fix: detect private IPv6 addresses in dns output

package.json

@@ -16,6 +16,7 @@
 		"execa": "^7.2.0",
 		"got": "^12.6.1",
 		"http2-wrapper": "^2.2.1",
+		"ip-regex": "^5.0.0",
 		"joi": "^17.13.1",
 		"lodash": "^4.17.21",
 		"nvm": "github:nvm-sh/nvm",

src/command/handlers/dig/classic.ts

@@ -3,7 +3,7 @@ import { InternalError } from '../../../lib/internal-error.js';
 import {
 	SECTION_REG_EXP,
 	NEW_LINE_REG_EXP,
-	IPV4_REG_EXP,
+	IP_REG_EXP,
 	SharedDigParser,
 	type DnsSection,
 	type DnsParseLoopResponse,
@@ -39,7 +39,7 @@ export const ClassicDigParser = {
 		let output = rawOutput;
 
 		if (lines.length <= 2) {
-			const ipMatchList = rawOutput.match(IPV4_REG_EXP) ?? [];
+			const ipMatchList = rawOutput.match(IP_REG_EXP) ?? [];
 
 			for (const ip of ipMatchList) {
 				if (isIpPrivate(ip)) {

src/command/handlers/dig/shared.ts

@@ -1,3 +1,5 @@
+import ipRegex from 'ip-regex';
+
 export type DnsValueType = string;
 
 export type DnsSection = Record<string, unknown> | {
@@ -28,7 +30,7 @@ export const isDnsSection = (output: unknown): output is DnsSection => typeof (o
 
 export const SECTION_REG_EXP = /(;; )(\S+)( SECTION:)/g;
 export const NEW_LINE_REG_EXP = /\r?\n/;
-export const IPV4_REG_EXP = /(\b25[0-5]|\b2[0-4]\d|\b[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3}/g;
+export const IP_REG_EXP = ipRegex();
 
 export const SharedDigParser = {
 	parseSection (values: string[]): DnsSection {

test/mocks/ipv6-dns-connection-refused-private-error-linux.json

@@ -0,0 +1,15 @@
+{
+	"testId": "test",
+	"measurementId": "measurement",
+	"result": {
+		"status": "failed",
+		"statusCodeName": null,
+		"statusCode": null,
+		"rawOutput": ";; Connection to x.x.x.x#212(x.x.x.x) for abc.com failed: connection refused.",
+		"answers": [],
+		"resolver": null,
+		"timings": {
+			"total": 0
+		}
+	}
+}

test/mocks/ipv6-dns-connection-refused-private-error-linux.txt

@@ -0,0 +1 @@
+;; Connection to fd00::2#212(fd00::2) for abc.com failed: connection refused.

test/mocks/ipv6-dns-resolved-private-ip-invalid-hostname-linux.json

@@ -0,0 +1,15 @@
+{
+	"testId": "test",
+	"measurementId": "measurement",
+	"result": {
+		"status": "failed",
+		"statusCodeName": null,
+		"statusCode": null,
+		"rawOutput": "Private IP ranges are not allowed",
+		"answers": [],
+		"timings": {
+			"total": 0
+		},
+		"resolver": "private"
+	}
+}

test/mocks/ipv6-dns-resolved-private-ip-invalid-hostname-linux.txt

@@ -0,0 +1,18 @@
+; <<>> DiG 9.16.1-Ubuntu <<>> dev.home -t AAAA -p 53 -4 +timeout=3 +tries=2 +nocookie
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21105
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 65494
+;; QUESTION SECTION:
+;dev.home.		IN	AAAA
+
+;; ANSWER SECTION:
+dev.home.	0	IN	AAAA	fd00::3
+
+;; Query time: 0 msec
+;; SERVER: fd00::2#53(fd00::2)
+;; WHEN: Thu May 12 08:15:15 BST 2022
+;; MSG SIZE  rcvd: 64

test/mocks/ipv6-dns-resolved-private-ip-linux.json

@@ -0,0 +1,23 @@
+{
+	"testId": "test",
+	"measurementId": "measurement",
+	"result": {
+		"status": "finished",
+		"statusCodeName": "NOERROR",
+		"statusCode": 0,
+		"rawOutput": "; <<>> DiG 9.16.1-Ubuntu <<>> gitlab.test.com -t AAAA -p 53 -4 +timeout=3 +tries=2 +nocookie\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21105\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 65494\n;; QUESTION SECTION:\n;gitlab.test.com.\t\tIN\tAAAA\n\n;; ANSWER SECTION:\ngitlab.test.com.\t0\tIN\tAAAA\tfd00::3\n\n;; Query time: 0 msec\n;; SERVER: x.x.x.x#53(x.x.x.x)\n;; WHEN: Thu May 12 08:15:15 BST 2022\n;; MSG SIZE  rcvd: 64\n",
+		"answers": [
+			{
+				"name": "gitlab.test.com.",
+				"type": "AAAA",
+				"ttl": 0,
+				"class": "IN",
+				"value": "fd00::3"
+			}
+		],
+		"timings": {
+			"total": 0
+		},
+		"resolver": "private"
+	}
+}

test/mocks/ipv6-dns-resolved-private-ip-linux.txt

@@ -0,0 +1,18 @@
+; <<>> DiG 9.16.1-Ubuntu <<>> gitlab.test.com -t AAAA -p 53 -4 +timeout=3 +tries=2 +nocookie
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21105
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 65494
+;; QUESTION SECTION:
+;gitlab.test.com.		IN	AAAA
+
+;; ANSWER SECTION:
+gitlab.test.com.	0	IN	AAAA	fd00::3
+
+;; Query time: 0 msec
+;; SERVER: fd00::2#53(fd00::2)
+;; WHEN: Thu May 12 08:15:15 BST 2022
+;; MSG SIZE  rcvd: 64

