ assert len(output) == int(should_flag)
From 33ddcc6a9e096ceca992b09e948a8ea8252dc848 Mon Sep 17 00:00:00 2001
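Review bot: The non-public cases in the `parametrize` list of tests/plugins/ip_public_test.py probe each private range at a single address (`172.16.0.1` for the 172.16–31 block), so the range edges the detector has to get right are not pinned by any test. Adding `('172.31.255.255', False)` together with `('172.15.0.1', True)` and `('172.32.0.1', True)` would catch an off-by-one in the second-octet match, which would either leak a private address into the findings or hide a public one. The class docstring could also say whether other reserved space (link-local, carrier-grade NAT) is meant to be flagged, since no case here decides it.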
From: Jingchao Zhong Date: Mon, 15 May 2023 19:11:35 -0700 Subject: [PATCH 2/9] Add a plguin for public ip passing the tests --- detect_secrets/plugins/ip_public.py | 39 +++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 detect_secrets/plugins/ip_public.py diff --git a/detect_secrets/plugins/ip_public.py b/detect_secrets/plugins/ip_public.py new file mode 100644 index 000000000..d61faf3e7 --- /dev/null +++ b/detect_secrets/plugins/ip_public.py @@ -0,0 +1,39 @@ +import re +from .base import RegexBasedDetector + +class IPPublicDetector(RegexBasedDetector): + """Scans for public ip address (ipv4) + + Some non-public ipv4 addresses are ignored, such as: + - 127. + - 10. + - 172.(16-31) + - 192.168. + + Reference: + https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml + https://en.wikipedia.org/wiki/Private_network + """ + secret_type = 'Public IP (ipv4)' + + denylist_ipv4_address = r""" + (? Date: Mon, 15 May 2023 19:18:15 -0700 Subject: [PATCH 3/9] Update documentation for new feature : IPPublic plguin --- CHANGELOG.md | 5 +++++ README.md | 1 + 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f2f363a0..fbdcdca04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,11 @@ If you love `detect-secrets`, please star our project on GitHub to show your sup ### v1.4.0 diff --git a/README.md b/README.md index 03e7e36fb..5de8fce56 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,7 @@ Base64HighEntropyString HexHighEntropyString IbmCloudIamDetector IbmCosHmacDetector +IPPublicDetector JwtTokenDetector KeywordDetector MailchimpDetector From 0ff1ac4a80679247b3af1dacf19b8466f0e05f42 Mon Sep 17 00:00:00 2001 From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com> Date: Thu, 16 Nov 2023 20:12:30 -0800 Subject: [PATCH 4/9] Fix double quoted strings --- tests/plugins/ip_public_test.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/tests/plugins/ip_public_test.py b/tests/plugins/ip_public_test.py index a52b05876..cfad9ec97 100644 --- a/tests/plugins/ip_public_test.py +++ b/tests/plugins/ip_public_test.py @@ -1,4 +1,5 @@ import pytest + from detect_secrets.plugins.ip_public import IPPublicDetector @@ -40,10 +41,10 @@ class TestIPv4: ('256.256.256.256', False), ('1.2.3', False), ('1.2.3.4.5.6', True), - ('1.2.3.4.5.6.7.8', "2"), + ('1.2.3.4.5.6.7.8', '2'), ('1.2.3.04', True), ('noreply@github.com', False), - ('github.com', False) + ('github.com', False), ], ) def test_analyze_line(self, payload, should_flag): From 244e3a8f2b248d05f2e0f6f34abf557c76fc2ddd Mon Sep 17 00:00:00 2001 From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com> Date: Thu, 16 Nov 2023 20:13:25 -0800 Subject: [PATCH 5/9] Fix python code style --- detect_secrets/plugins/ip_public.py | 39 ++++++++++++++++++----------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/detect_secrets/plugins/ip_public.py b/detect_secrets/plugins/ip_public.py index d61faf3e7..941d2d2fd 100644 --- a/detect_secrets/plugins/ip_public.py +++ b/detect_secrets/plugins/ip_public.py @@ -1,6 +1,8 @@ import re + from .base import RegexBasedDetector + class IPPublicDetector(RegexBasedDetector): """Scans for public ip address (ipv4) @@ -10,30 +12,37 @@ class IPPublicDetector(RegexBasedDetector): - 172.(16-31) - 192.168. - Reference: + Reference: https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml https://en.wikipedia.org/wiki/Private_network """ secret_type = 'Public IP (ipv4)' denylist_ipv4_address = r""" - (? Date: Sat, 18 Nov 2023 18:25:12 -0800 Subject: [PATCH 6/9] Update test case to unflag invalid ipv4 --- tests/plugins/ip_public_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/plugins/ip_public_test.py b/tests/plugins/ip_public_test.py index cfad9ec97..0639e1235 100644 --- a/tests/plugins/ip_public_test.py +++ b/tests/plugins/ip_public_test.py 
@@ -40,8 +40,8 @@ class TestIPv4: # Invalid IPv4 addresses ('256.256.256.256', False), ('1.2.3', False), - ('1.2.3.4.5.6', True), - ('1.2.3.4.5.6.7.8', '2'), + ('1.2.3.4.5.6', False), + ('1.2.3.4.5.6.7.8', False), ('1.2.3.04', True), ('noreply@github.com', False), ('github.com', False), From 62c0dd53527c293a2a856f707b3473e4285e7187 Mon Sep 17 00:00:00 2001 From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com> Date: Sat, 18 Nov 2023 18:25:46 -0800 Subject: [PATCH 7/9] Update regex to pass updated test --- detect_secrets/plugins/ip_public.py | 35 ++++++++++++----------------- 1 file changed, 14 insertions(+), 21 deletions(-) diff --git a/detect_secrets/plugins/ip_public.py b/detect_secrets/plugins/ip_public.py index 941d2d2fd..91e0b88e1 100644 --- a/detect_secrets/plugins/ip_public.py +++ b/detect_secrets/plugins/ip_public.py @@ -19,28 +19,21 @@ class IPPublicDetector(RegexBasedDetector): secret_type = 'Public IP (ipv4)' denylist_ipv4_address = r""" - # Negative lookbehind: Checks if preceding character is not a digit - (? Date: Mon, 20 Nov 2023 21:58:12 -0800 Subject: [PATCH 8/9] Adjust test case to return false for invalid ipv4 --- tests/plugins/ip_public_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/plugins/ip_public_test.py b/tests/plugins/ip_public_test.py index 0639e1235..5480f093b 100644 --- a/tests/plugins/ip_public_test.py +++ b/tests/plugins/ip_public_test.py @@ -42,7 +42,7 @@ class TestIPv4: ('1.2.3', False), ('1.2.3.4.5.6', False), ('1.2.3.4.5.6.7.8', False), - ('1.2.3.04', True), + ('1.2.3.04', False), ('noreply@github.com', False), ('github.com', False), ], From 5fc4ed6a63d8b64cfa872f467be39945f7eaa9ca Mon Sep 17 00:00:00 2001 From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com> Date: Mon, 20 Nov 2023 23:09:18 -0800 Subject: [PATCH 9/9] Adjust regex to pass new test --- detect_secrets/plugins/ip_public.py | 34 ++++++++++++++++------------- 1 file changed, 19 insertions(+), 15 deletions(-) 
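Review bot: With `('1.2.3.4.5.6', False)` in the `@@ -40,8 +40,8 @@` hunk of tests/plugins/ip_public_test.py, an address followed by more dotted groups is no longer reported, but no case shows what happens when a real address is followed by a plain full stop at the end of a sentence. If the rule is implemented by rejecting any trailing `.`, a line such as `'Connect to 133.133.133.133.'` would go unreported; adding `('Connect to 133.133.133.133.', True)` to the public cases would rule that false negative out. The regex itself is not readable on this page, so this is something to confirm rather than a confirmed bug, and the parametrize list starts above this hunk.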
diff --git a/detect_secrets/plugins/ip_public.py b/detect_secrets/plugins/ip_public.py index 91e0b88e1..287ea9f39 100644 --- a/detect_secrets/plugins/ip_public.py +++ b/detect_secrets/plugins/ip_public.py @@ -19,21 +19,25 @@ class IPPublicDetector(RegexBasedDetector): secret_type = 'Public IP (ipv4)' denylist_ipv4_address = r""" - (?