Description
Summary
I would like to point out an inconsistency regarding how CloudGoat validates the network whitelist. Currently, the implementation in utils.py and the test suite appear to contradict the official README.md and the CLI's own error message hints.
There is a conflict between the instructions provided to the user and the actual logic enforced by the code:
- Documentation (README.md): The documentation states: "The IP address you provide for whitelisting doesn't have to be in CIDR format, but CloudGoat will add a /32 to any naked IPs you provide."
- CLI Error Message Hint: When an invalid IP is entered, the tool provides a hint that suggests naked IPs are acceptable: "For example: 127.0.0.1"
- Core Logic (core/python/utils.py): Despite the above, the function `ip_address_or_range_is_valid` immediately rejects any input without a `/` character: `if text.count("/") == 0: return False`
- Test Suite (tests/core_tests.py): The unit tests currently assert this rejection as the expected behavior, which effectively "codifies" the discrepancy: `self.assertEqual(ip_address_or_range_is_valid("127.0.0.1"), False)`
This creates a confusing experience for users. If a user follows the README or the CLI's own suggestion by providing a naked IP (e.g., 1.1.1.1), the validator blocks it before the intended "auto-suffix" logic can ever be applied. This renders the documented auto-suffix feature non-functional for manual configurations and manual file edits.
It appears there is a mismatch between the project's design goals (as documented) and the current validation layer. Aligning these either by allowing naked IPs in the validator to support the auto-suffixing feature or by updating the documentation/error hints to require CIDR notation strictly would significantly improve the tool's consistency.
Note: My apologies if I’ve misinterpreted the project’s design or made any mistakes in this report. Thank you for maintaining this project!
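The two behaviours the report contrasts, as an added example that is not CloudGoat's own code: `validator_as_reported` reproduces the "reject anything without a slash" check quoted from utils.py (the CIDR parse behind it is assumed), and the hypothetical `normalize_whitelist_entry` shows the documented alternative of accepting a naked IPv4 address and suffixing `/32` before validating, so the rest of the tool only ever sees CIDR notation.

```python
import ipaddress
from typing import Optional


def validator_as_reported(text: str) -> bool:
    """Constructed model of the behaviour described in the report: a naked
    IP is rejected before any auto-suffix logic could run."""
    if text.count("/") == 0:
        return False
    try:
        # Assumed: the real validator does some CIDR parse after the check.
        ipaddress.IPv4Network(text)
    except ValueError:
        return False
    return True


def normalize_whitelist_entry(text: str) -> Optional[str]:
    """Hypothetical replacement: accept a naked IPv4 address, append the
    documented /32, and return the canonical CIDR string (None if invalid)."""
    candidate = text.strip()
    if "/" not in candidate:
        candidate += "/32"  # the README's documented auto-suffix
    try:
        # strict=True (the default) rejects host bits set under the mask,
        # e.g. "1.1.1.1/24", instead of silently widening the whitelist.
        net = ipaddress.IPv4Network(candidate)
    except ValueError:
        # Covers non-IP text, IPv6 literals, and bad prefix lengths such as /33.
        return None
    return str(net)


def whitelist_entry_is_valid(text: str) -> bool:
    """Validator built on the normaliser, so README, CLI hint and code agree."""
    return normalize_whitelist_entry(text) is not None


if __name__ == "__main__":
    for entry in ("127.0.0.1", "127.0.0.1/32", "10.0.0.0/8", "1.1.1.1/24"):
        print(f"{entry:>14}  reported={validator_as_reported(entry)!s:<5}"
              f"  proposed={normalize_whitelist_entry(entry)}")
```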