Spring Invalid IPv6 Address with X-Forwarded-For leads to number format exception

Affects: Spring Web 5.3.5

---

Hi Spring Team,

we run our Spring Boot Application using Spring Boot 2.4.4 which includes spring-web-5.3.5 in Google Cloud run. Every IPv6 address that do not end with only numeric values lead to an internal server error due to a number format exception. For example, this IPv6 address 2a02:918:175:ab60:45ee:c12c:dac1:808b leads to a number format exception: as 808b is interpreted as the port. We know that the IPv6 address is invalid due to https://tools.ietf.org/html/rfc7239#section-6 and should be in the format of [2a02:918:175:ab60:45ee:c12c:dac1:808b]. Therefore we also raised an issue at Google (https://issuetracker.google.com/issues/184230536).

Regardless, I wanted to discuss whether better error handling would be useful here:

public static InetSocketAddress parseForwardedFor(HttpRequest request, @Nullable InetSocketAddress remoteAddress) {

        int port = (remoteAddress != null ?
                remoteAddress.getPort() : "https".equals(request.getURI().getScheme()) ? 443 : 80);

        String forwardedHeader = request.getHeaders().getFirst("Forwarded");
        if (StringUtils.hasText(forwardedHeader)) {
            String forwardedToUse = StringUtils.tokenizeToStringArray(forwardedHeader, ",")[0];
            Matcher matcher = FORWARDED_FOR_PATTERN.matcher(forwardedToUse);
            if (matcher.find()) {
                String value = matcher.group(1).trim();
                String host = value;
                int portSeparatorIdx = value.lastIndexOf(':');
                if (portSeparatorIdx > value.lastIndexOf(']')) {
                    host = value.substring(0, portSeparatorIdx);
                    port = Integer.parseInt(value.substring(portSeparatorIdx + 1));
                }
                return new InetSocketAddress(host, port);
            }
        }

I would suggest to enforce the format described in RFC-7239 and if not, throw an exception describing the reason.

Kind Regards, Florian

Comment From: rstoyanchev

I've added a validation resulting in IllegalArgumentException.

Comment From: sahi1422

I am also facing the same issue but failed to find the solution :(.

@FlorianLautenschlager @rstoyanchev , do you know the fix to handle ipv6 addresses?

Comment From: FlorianLautenschlager

@sahi1422 no - sorry. We switched to AWS due to customer requirements. Was planned before the issue has occurred.