Add validation for nat-addr (#5257)

Author: martinconic

pkg/node/export_test.go

@@ -0,0 +1,7 @@
+// Copyright 2025 The Swarm Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package node
+
+var ValidatePublicAddress = validatePublicAddress

pkg/node/node.go

@@ -20,6 +20,7 @@ import (
 	"net/http"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -222,6 +223,10 @@ func NewBee(
 		return nil, fmt.Errorf("tracer: %w", err)
 	}
 
+	if err := validatePublicAddress(o.NATAddr); err != nil {
+		return nil, fmt.Errorf("invalid NAT address %s: %w", o.NATAddr, err)
+	}
+
 	ctx, ctxCancel := context.WithCancel(ctx)
 	defer func() {
 		// if there's been an error on this function
@@ -1463,3 +1468,38 @@ func isChainEnabled(o *Options, swapEndpoint string, logger log.Logger) bool {
 	logger.Info("starting with an enabled chain backend")
 	return true // all other modes operate require chain enabled
 }
+
+func validatePublicAddress(addr string) error {
+	if addr == "" {
+		return nil
+	}
+
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return fmt.Errorf("%w", err)
+	}
+	if host == "" {
+		return errors.New("host is empty")
+	}
+	if port == "" {
+		return errors.New("port is empty")
+	}
+	if _, err := strconv.ParseUint(port, 10, 16); err != nil {
+		return fmt.Errorf("port is not a valid number: %w", err)
+	}
+	if host == "localhost" {
+		return errors.New("localhost is not a valid address")
+	}
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return errors.New("not a valid IP address")
+	}
+	if ip.IsLoopback() {
+		return errors.New("loopback address is not a valid address")
+	}
+	if ip.IsPrivate() {
+		return errors.New("private address is not a valid address")
+	}
+
+	return nil
+}

pkg/node/node_test.go

@@ -0,0 +1,99 @@
+// Copyright 2025 The Swarm Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package node_test
+
+import (
+	"testing"
+
+	"github.com/ethersphere/bee/v2/pkg/node"
+)
+
+func TestValidatePublicAddress(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name   string
+		addr   string
+		expErr bool
+	}{
+		{
+			name:   "empty host",
+			addr:   ":1635",
+			expErr: true,
+		},
+		{
+			name:   "localhost",
+			addr:   "localhost:1635",
+			expErr: true,
+		},
+		{
+			name:   "loopback",
+			addr:   "127.0.0.1:1635",
+			expErr: true,
+		},
+		{
+			name:   "loopback ipv6",
+			addr:   "[::1]:1635",
+			expErr: true,
+		},
+		{
+			name:   "missing port",
+			addr:   "1.2.3.4",
+			expErr: true,
+		},
+		{
+			name:   "empty port",
+			addr:   "1.2.3.4:",
+			expErr: true,
+		},
+		{
+			name:   "invalid port number",
+			addr:   "1.2.3.4:abc",
+			expErr: true,
+		},
+		{
+			name:   "valid",
+			addr:   "1.2.3.4:1635",
+			expErr: false,
+		},
+		{
+			name:   "valid ipv6",
+			addr:   "[2001:db8::1]:1635",
+			expErr: false,
+		},
+		{
+			name:   "empty",
+			addr:   "",
+			expErr: false,
+		},
+		{
+			name:   "invalid IP",
+			addr:   "not-an-ip:8080",
+			expErr: true,
+		},
+		{
+			name:   "private IP",
+			addr:   "192.168.1.1:8080",
+			expErr: true,
+		},
+		{
+			name:   "hostname",
+			addr:   "example.com:8080",
+			expErr: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := node.ValidatePublicAddress(tc.addr)
+			if tc.expErr && err == nil {
+				t.Fatal("expected error, but got none")
+			}
+			if !tc.expErr && err != nil {
+				t.Fatalf("expected no error, but got: %v", err)
+			}
+		})
+	}
+}