Spring Security IpAddressMatcher.matches(String address) still accepts URLs

Describe the bug Following the update to spring security 6.3.0 we were facing issues with the IpAddressMatcher in our validation steps due to the assertStartsWithHexa() method.

Before changing our implementation, we relied on the InetAddress resolution in parseAddress(..) in the same class.

The InetAddress resolution still happens if a host name is supplied instead of an IP address when it starts with a hex character. Relates to: https://github.com/spring-projects/spring-security/commit/c1adeef0dab446df4c04f51f744b2c3285309e62 and https://github.com/spring-projects/spring-security/pull/13621

To Reproduce Use the matches() method with a host name that starts with a character valid in the hex system.

Expected behavior IP Address format is enforced ?

Sample

[...]
var mask = List.of("0.0.0.0/8");
var matcher = new IpAddressMatcher(mask);
matcher.matches("example.org"); //does not throw an error
[...]

Comment From: jzheaux

Thanks, @hkamp-dev, this is now fixed and will go out in the next milestone release. Will you please see if the 6.3.1-SNAPSHOT works for you?

Comment From: hkamp-dev

Hi @jzheaux, thanks for taking a look and fixing it. Works great for me! Cheers!