test/mocks/ipv6-dns-trace-resolved-private-ip-invalid-hostname-linux.json

@@ -0,0 +1,9 @@
+{
+	"testId": "test",
+	"measurementId": "measurement",
+	"result": {
+		"status": "failed",
+		"rawOutput": "Private IP ranges are not allowed",
+		"hops": []
+	}
+}

test/mocks/ipv6-dns-trace-resolved-private-ip-invalid-hostname-linux.txt

@@ -0,0 +1,48 @@
+; <<>> DiG 9.16.1-Ubuntu <<>> dev.home -t AAAA -p 53 -4 +timeout=3 +tries=2 +nocookie +trace
+;; global options: +cmd
+.			7112	IN	NS	i.root-servers.net.
+.			7112	IN	NS	f.root-servers.net.
+.			7112	IN	NS	k.root-servers.net.
+.			7112	IN	NS	j.root-servers.net.
+.			7112	IN	NS	b.root-servers.net.
+.			7112	IN	NS	h.root-servers.net.
+.			7112	IN	NS	m.root-servers.net.
+.			7112	IN	NS	l.root-servers.net.
+.			7112	IN	NS	d.root-servers.net.
+.			7112	IN	NS	a.root-servers.net.
+.			7112	IN	NS	g.root-servers.net.
+.			7112	IN	NS	e.root-servers.net.
+.			7112	IN	NS	c.root-servers.net.
+;; Received 262 bytes from fd00::2#53(fd00::2) in 0 ms
+
+com.			172800	IN	NS	l.gtld-servers.net.
+com.			172800	IN	NS	b.gtld-servers.net.
+com.			172800	IN	NS	c.gtld-servers.net.
+com.			172800	IN	NS	d.gtld-servers.net.
+com.			172800	IN	NS	e.gtld-servers.net.
+com.			172800	IN	NS	f.gtld-servers.net.
+com.			172800	IN	NS	g.gtld-servers.net.
+com.			172800	IN	NS	a.gtld-servers.net.
+com.			172800	IN	NS	h.gtld-servers.net.
+com.			172800	IN	NS	i.gtld-servers.net.
+com.			172800	IN	NS	j.gtld-servers.net.
+com.			172800	IN	NS	k.gtld-servers.net.
+com.			172800	IN	NS	m.gtld-servers.net.
+com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
+com.			86400	IN	RRSIG	DS 8 1 86400 20220525050000 20220512040000 47671 . IP0WlNuvPbnRjMfGp9OqPhC+i5mw4487jWFOZTgTwP23DePe+pRxfTVZ Q4IRq11HEAMKooV8XgVsUAFgbM4bP+pkQMYErEAtlTEPdjN13pCpRRZ9 33li168gd1Ml2ZAJUWftLBqabkwIV7I9Elkek0PYYk1iBquTo9oFTOd/ j4xtYgstpEVc8HSL9gT7bLdBgzVyoo4VgoHp5ejPnzXA+IHLIiNZ/V4I TMqiQsqkhphrXIeMHXaxvacU3zVUmwspkYDeWBBqLqBU8mnF3eDiWBnO oVYh2SmNS4REahgkHUozzjEWzeDxBabpr0Kld3DNLbCeZ6/w0PfoUzO2 V6HI3w==
+;; Received 1168 bytes from 192.5.5.241#53(f.root-servers.net) in 12 ms
+
+dev.home.		172800	IN	NS	ns1.hosting.com.
+dev.home.		172800	IN	NS	ns2.hosting.com.
+dev.home.		172800	IN	NS	ns3.hosting.com.
+CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
+CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20220519042349 20220512031349 37269 com. ovckMG+I/dsOxbSu5TzZMXqhQx2IRZLcrRWGtjjdmCbHB5z/WVAntDYB o/KFKWE2kjYy3X/bSatz6E2QrnT/B/EiNQUdfikWZ5NzzjrK8ofDrE70 g/DQ5JWy4/zKPzIFkU2mllUN4zOgWlo2jT8qnrLSfEQG5QSlXCdr2TAi IUk8QQmY8id8rvX/D27sYIrbR6LReGBzp1k5LfjNdMtL8A==
+9P65273NEARA1FQBRRO26V0EPVQ2LA54.com. 86400 IN NSEC3 1 1 0 - 9P65GSAAC7FOO9V3FCBMSCNFASB92T6C NS DS RRSIG
+9P65273NEARA1FQBRRO26V0EPVQ2LA54.com. 86400 IN RRSIG NSEC3 8 2 86400 20220517050851 20220510035851 37269 com. RaFbNWPef2xfX6hL168bYLlHv/S3abPKmZTo3UodL4yd/AR5X4QixQog e+vQuS0s10DcRJklIZFkk1FYPalqGbf2vq3PD3KawfwA6fbF3FCHEpAL 4ul436Mi+qgtGhovX74dTwvXl/TZM1przDD6j7nnhj2tAMAl97qw7m7t 3fClOy/nDwWAbu5sFY8A9rZkqM+E6idtkag9vtOlt117hA==
+;; Received 696 bytes from 192.35.51.30#53(f.gtld-servers.net) in 28 ms
+
+dev.home.		3600	IN	AAAA	fd00::3
+dev.home.		3600	IN	NS	    ns2.hosting.com.
+dev.home.		3600	IN	NS  	ns1.hosting.com.
+dev.home.		3600	IN	NS	    ns3.hosting.com.
+;; Received 163 bytes from 216.74.36.1#53(ns3.hosting.com) in 156 ms