Uri.parseIPv4Address accepts IPv4 addresses with arbitrary number of leading zeroes while InternetAddress.tryParse does not.

[elliotwutingfeng]

import 'dart:io';

void main() {
  const String normalIp = '123.1.1.1';
  print(Uri.parseIPv4Address(normalIp));
  print(InternetAddress.tryParse(normalIp));
  // Output
  // [123, 1, 1, 1]
  // InternetAddress('123.1.1.1', IPv4)

  final String lotsOfLeadingZeroesIp = '${'0' * 10_000_000}123.1.1.1';
  print(Uri.parseIPv4Address(lotsOfLeadingZeroesIp));
  print(InternetAddress.tryParse(lotsOfLeadingZeroesIp));
  // Output
  // [123, 1, 1, 1]
  // null
}

Passing a IPv4 string with a large number of leading zeroes in any of the octets to Uri.parseIPv4Address would lead to long parsing time and high memory usage. This may be a security concern. Uri.parseIPv6Address is also affected (for the trailing IPv4 part of the IPv6 address).

InternetAddress.tryParse however rejects leading zeroes and is not affected.

Should Uri.parseIPv4Address be changed to match the behavior of InternetAddress.tryParse? It may affect users who use it to parse IPv4 addresses in octal form.

Tested on Dart 3.9.0 (stable) on "linux_x64"

[lrhn]

So we have two parsers. That seems redundant. The one in Uri is for URIs and should follow the appropriate spec, and the one in InternetAddress may follow a different spec, so it might make sense to have two.

Except ... the spec followed by the Dart Uri class is RFC 3986, and it does not allow leading zeros in IPv4address:

     IPv4address = dec-octet "." dec-octet "." dec-octet "." dec-octet

     dec-octet   = DIGIT                 ; 0-9
                 / %x31-39 DIGIT         ; 10-99
                 / "1" 2DIGIT            ; 100-199
                 / "2" %x30-34 DIGIT     ; 200-249
                 / "25" %x30-35          ; 250-255

It's a breaking change to fix it, but hopefully not something many people depend on. It was never a valid RFC 3986 URI.

The WhatWG URL spec also don't allow leading zeros:

four shortest possible strings of ASCII digits, representing a decimal number in the range 0 to 255

So it wouldn't work anywhere else.

[elliotwutingfeng]

InternetAddress is part of the dart:io library too, which is not available for web apps, so the only option for web apps is Uri.

[elliotwutingfeng]

I've opened a merge request to patch this. This would however, be a breaking change for users who need to parse IPv4 addresses with leading zeros.

[lrhn]

I looked at the existing code, and it's somewhat inefficient (fx it creates substrings to pass to int.parse).
I've rewritten it and parseIPv6Address to avoid extra allocations and most unnecessary copying
(https://dart-review.googlesource.com/c/sdk/+/447260).

[elliotwutingfeng]

@lrhn I would like to point out that this patch has also fixed the following bug:

Uri.parseIPv6Address('2001:adb8:d8b4::193c:a5e7:8b2f:46d1');

used to erroneously throw the following exception

FormatException: Illegal IPv6 address, an address with a wildcard must have less than 7 parts