-
-
Notifications
You must be signed in to change notification settings - Fork 169
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ipv6 validation allows invalid ipv6 addresses #206
Comments
Fastify's code seems to be quite long. What if we use a mix of regex and JS code? The regex checks the basic structure and the JS code checks the details. This is what I found on Medium: https://medium.com/@stheodorejohn/validating-ipv4-and-ipv6-addresses-with-ease-unveiling-the-power-of-validation-in-javascript-2af04ee065c5 |
The Medium approach sounds good to me. Do you plan to make the change? As alternative, https://github.com/colinhacks/zod/pull/2849/files also switched to a new ipv6 checking approach, maybe worth comparing the two (bundle size vs runtime perf) |
Yes, I plan to improve that in the long run. However, I will not have the time in the next few weeks for it. |
I believe the IPV6_CIDR_REGEX added in #367 could be modified and replace the current IPV6_REGEX, as it seems to be more correct. fe80::3:bEFf:5b:%3NG/24 for example is flagged as invalid. Down the line, we could investigate a faster solution, but for the scope of this issue I think this would be sufficient. Perhaps we can add a warning to the docblock + docs about execution time. |
Thank you for the tip. Currently my focus is on other areas of the library but I will get back to this in the long run. |
The current regexp used for checking ipv6 in valibot might not be correct, as it allows, e.g.:
fe80::3:bEFf:5b:%3NG
which is not valid.valibot/library/src/validations/ipv6/ipv6.ts
Line 13 in 982045e
As per garycourt/uri-js#40 (comment), it looks like other regexps can not be used to fully make sure an ipv6 address is valid and the regexp used in uri-js seems quite expensive (although the issue is from 2019, so it might have changed nowadays).
In any case, the Fastify team is now using a different approach to parse ipv6 addresses: fastify/fast-uri@main/lib/utils.js#L27 (the mentioned "read buffer" approach is used there).
The buffer code is faster, but also increases bundle size a lot more compared to the regex. What do we prefer?
The text was updated successfully, but these errors were encountered: