fix: align ipv4 tests strictly to RFC 2673 and move strict CVE checks to URI format

AcEKaycgR · AcEKaycgR · commit bb3e67bf6ab4 · 2026-02-21T08:21:15.000+05:30
diff --git a/tests/draft2020-12/optional/format/ipv4.json b/tests/draft2020-12/optional/format/ipv4.json
@@ -67,10 +67,10 @@
                 "valid": false
             },
             {
-                "description": "invalid leading zeroes, as they are treated as octals",
-                "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/",
+                "description": "leading zeroes are valid per RFC 2673 (despite CVE-2021-28918 octal risks)",
+                "comment": "see https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/ - NOTE: strict anti-octal rules belong in URI formats for Draft 2020-12, but will be integrated into ipv4 in the v1 spec.",
                 "data": "087.10.0.1",
-                "valid": false
+                "valid": true
             },
             {
                 "description": "value without leading zero is valid",
@@ -88,122 +88,122 @@
                 "valid": false
             },
             {
-                "description": "leading zero in last octet (Strict ABNF Compliance)",
-                "comment": "RFC 3986, Section 3.2.2 strict bounds applied over RFC 2673 to prevent octal vulnerabilities. dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "description": "leading zero is valid under RFC 2673 loose syntax",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte (where decbyte = 1*3DIGIT). NOTE: Planned for update in v1 spec to enforce strict anti-octal rules.",
                 "data": "192.168.0.01",
-                "valid": false
+                "valid": true
             },
             {
                 "description": "leading whitespace is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": " 192.168.0.1",
                 "valid": false
             },
             {
                 "description": "trailing whitespace is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": "192.168.0.1 ",
                 "valid": false
             },
             {
                 "description": "trailing newline is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": "192.168.0.1\n",
                 "valid": false
             },
             {
                 "description": "hexadecimal notation is invalid",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "comment": "RFC 2673, Section 3.2: decbyte = 1*3DIGIT (requires DIGIT, forbids alpha/hex)",
                 "data": "0x7f.0.0.1",
                 "valid": false
             },
             {
                 "description": "octal notation explicit is invalid",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "comment": "RFC 2673, Section 3.2: decbyte = 1*3DIGIT (requires DIGIT, forbids alpha)",
                 "data": "0o10.0.0.1",
                 "valid": false
             },
             {
                 "description": "empty part (double dot) is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": "192.168..1",
                 "valid": false
             },
             {
                 "description": "leading dot is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": ".192.168.0.1",
                 "valid": false
             },
             {
                 "description": "trailing dot is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": "192.168.0.1.",
                 "valid": false
             },
             {
                 "description": "minimum valid IPv4 address",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT",
+                "comment": "RFC 2673, Section 3.2: decbyte = 1*3DIGIT",
                 "data": "0.0.0.0",
                 "valid": true
             },
             {
                 "description": "maximum valid IPv4 address",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "comment": "RFC 2673, Section 3.2: decbyte = 1*3DIGIT",
                 "data": "255.255.255.255",
                 "valid": true
             },
             {
                 "description": "empty string is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad requires 4 decbytes",
                 "data": "",
                 "valid": false
             },
             {
                 "description": "plus sign is invalid",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "comment": "RFC 2673, Section 3.2: decbyte = 1*3DIGIT (forbids symbols)",
                 "data": "+1.2.3.4",
                 "valid": false
             },
             {
                 "description": "negative sign is invalid",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "comment": "RFC 2673, Section 3.2: decbyte = 1*3DIGIT (forbids symbols)",
                 "data": "-1.2.3.4",
                 "valid": false
             },
             {
                 "description": "exponential notation is invalid",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "comment": "RFC 2673, Section 3.2: decbyte = 1*3DIGIT (forbids alpha)",
                 "data": "1e2.0.0.1",
                 "valid": false
             },
             {
                 "description": "alpha characters are invalid",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "comment": "RFC 2673, Section 3.2: decbyte = 1*3DIGIT (forbids alpha)",
                 "data": "192.168.a.1",
                 "valid": false
             },
             {
                 "description": "internal whitespace is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": "192. 168.0.1",
                 "valid": false
             },
             {
                 "description": "tab character is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": "192.168.0.1\t",
                 "valid": false
             },
             {
                 "description": "with port number is invalid",
-                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet \".\" dec-octet \".\" dec-octet",
+                "comment": "RFC 2673, Section 3.2: dotted-quad = decbyte \".\" decbyte \".\" decbyte \".\" decbyte",
                 "data": "192.168.0.1:80",
                 "valid": false
             },
             {
                 "description": "single octet out of range in last position",
-                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %d49-57 DIGIT / '1' 2DIGIT / '2' %d48-52 DIGIT / '25' %d48-53",
+                "comment": "RFC 2673 limits the semantic value of decbyte to 255.",
                 "data": "192.168.0.256",
                 "valid": false
             }
diff --git a/tests/draft2020-12/optional/format/uri-reference.json b/tests/draft2020-12/optional/format/uri-reference.json
@@ -80,6 +80,24 @@
                 "description": "invalid backslash character",
                 "data": "https://example.org/foobar\\.txt",
                 "valid": false
+            },
+            {
+                "description": "URI Reference containing IPv4 with leading zero in last octet is invalid",
+                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet... where dec-octet forbids leading zeros to prevent octal parsing.",
+                "data": "http://192.168.0.01/",
+                "valid": false
+            },
+            {
+                "description": "URI Reference containing IPv4 with leading zero in first octet is invalid",
+                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %x31-39 DIGIT...",
+                "data": "http://01.1.1.1/",
+                "valid": false
+            },
+            {
+                "description": "URI Reference containing valid strict IPv4",
+                "comment": "RFC 3986, Section 3.2.2: strictly formatted IPv4 literal in host component",
+                "data": "http://192.168.0.1/",
+                "valid": true
             }
         ]
     }
diff --git a/tests/draft2020-12/optional/format/uri.json b/tests/draft2020-12/optional/format/uri.json
@@ -185,6 +185,24 @@
                 "description": "invalid | character",
                 "data": "https://example.org/foobar|.txt",
                 "valid": false
+            },
+            {
+                "description": "URI containing IPv4 with leading zero in last octet is invalid",
+                "comment": "RFC 3986, Section 3.2.2: IPv4address = dec-octet \".\" dec-octet... where dec-octet forbids leading zeros to prevent octal parsing.",
+                "data": "http://192.168.0.01/",
+                "valid": false
+            },
+            {
+                "description": "URI containing IPv4 with leading zero in first octet is invalid",
+                "comment": "RFC 3986, Section 3.2.2: dec-octet = DIGIT / %x31-39 DIGIT...",
+                "data": "http://01.1.1.1/",
+                "valid": false
+            },
+            {
+                "description": "URI containing valid strict IPv4",
+                "comment": "RFC 3986, Section 3.2.2: strictly formatted IPv4 literal in host component",
+                "data": "http://192.168.0.1/",
+                "valid": true
             }
         ]
     }
